Essential encryption for your SMB?
A must consider checklist
The Small and Medium Business segment is huge and demonstrates a wide spectrum of both cybersecurity maturity and data governance approaches, under GDPR. The regulation, in effect since May 2018, makes it the legal responsibility of business owners /operators to secure customer and employee personal data. The requirement, with its suggestion to encrypt, anonymize or destroy data (after business use), along with an ever-growing number of data breaches, is driving small and medium businesses to implement data protection technologies.
To get up to speed on data protection take our compliance check:
Data breaches, and the ensuing reputational damages SMBs suffer as a result, pushed the sector to start adopting encryption even prior to GDPR. However, in the rush to secure business data, proper vetting of products and best practice in implementing solutions has often been lacking. With limited time for market research, and the reality of finding a market flooded by a vast selection of products, it remains challenging for owners and decision-makers to find the right fit for their needs.
Many companies have tried and failed to successfully deploy an encryption product. If you are facing this decision, either for the first time, or during a second round because of the failed adoption of an already-selected solution, read further to avoid pitfalls. Start by asking the following.
Which devices present a greater risk: On-site or off-site?
Let’s look at laptops since they can be considered the core physical infrastructure at most SMBs. The following might seem an obvious point but be aware that systems are more liable to theft when away from the office. Keeping this in mind is the right way to start researching and to settle on a solution. Be sure to test the solution’s effectiveness in managing problem scenarios for your remote users. If you are satisfied with its performance when leveraged by remote users, then you’ve at least created a shortlist.
Full remote control of off-site endpoint encryption: Does the encryption system suit the needs of your IT department?
Major endpoint encryption products offer the ability to remotely manage systems. But you need to look closely at the requirements. Most products need either an open incoming connection to a demilitarized zone (DMZ) on your server, or a VPN connection. All require a higher level of IT skills that can raise costs and, in order to function, may require the user to initiate a connection. None of the above is much use with a rogue employee or stolen laptop.
A well-designed product will give you the remote management necessary without creating additional security problems requiring specialist knowledge or adding expense to via increased admin skills.
Why is design important?
Design and function are interlinked. The ability to rapidly alter security policy, encryption keys, features and the operation of endpoint encryption remotely means that your default policy can be both strong and tight. Exceptions can be employed only when and where needed and rolled back just as easily. If you can’t do this you’ll be forced to leave ‘a key under the doormat’, just in case. This would be like tearing holes in your security policy before deployment is complete.
What about remote locking and wiping of keys from laptops?
This issue could become crucial if a company laptop with full-disk encryption gets stolen while in sleep mode or with the operating system booted up. It’s even worse if those systems come with the pre-boot password affixed on a label or tucked in the laptop bag. If a remote lock or wipe function isn’t available, then the system is either left unprotected or secured only by the OS password. In either case this leaves the encryption bypassed.
Also, it is important to know whether the solution has been designed to accommodate the typical use cases that would otherwise unravel a well-designed security policy.
Removable media, can the solution secure them without whitelisting every item?
The diversity of writeable devices in use for everyday work makes it almost impossible for admins to whitelist them all, or decide whether it’s permissible to read from, write to, or not access the device at all.
It is much easier to set a file-level policy – distinguishing between files that need encryption and those that don’t – and the selected files protected every time they move from a workstation or corporate network to any portable device.
So, if you connect a personal USB stick, the solution won’t force you to encrypt your private data. On the other hand, anything coming from the company system, will be encrypted without the keys being held on your device. It is a simple idea, but one which makes any device safe without the need for whitelisting.
Ultimately, it is flexibility and ease of use that insure successful deployment of this technology.
So, you need to define whether the solution you want to use is actually easy to deploy. If setup takes hours or days and needs additional tools for its operation, it will simply lead to headaches for system admins, creating new security risks. Target an easy-to-deploy solution that doesn’t require advanced IT expertise and preserves both finances and your human resources capacity. If a positive user experience follows that easy deployment, then IT staff won’t be further taxed by user lockouts, lost data and other frustrations.
Validated, commercial encryption products have been proven strong enough for some time. However, a significant number of the recorded data breaches involving lost or stolen laptops and USB drives occurred within organizations which had bought and deployed encryption products.
Notes archived from these incidents reveal that being able to fit the solution to your environment, working practices and ease of use for everyday users are the key challenges.
Want more content relevant to SMBs?