Cyber crime has shown explosive growth over the past few years, and shows little sign of abating. At the same time, the way we use technology – and the way we work – is evolving at an equally breakneck speed. Balancing the needs of enhanced security without compromising versatility and flexibility is a major challenge facing IT professionals.
In the past, IT security meant securing against external threats through physical security measures, hardware and software such as firewalls. Those techniques are all still vitally important, however the situation is a lot more complicated now thanks to the rise of the mobile worker and the need to secure data on mobile devices that are routinely carried into the wild, beyond the boundaries of the building and the safety of the corporate firewall.
BlackBerry provided one of the early answers. Its enterprise server architecture, encrypted messaging and handheld devices with built-in security features were a winning combination for its day, allowing IT departments to expand communications beyond the corporate firewall with reasonable safety. The exponential growth of Android and iOS platforms and the desire for people to be able to utilise their own devices for work means that a single platform solution is no longer practical. Yet interestingly, the answer to securing this new, nebulous network remains the same – encryption. But, encryption done right.
Carried out properly and thoroughly, encryption is perhaps our most powerful weapon in the battle against cyber criminals and data losses, both intentional and inadvertent. Properly encrypted data is virtually impossible to decipher, creating a very effective barrier to it falling into the wrong hands, either while it’s in transit, or at rest on file servers and personal devices.
There are numerous ways in which cyber criminals can intercept data on the move. Network security can be hacked or compromised by malware introduced to the network through social engineering attacks or an unintentional breach of security protocols. Moreover, thanks to the growing use of personal devices for work as well as play, there are plenty of other threats too. The proliferation of WiFi hotspots has made people blasé about connecting their mobile devices to ad-hoc networks. Often these are not always as they seem. A cybercrook sitting in a busy city café can easily snare the unsuspecting by creating a fake hotspot. When customers connect, the criminal will be able to eavesdrop on every email, every file exchanged, every chat message and website visited. There is nothing to stop a criminal setting up a fake hotspot from under window of your meeting room to catch your unsuspecting visitors as they try to access the guest WiFi service.
Valuable data resides in emails and databases, and also in unstructured form such as documents, spreadsheets, pictures and multimedia content. This kind of data is spread throughout the organisation and frequently copied onto multiple devices, making securing it by physical or password-protected means virtually impossible.
And crucially, one of the biggest threats to IT security comes not from outside, but from within the organisation itself. Some sources attribute data losses through the actions of disgruntled employees, those seeking financial gain by selling private information or even determined industrial espionage, at as much as 43% of all incidents. Inadvertent data losses can be just as catastrophic. According to Intel Security, 21% of serious corporate data losses occur as a result of the loss or theft of a mobile device. The growth of the mobile workforce means this too is a rapidly escalating problem area.
Encryption provides an effective answer to all these different threats, but only if it is carried out effectively and systematically to create a secure “eco-system” based on trust, rather than device identity, which can be faked or compromised by theft, or challenge-response barriers such as usernames and passwords which can be defeated by brute force attacks.
Effective encryption has a number of key features. It must be an end-to-end encryption system to ensure data stays protected at each stage of its journey from sender to receiver, including any storage along the way. Many so-called secure messaging systems – including the old faithful BlackBerry Messenger - only encrypt between the user and the server facilitating the exchange. In more technical terms, the encryption keys used to encode the data are known to a third-party in the transaction other than the sender and recipient, thereby creating a vulnerability.
In end-to-end encryption, the keys are known only to sender and receiver. A third party intercepting the data, or even physically stealing the server used to route it, will not be able to decode it. To guarantee safety, the strongest levels of encryption must be employed. Both symmetric and asymmetric encryption algorithms are applied in communication services to protect data. AES is a proven symmetric encryption technology, and AES-256 is its strongest version, using a 256 bit encryption key. AES stands for Advanced Encryption Solution, and is the method adopted by the US government to secure its top secret material. RSA-3072 is a widely used variant of the RSA family of asymmetric encryption techniques, considered robust enough for most strong encryption applications. End-to-end encryption can employ both symmetric and asymmetric encryption in a number of different ways. However it is the way that keys are managed that is the most critical factor in effective software design.
The best security system in the world is of no use if nobody wants to use it. An effective encryption solution must be easy to use and not get in the way of communications, so users aren’t tempted to override it. These days, it must also be device and platform agnostic, working just as effectively on every device whether its on the desktop or in the pocket.
Text is only one aspect of modern communications, which these days is just as likely to include images, video and voice communications – all of which are vulnerable and therefore must be protected. In the age of the mobile workforce, this will often include group messaging and multi-participant conferences.
By Catherine Long, PR Manager, VIPole International LP.