Global Encryption Day: Protecting our first line of defense
Today, Global Encryption Day 2023, marks the perfect opportunity to reflect on what has been a highly challenging year for the technology.
Encryption acts as a fundamental safeguard of data privacy, securing data both during transmission and while at rest. It often serves as a primary defense against hackers and is indispensable in preventing unauthorized access to sensitive information. With the risk of reputational damage and massive fines for those who are breached, it is essential for any organization looking to ensure regulatory compliance.
Yet, encryption has been under the microscope over the past 12 months, with the UK government’s Online Safety Bill proposing to force messaging apps to monitor encrypted communications. This year’s Global Encryption Day serves a higher purpose than in previous years, seeking to encourage a worldwide effort to protect end-to-end encryption and defeat any proposals that try to undermine it.
Here are the thoughts from six cyber security experts on the importance of resisting governmental opposition to encryption, the emerging threats that reaffirm its need and why a strong encryption strategy is not as simple as it seems.
Governments must understand the importance of encryption
Paul Inglis, SVP, EMEA at Ping Identity, explains that "Global Encryption Day is a good moment to recognise how important it is to enable everyone to safely and securely access the connected world, and safety is of paramount importance, which is where encryption comes in."
"The recently passed Online Safety Bill aims to offer better protection for children online, and the news that the bill would not ban end-to-end encryption on messaging apps was particularly welcome. Messaging is integral to our online identity, and keeping this data private is becoming increasingly important. While the government waits for accredited safety technologies to be developed, we must protect children online right now without delay."
"With the current way the web works, it's far too easy to access age-restricted content. In fact, a recent Ofcom study found that about one-third of children ages 8-17 create fake profiles to register an adult account, and nearly half of children ages 8-15 have accounts claiming they are 16 or older. This deep-rooted challenge needs to be solved as quickly as possible to create a safer internet for everyone."
This sentiment is echoed by Jake Moore, Global Cybersecurity Advisor, ESET, who describes how "encryption is a necessary last line of defense for your data, particularly in a world where ransomware attacks are prevalent. Should the worst happen and hackers manage to get hold of your information, encryption ensures that it cannot be accessed or used against you. As a result, it is used everywhere – from financial transactions to messaging apps."
"Global Encryption Day is an opportunity to recognize the importance of this technology for the security and privacy of millions of people. As lawmakers, albeit with good intentions, attempt to regulate against it, recognizing and understanding the critical function it performs is vital."
The first defense against emerging threats
Generative AI has thrust its way into the mainstream over the past year and is predicted to revolutionize a plethora of industries. However, it is also set to change the security landscape significantly.
Sander Vinberg, Threat Research Evangelist, F5 explains that "we’ve already seen examples of where ChatGPT has been used by attackers or threat actors to write very basic but effective malicious software or malware. It’s a tool that massively lowers the bar for threat actors. What we see across the whole security landscape is a wide range of threat actors that are very good at writing social engineering emails, but perhaps don’t know how to write code, ransomware, or are simply not good at encryption. Those malicious actors now don’t necessarily need to go to a third party and employ a hacker -- they can create their own using ChatGPT. Similarly, attackers can use generative AI to refactor malicious code endlessly, producing novel scripts and malware that accomplish the same purpose as the original, but which will be unknown to many detection systems."
Tools like ChatGPT have implemented filters to try to prevent this, but Vinberg warns that there are methods to bypass them. "Security researchers have demonstrated this many times, and we’ve already witnessed threat actors discussing ways to get around them, meaning effective encryption of sensitive data is more crucial than ever."
A strong strategy is vital for robust encryption
Encryption plays a crucial role in maintaining regulatory compliance and protecting data. However, implementing a strong strategy can prove more complicated than that.
Gareth Jehu, Chief Technology Officer at Com Laude outlines that "with cyberattacks on the rise, it goes without saying that any web service that stores or processes confidential or sensitive data should employ encryption methods. The internet is a far safer space for customers and businesses today thanks to the over 175 million SSL certificates issued to website owners, with Google estimating that 95 percent of all its tracked web traffic is encrypted."
"However, owning an SSL certificate is not on its own a panacea for guaranteeing online security, and businesses should take a more proactive approach to keeping their domain assets secure. Certificate lifecycle management, correct configuration and continuous monitoring of usage, expiration and renewal are all essential to avoiding loss of customer trust, service interruptions or even data breaches."
Similarly, Adam Marrè, Chief Information Security Officer, Arctic Wolf warns that "Global Encryption Day must serve as a strong reminder for organizations and consumers to check they are protected as, unfortunately, many aren’t. It’s a common practice to neglect encrypting data from end-to-end, instead opting to only encrypt what they deem as the most important, or sensitive, information, simply because it’s easier to do so."
"In almost all cases the benefits of end-to-end encryption greatly outweigh the negatives. Implementing it will put criminals at a distinct disadvantage, likely pushing them to seek out alternative, less lucrative, places to steal data. I urge everyone, from government, to the private sector, to citizens, to familiarize yourself with the protections end-to-end encryption affords you."
Organizations also need to maintain visibility across their security infrastructure without compromising performance.
Paul Anderson, VP UK & Ireland, Fortinet explains that "to accomplish this, organizations need to assess the effect encryption has on security throughout. Isolated point solutions then need to be replaced with an integrated security solution that can automatically process large quantities of encrypted data. All without slowing productivity or hindering visibility, especially since the volume and percentage of encrypted data will only continue to grow."
"For encryption to work most effectively, organizations must take an integrated approach within their security strategy to make sure encryption is doing its job: providing critical security and data protection without decreasing the productivity of the security infrastructure. Encrypted data must be inspected -- but at the speed of the network, and without compromising digital business requirements. The use of automation and high-performance security resources tied together to extend protection from the network edge out to the cloud and deep across the distributed network will prevent negative consequences related to protecting data, while ensuring the positive experience that today’s digital consumers demand."
Encryption continues to be and will remain a vital component of an organization's primary cybersecurity strategy. Nevertheless, as it faces increasing scrutiny from government authorities, the security sector must take proactive steps to clarify the significant role it plays in safeguarding our data privacy.