Prime Factors Blog

5 Common Mistakes Made When Implementing Encryption (And How to Avoid Them)

Posted by Pete Flagella on Sep 8, 2016 10:00:00 AM


Encryption is a fickle friend to a lot of businesses. It certainly protects the company when performed correctly, but it also creates logistical IT challenges that even the highest level staff can feel ill-equipped to coordinate. Mistakes are common, and they're often made without anyone catching them. Considering that hackers only improve their technique day by day, it is simply not worth the risk to leave anything to chance. We'll give you 5 common encryption implementation mistakes and how they can be avoided.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

The Mistake: Creating Your Own Encryption

Computers, both hardware and software, are constantly being reinvented. Because of this, the value of technology is still difficult for us to assess. We know that the average consumer is willing to pay several hundred dollars on a smartphone, and companies spend millions on computer-based devices, but the value of code can often feel subjective. Between OSS and website platforms like WordPress, it's easy to believe that it's become relatively simple to generate and protect digital data — especially in light of the claims made by vendors of every size. However, the truth is that it's this attitude that has been the cause of so many hacks across a variety of industries. If you hire a developer who truly understands code, they will tell you to find a company that specializes in the actual encryption software. There is just too much happening in the world of security and encryption to have someone divide their attention among tasks or create code with only a small team to help. It's not impossible for you to find an employee who can find and implement a unique system for your company, but it would surely not be very cost-effective to do so. 

The Solution: Finding Software that Works

If you deal with any type of sensitive data, from health information to credit card numbers, you owe it to yourself and your customers to seek out encryption from a company that has stayed ahead of the many advancements in security and encryption. Prime Factors has direct experience with federal regulations on protecting data, from HITECH to PCI DSS. The goal is to keep up with changes to the regulations so that we can help our customers keep up with their encryption needs. We even do seemingly trivial things like identifying the customer's ideal key length, giving them a strong defense and the best chance of keeping up with a quickly changing system, without overtaxing their system (and business) resources.

The Mistake: Poor Key Management

There is no such thing as simple key management, because the very nature of the task makes it complicated. Once unauthorized parties get their hands on encryption keys, the story is over – the data is available to them. If a developer places keys in application source code or makes them accessible from the main server, the entire system is at risk. There needs to be some distance between the key and the actual information itself. If keys are readily accessible to insiders in your organization, you are basically entrusting them with practically the entire future of the company (as most businesses will not recover from a significant breach). Larger organizations see employees come and go and tend to lose track of who has control over what data, and smaller companies may not have developed clear policies and expectations. This type of confusion is just the opportunity attackers leverage.
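As an added example (not Prime Factors' code), here is a small scanner for the first of those mistakes, keys embedded in application source; the key-like variable-name patterns and the sample source it scans are constructed for the illustration:

```python
"""Scan source text for hard-coded encryption keys.

Added example (not Prime Factors' code) for the mistake described above: keys
embedded in application source. Flags quoted literals assigned to key-like
variable names that look like raw key material (long hex, or long high-entropy
base64). The variable-name list and sample source are constructed for the example.
"""
import math
import re
from collections import Counter

# A quoted literal of 16+ chars assigned to a variable whose name suggests key material.
KEY_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:key|secret|passphrase)\w*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
HEX = re.compile(r"^[0-9a-fA-F]+$")
B64 = re.compile(r"^[A-Za-z0-9+/]+=*$")

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 scores above 4.5, English prose well under."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_key(literal: str) -> bool:
    """True for 128-bit-or-longer keys written as hex, or as high-entropy base64."""
    if HEX.match(literal) and len(literal) >= 32 and len(literal) % 2 == 0:
        return True
    return bool(B64.match(literal)) and len(literal) >= 22 and shannon_entropy(literal) > 4.0

def find_hardcoded_keys(source: str) -> list:
    """Return (line_no, variable_name, literal) for each suspicious assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = KEY_ASSIGN.search(line)
        if m and looks_like_key(m.group(2)):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits

# Constructed sample source: two embedded keys, one harmless string, one key reference.
SAMPLE_SOURCE = '''
import os
AES_KEY = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
hmac_secret = "c2VjcmV0LWtleS1tYXRlcmlhbC1oZXJlLTEyMzQ1Njc4OTA="
welcome_key = "thank you for using our service today"
kms_key_id = os.environ["KMS_KEY_ID"]  # a key identifier, not key bytes: fine
'''

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} holds embedded key material ({literal[:12]}...)")
```

A key identifier or environment lookup is not flagged, which is the pattern the scanner is meant to push developers toward: the application holds a reference, and the key bytes live elsewhere.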

The Solution: Keep It Simple

Effective key management solutions address challenges inside your organization by considering real-life situations like busy employees and highly motivated hackers who are trying to get into systems by any means. A strong and simple solution provides an interface and input methods that feel intuitive for your IT and managerial staff. There may still be some minor customization required inside your company, but the entire process of keeping key management and encryption running will be more effective and more efficient for the entire team.

The Mistake: Pushing Encryption to the Back Burner

Encryption is definitely not the most exciting topic for any company to consider, and too often people take the 'step back' approach with their security needs. They assume that everything is running smoothly, not realizing that they're leaving themselves open at practically every turn. IT staff are busy with tasks to improve availability and responsiveness, and to make it easier for people to buy or take action when using the company's applications or website. It's difficult and almost unnatural for them to slow down and consider where and how to implement encryption.

The Solution: Auditing and Documenting

Though not terribly exciting, auditing and documenting IT operations could wind up ensuring the overall well-being of the entire company. With continued audits and clear written policies that are continuously updated, you stand a better chance of knowing when to take more action. Effective encryption solutions make reports and documentation easy to read and simple to follow for better compliance.

The Mistake: Staying in the Past

Outdated software is a common problem for those who use encryption because not all code is created equal. Depending on the cryptography used, it can be easy for coders to study the patterns and decrypt it all. Those who specialize in encryption can tell you there's a fine line to walk when it comes to creating a mathematical solution that works to make PHI or HIPAA data unreadable to hackers, but still readable to the company who employs the product. Older software was not necessarily made with this goal in mind, and the software has been around for long enough for hackers to have worked their way into it. In many cases human error is to blame, with people either forgetting or delaying system upgrades. Again, determined hackers will find bugs in every program; there are few that are immune. While your encryption may be airtight in one case, there may be ways for intruders to get to your data based on the other software and hardware on your network.

The Solution: Upgrading Your System

To a large extent, this is a problem that will always need to be worked on, as time and innovation never stop. However, deploying encryption solutions developed by companies with both historical knowledge and dedicated resources can alleviate a large part of this burden for you. When you use software solutions that are designed to continually address advances in technology, you benefit from the design team's expertise and their ability to make it easier for you to update or upgrade applications safely, whether you upgrade part of your system or build new systems from scratch.

The Mistake: Taking Shortcuts With Your Libraries 

When you use your existing software libraries to enable encryption, you may just be working with whatever defaults came installed on your OS. Making use of them seems simple and easy. After all, it's already built in, so it makes sense to use what you have. However, it's this type of thinking that has given attackers a quick way to start deciphering the intricacies of your deployment of these commonly used libraries, and it makes the older versions especially vulnerable to attack.

The Solution: Make Understanding a Priority 

Many of the problems that stem from using the wrong technology come from a lack of a foundation in technology, and even seasoned IT professionals get caught up in their own worlds sometimes. It's nearly impossible for any one person to keep up with all the advancements in technology when it comes to carrying out the data compliance measures for federal regulations. Using an external encryption software provider not only means you will get the most advanced technology and approaches available, but also education and training that makes it possible to keep data protected.

Topics: Enterprise Data Protection, encryption