Why encryption is essential for everyone [Q&A]
If your laptop or smartphone gets lost or stolen, there’s the danger of its contents being accessed, which could prove a nightmare. If the device is encrypted, however, you can rest easy… Or can you?
Ebba Blitz, CEO of laptop encryption company Alertsec (and former host of Sweden's Shark Tank), chatted with me about the benefits and potential pitfalls of encryption, and revealed her top tips for keeping your data secure.
BN: Alertsec offers a novel approach to encryption. What can you tell me about it?
EB: Alertsec makes it possible for SMBs and individuals to get laptop encryption as a managed service. Our helpdesk handles the hassle with encryption and is standing by 24/7. Encryption normally requires an IT department to manage keys and have the capability to provide recovery for lost data in case of hardware failure. For this reason, full disk encryption has previously only been a solution for large enterprises.
BN: Why is encryption so important?
EB: As data theft and security breaches are trickling down the food chain, small- and medium-size companies need to protect their data as well. The value of personal information is growing by the minute as this data can be used to perform all kinds of economic crimes such as insurance fraud, bogus tax returns and other scams. The value of personal information is huge and growing rapidly as data thieves become smarter and there is so much money to be made.
HIPAA was launched to protect the individual’s sensitive information. As a consequence, any entity that sits on sensitive third-party information, such as Social Security numbers and health records (ePHI), is strictly responsible for the protection of this information. If a laptop containing ePHI of more than 500 persons is lost or stolen, the breach has to be published on OCR’s web page -- also known as the Wall of Shame.
Should your company have a breach as a consequence of lost sensitive information, you might be up for lawsuits, fines and possibly loss of customers. Research by the National Cyber Security Alliance shows that 60 percent of SMBs are out of business six months after a breach.
Having full disk encryption installed protects both you and your customers/clients from this risk.
BN: What’s wrong with the built-in options available, such as BitLocker?
EB: You want to make sure that your computer is encrypted. BitLocker is geared towards larger organizations that run IT over Active Directory. Without your own IT department, encryption with BitLocker can be quite challenging. You need to have a TPM (Trusted Platform Module) chip installed. If you don’t have a TPM chip installed you need to access the Local Group Policy Editor (which is a rather unfamiliar tool) and change a few settings. BitLocker also doesn’t work on Windows Home Edition.
If your laptop is lost or stolen you want to be able to prove that it was encrypted at the time of the loss for compliance reasons. This is difficult when BitLocker is not a part of a corporate network.
You most likely want access to a helpdesk to do password resets and to help you with recovery in case of hardware failure. An encrypted computer that you can’t get access to is just…frustrating. A helpdesk on call 24/7 is invaluable when needed. With a stand-alone solution, such as BitLocker, you’re on your own. When your encryption key is needed you’d better make sure you know where you put it, as there is no helpdesk functionality tied to BitLocker.
BN: What’s your view on the recent Apple vs. the FBI spat?
EB: I think that it was very interesting, because it showed how strong encryption is. Having encryption in place is very good protection -- almost too good even for the FBI, apparently. However, it’s important to understand that activating the passcode on your iPhone is not the same thing as having password protection on your laptop. I think that there is quite a bit of education to be done in this respect. Enterprises have it down and mandate full disk encryption. SMBs are getting there but normally get it after they have already lost a laptop. It’s like getting fire insurance after your first house burns down.
BN: What do you think about back doors?
EB: Encryption is binary -- it is either safe or not safe. Back doors would weaken encryption for everyone. There’s no room for back doors in IT security.
BN: What can users and businesses do to keep their data secure?
EB: Data can either be in transit or at rest. For data in transit you need to make sure that you set up a secure communication to access your cloud accounts or servers. Add multi-factor authentication, so that it’s the right person that’s performing a certain task. Add a personal firewall to every endpoint.
Where does data sit most of the time? It’s at rest. Either stored in the cloud, on a server and/or at the endpoints, such as laptops or desktops. Make sure that your cloud provider encrypts your data, put your servers in safe rooms and support them with firewalls and encryption. When that’s taken care of, you are probably the weakest link. If you lose an unencrypted laptop it doesn’t matter how much security your cloud providers have -- as all your login credentials are in clear text unless you have implemented full disk encryption. If someone has physical access to your laptop, full disk encryption protects your emails, login credentials to cloud applications, Word documents, PPT, social media accounts… all of it!
You also need to train your staff so that they don’t click on malware and set policies and procedures for how transactions are performed.
BN: Where do you see the future of encryption?
EB: To quote Ray Kurzweil, "Technology has always been a double-edged sword -- like the fire that kept us warm and cooked our food but also burned down our villages". Security measures are a prerequisite for the fantastic possibilities of new technology. Just don’t let technology be turned against you.