Here's a sobering prediction: One-third of all adults in the United States will have their personal identity information compromised or lost this year by a company that electronically stores the data, according to figures supported by the Privacy Rights Clearinghouse. Whether or not that number is perfectly accurate, the list of publicly known data breaches is staggering nonetheless.
Who is to blame? Hackers and careless employees, to be sure. But increasingly, culpability also falls squarely on companies that fail to encrypt confidential data. Ultimately it is the company that must shoulder the burden of far-reaching consequences. Failing to protect confidential data is not only a threat to customers and damaging to corporate reputation -- in some cases it's illegal. Sixteen of the 20 existing U.S. state privacy laws require encryption to protect confidential consumer data, according to Warren Smith, vice president of marketing at GuardianEdge Technologies, whose products were recently purchased by the U.S. Department of Veterans Affairs.
Unfortunately, operating system and application vendors haven't made it easy or seamless to create a comprehensive encryption strategy. Existing laws and guidelines often conflict with one another or fail to provide prescriptive guidance. Nonetheless, all companies in the business of storing sensitive data should implement encryption policies anchored to a comprehensive encryption strategy.
"In order for encryption to be used consistently, it has to be implemented by default and be as transparent as possible," says Stephen Roll, product manager at Iron Mountain, a data protection company. "For example, when we back up data over the Internet, the encryption is done prior to the transmission. It's protected while being transmitted and is already encrypted with 128-bit AES before it hits the storage media."
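The encrypt-before-transmit pattern Roll describes, written out as an added example in Go (this is not Iron Mountain's code): the backup payload is sealed with AES-128 in GCM mode on the client, so neither the network path nor the storage media ever handles plaintext, and any tampering with the stored blob is detected on restore. The 16-byte key is a constructed sample; real key management is outside this snippet.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealBackup encrypts a backup payload with AES-128-GCM before it is handed
// to any transport or storage layer. Only ciphertext leaves this function.
// key must be exactly 16 bytes (that is what "128-bit AES" means in practice).
// The random nonce is prepended to the output so openBackup can recover it.
func sealBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM authenticates as well as encrypts: a modified blob fails to open.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openBackup reverses sealBackup on the restore side; it returns an error
// if the key is wrong or the stored blob has been altered.
func openBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// leaksPlaintext is the check an eavesdropper or storage operator could
// make: does the record contain the sensitive bytes?
func leaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key := []byte("0123456789abcdef") // constructed sample key, 16 bytes
	record := []byte("customer record: sample data")
	blob, _ := sealBackup(key, record)
	fmt.Println("plaintext visible on the wire:", leaksPlaintext(blob, record))
}
```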
No room for compromise
Any data that can be used to identify an individual, group, company, or entity should be protected against unauthorized access during creation, transmission, operations, and storage. Confidential information is especially at risk during transmission across untrusted networks, such as the Internet, and when stored on portable computing devices: laptops, data backups, USB flash memory drives, PDAs, and other small form-factor computer equipment.
A comprehensive encryption strategy must consider all the ways the data can be input and output, as well as how it's stored. Hackers increasingly favor client-side attacks. They'll get a trusted employee to unknowingly install a Trojan or key logger, which they then use to access the data. Certain malware can also gain access to data as it traverses the network. The data may be compromised while it is stored online or physically archived. An end-to-end strategy must even enforce protections for data sent to business partners and third parties.
Even a minimalist approach requires that the following areas be encrypted: wired and wireless network transmissions, hard drives, floppy disks, CD-ROMs, DVDs, backup media (tape, WORM drives, and so on), e-mail, IM, peer-to-peer technologies, PDAs, databases, USB keys, passwords, and active memory areas.
Building your strategy
Creating an encryption strategy requires significant review and effort. It's best to approach this as a major project, involving key members of operations, management, and IT. Start by bringing together key data stakeholders and explain the mission. As a group you must identify applicable regulations, laws, guidelines, and external influences that will have an impact on your purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, wireless networks, and data backups.
Encryption is useless if an attacker can access confidential data directly and skip the burden of having to defeat any cryptography. So, a successful strategy defines strong access-control techniques, using adequate combinations of file permissions, passwords, and two-factor authentication. Access controls must be audited on a regular basis to ensure their validity.
Research various encryption solutions, read technical reviews, and contact the customers of vendors that interest you. Nothing beats a try-before-you-buy approach in this arena because what works well for one company doesn't necessarily work for another. Ultimately, you must select one or more encryption solutions that best fit your organization.
Prior to deployment, develop a written policy endorsed by management and communicate both policy and operational instructions to end-users, including business partners and third parties that handle sensitive data. If they can't meet your company's policies and demonstrate as much, they don't get your data. Encryption responsibility should be fixed and have consequences for noncompliance.
Consider implementing a tool to monitor and detect the leak or theft of confidential information. The policy should always include a statement indicating that any lost or stolen data should immediately be reported to the key stakeholders for evaluation. It should include specific steps to take when a data breach is detected. Exactly who should be contacted, how quickly? When will customers be notified, who decides, and how? Will customers be given free credit reports? All of these questions should be answered ahead of time.
Although only loosely related to encryption, a proactive data destruction policy should be enforced as well. Many of this year's embarrassing data-theft stories involved data that should have been destroyed long ago. If the data isn't needed, get rid of it -- and the risk that goes with it. A good policy indicates how long data should be kept, from the instant it is created or obtained, as well as how it should be secured and destroyed.