
Top Reasons Encryption Is Not Used

There are many reasons to password-protect, or encrypt, one’s digital data and keep private life private. Foremost among them is to protect it during a security breach. This article lists the top reasons encryption is not used by individuals as well as organisations.

Top Reason Why We Encrypt

Here is what Bruce Schneier says about why we should encrypt. Schneier is the creator of many cryptographic algorithms, including Blowfish and Twofish.

 “Encryption protects our data. It protects our data when it’s sitting on our computers and in data centers, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.

This protection is important for everyone. It’s easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents.”

Top Reasons Encryption Is Not Used by Individuals

There are many reasons not to encrypt, too. Here are the top reasons encryption is not used by individuals:

  • A faulty storage device with encrypted data may render that data irretrievable, whereas for non-encrypted data there are easy-to-use tools that can potentially recover the information.
  • It takes time to set up on a device.
  • It is often not possible to remove encryption.
  • The wrong assumption that an anti-virus tool will protect the data as well.
  • It can make it more difficult for others to assist you with your device.
  • It can make transferring information to new hardware more difficult.
  • For some devices, it requires a secondary login process like two-factor authentication.
  • It adds another layer of complexity when making changes to the device.
  • They simply don’t want to pay for encryption software unless they are absolutely required to protect sensitive data.

At the end of the day, the importance of encrypting a device should be seen in the same light as having a door to your home that only allows someone with the key to go through and can never be unlocked without it. That sounds great, especially if you have some really valuable stuff inside. Encryption makes sure to keep your private life private.

An encrypted device is far more secure than an unencrypted one. That means your data is going to be safe, should you lose your device.

Top Reasons Encryption Is Not Used in SMBs

The recent data breach of 9 million patient records at a healthcare organization raises an important question: “What are the barriers that stop healthcare organizations from encrypting their devices?” One of the resulting stories, by Marianne McGee, has been posted at HealthCareInfosecurity. Here are the most common reasons why encryption is not implemented.

Lack of executive support

This has been a problem since SMBs and organizations started using encryption. Decision-makers and executives withhold their support for encryption for a wide range of reasons.

  • A large portion of executives don’t want their data encrypted because they view encryption as being too complicated to use.
  • Many think encryption will slow them, and/or their systems, down too much. Some think encryption now is as kludgy as it was 5, 10, 15 or even twenty years ago, when they first encountered using encryption and had very bad experiences. Those bad times with security technologies stick with them much longer than the good times.
  • Many executives think they already have the encryption they need if they are using SSL on their web sites. They simply don’t understand that such encryption does not keep the data encrypted after it goes into the vast number of storage locations.
  • And many execs simply don’t want to pay for encryption unless they absolutely are required to implement it.

Lack of resources/funding

Encryption costs money. Not nearly as much as it did even just a few years ago, but generally, there will be a cost associated with implementing encryption everywhere you truly need it. SMBs and organizations need to address this by figuring out why the funding isn’t there. Here are some common reasons:

  • The last bullet from section 1 above is one of the primary reasons why there is no funding. The execs and directors simply don’t understand the importance, and so they put the kibosh on any funds.
  • I’ve also seen budget proposals that simply did not include encryption as an oversight. It really is amazing how often it gets forgotten, while trying to include firewalls, DLP, anti-malware, etc. Encryption gets the short end of the stick almost as often as (well, closer to than the others mentioned) training and awareness.
  • I’ve seen many companies that originally had budgeted for encryption, but then many times that funding gets usurped by some other new project that is sexier and more glitzy. Yes, encryption is far too often the jilted technology spouse, left for a more exciting new technology, often not even related to security protection. Oh, Big Data Analytics, you are an extremely tempting option for many!

Increasing technology complexity, BYOD and mobility

Think about all the complexity that exists within most SMBs and organizations. Web servers, file servers, desktop computers, smartphones and a wide range of other mobile computing devices, mobile storage devices, employee-owned devices used for business activities, stationary data storage, cloud services providing a wide range of services, and the list could go on.

Where is all the data? Where are all the risks to data? This complexity often results in a hit-or-miss implementation of encryption. There are often problems with compatibility of encryption solutions with all these diverse computing devices. Sometimes there is no encryption solution for certain types of devices.

It is not surprising that all the sensitive data is not encrypted everywhere there are risks. However, that is not a good excuse for not being more proactive in identifying and managing risks.

Final Thoughts

Encryption is an effective tool that individuals, as well as all types of organizations, of all sizes in all industries, can use to help protect sensitive information such as PHI and all other types of personal information.

To determine where to use it, first identify where your sensitive data is collected, stored and processed, and then identify the risks through the entire lifecycle of the sensitive data.

Implement encryption, in transit and in storage, in all the locations where there are sufficient levels of risk and legal compliance requirements to do so, to justify encryption to your business leaders and decision makers.

You may also be interested to know about the common usage of encryption.

 

THE KRUPTOS SECURITY BLOG

About the Author: Thiru

Security Specialist
