Prime Factors Blog

Effective Data Security Solutions Balance Security Needs While Optimizing User Experience

Posted by Pete Flagella on Apr 20, 2017 10:00:00 AM


When it comes to deciding how, when, and what to secure and encrypt, companies face a variety of difficult choices – and one of them is whether to prioritize system security or to emphasize ease of use for employees. In many cases, making the right trade-offs between security and usability can be tough; some systems and protocols are highly usable, but not very safe, while others are highly safe, but very difficult to use. Organizations need to find solutions that consistently strike an effective balance between the two.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Three Goals of Encryption Management: Confidentiality, Integrity, and Availability

Before discussing specific encryption strategies for different business needs, it helps to take a step back and ask ourselves why we want to encrypt data in the first place, and what we want to do with our data once it’s encrypted. The answer to these questions can be defined by looking at three elements of data security: confidentiality, integrity, and availability, and analyzing each in the context of your business’s specific needs.

These three factors, known as the CIA triad, can help organizations define their information security strategies as well as identify any potential risks and vulnerabilities that their data may face both now and in the future.

Confidentiality means being able to restrict access to your data to only a certain number of trusted individuals. Many enterprises organize data into different branches and levels based on the amount of harm the data could do if it were to get into the wrong hands. Organizations may train one or more individuals in cybersecurity confidentiality practices, helping them to more accurately assess the risks of various situations and share best practices with other employees. 

Integrity means being able to maintain the accuracy and organization of data throughout its entire lifecycle. When attempting to maintain the integrity of data, organizations must ask themselves a variety of questions, including:

  •  Can unauthorized individuals potentially access and alter this data?
  •  Can authorized users accidentally delete important data permanently?
  •  What happens to data as the result of a blackout-induced power loss?
  •  What about in the case of a server crash?

Asking and effectively answering these questions and others like them is very important if you want to maintain the continuity and integrity of your systems through the variety of challenges that commonly affect businesses.

Availability means that data is efficiently accessible: the software operating environment is kept free of conflicts, and all hardware is continuously updated and monitored for potential issues. Ensuring sufficient bandwidth, preventing data bottlenecks, and instituting redundancy and failover in case of hardware issues are all elements of ensuring adequate data availability. In the case of encryption, availability relies on the right users being able to easily access and view encrypted data.

Additionally, information availability must be guaranteed in the case of physical disasters, such as a hurricane, fire, or flood – which usually means having physical or digital backups in multiple secure locations. Other precautions must also be taken against viruses and denial of service (DoS) attacks, so they don’t affect an organization’s website.

Effective Encryption Solutions Must Take the Cloud into Account

In today’s world, many companies have ditched much of their physical IT architecture and systems for a mostly virtual cloud-based enterprise system. Like other systems, cloud-based business software solutions must also balance the needs of an organization’s security with ease of use for its members. There are a variety of policies that can be adopted to help in this effort, including implementing smart password creation and management strategies, and training employees to detect and deflect malware, phishing scam attempts, and other potential criminal infiltrations.

While smart password management solutions can help increase security, there’s only so much they can do, especially if users employ multiple sign-ons to different cloud-based software accounts for functions such as email, CRM systems, and other programs. The more passwords a person uses, the more likely that a password can get lost or stolen. To prevent this, many companies are turning to group sign-ins and cloud-based identity management tools. These systems allow users to employ one password to access multiple accounts at once, helping keep passwords secure and saving valuable time for employees and other stakeholders.

Laptops, Home Desktops, and Smartphones: BYOD Vs. Company Devices

When it comes to employees conducting company business in or outside of work on devices like smartphones and laptops, businesses have multiple options – each with significant benefits and drawbacks. In many companies, a natural conflict erupts between a company’s CSO or CIO and their CFO or CEO over whether to institute a bring your own device (BYOD) policy or to issue highly-controlled devices that can be encrypted, secured, and monitored at the company’s discretion.

Often, CFOs and CEOs prefer a BYOD policy, citing higher employee satisfaction, increased flexibility and customization, and serious savings, while CIOs prefer company-issued devices, citing the reduced risks of hacking or data theft by a disgruntled employee. CIOs may sometimes suggest that the company simply create a policy stating that certain types of company business shouldn’t be conducted on a non-company computer or personal mobile device. While hard to enforce in practice, this may cut down on the amount of data available to hackers, especially if your company doesn’t want to distribute devices to employees.

However, when enterprise-level organizations distribute secure, encrypted hardware, such as laptops or smartphones, it can allow employees to work securely in a variety of situations. Any existing devices that are used for this purpose should also be secured, as those that are designed for travel and often connect to public networks are especially at risk for viruses, spyware, malware, and other threats.

Organizations can use a VPN Service to Browse the Internet and Access Cloud-Based Services Securely

Using a virtual private network (VPN) can easily help cut down on the information security risks that companies of all sizes face on a daily basis. This is especially important for internet use in retail locations offering free Wi-Fi, such as restaurants, bookstores, and department stores. A high-quality VPN may also protect against distributed denial of service (DDoS) attacks, in which criminals overload a website’s server with so many requests that ordinary customers are unable to access it.

Financial Services Firms Face Special Cybersecurity Risks And Need To Take Specific Precautions

The financial services industry is especially vulnerable to cybercrime, and needs to be especially careful about encrypting and protecting its data. For the most sensitive data, organizations often protect data through a process known as tokenization, in which software replaces the data with values drawn from randomly generated codebooks, a scheme that is resistant to cryptanalysis. For other, less sensitive data that needs to be sorted and searched, financial firms often use search-preserving encryption so that they can more easily sift through data while still ensuring a certain degree of information security. For even less sensitive information, such as customer email addresses, organizations often use format-preserving encryption, which allows them to store and employ email addresses more efficiently.

The financial services industry is also changing the way it identifies customers – many organizations are shifting away from using social security numbers to identify and categorize individuals, and are turning to more secure and efficient methods. In addition, financial institutions may be facing new challenges, as it has been reported that some criminals are beginning to routinely overcome the two-factor authentication methods commonly used to secure accounts at most major U.S. banks. This means that all financial institutions need to regularly update their software and strategies in order to prevent increasingly powerful attacks.

The Best Encryption Is Only as Good as Your Ability to Institute It, and the Key Management Process

Encryption is perhaps the most effective data security measure available. Even if a firewall is breached or an insider steals sensitive data, properly encrypted information is rendered useless to criminals. But it can be difficult to institute across an enterprise without a user-friendly, full-service solution, and safe and effective key management is essential to effective encryption. Without it, organizations are leaving their data vulnerable to a variety of digital threats.

To learn more about how to protect yourself and your business using encryption, and how to properly manage keys, contact Prime Factors today at 888-963-6358 or through our contact form for a free consultation.