ENCRYPTING EVERYTHING that passes through the firewall seems like a no-brainer these days given the cyberthreat landscape. So why doesn’t everyone do it, especially with increasing compliance demands that impact businesses of all sizes?
“I see this under-implementation quite a bit,” says Kevin Beaver, an independent security consultant at Principle Logic.
Small business owners may believe everything’s OK and they’re not a target. Doing very little in security is the path of least resistance.
“Across the board, not encrypting anything is the most common thing ever,” says Maria Scarmardo, founder and CEO of Praxis Data Security, a risk management and data compliance service provider in Dallas.
Businesses may also be confused about what data they should encrypt, which files are already encrypted by certain software, and whether every remote user needs a VPN.
In addition, a common perception about encrypting data at rest or in motion is that it negatively impacts performance when transferring files across the internet or reading local files. That argument, however, is “not as strong as it used to be,” says Beaver. Modern workstations, servers, and network hardware maintain performance in all but the most intense interactions.
Even so, the value of data safety versus performance tilts strongly in favor of encryption.
Some data clearly calls for protection, says Beaver. “If you’ve identified a risk, then it needs to be addressed either via encryption or some other compensating control.” If a performance degradation does occur, there are likely alternatives to try. “Cutting corners, especially where opportunity lies for loss, is not a great approach.” This goes beyond encrypting customer information and includes intellectual property and other information assets, he adds.
Knowing what data needs to be protected is key. “You don’t have to encrypt everything,” Scarmardo says, “but you need to know what data to encrypt.” Business owners, she notes, have a gut feel about what’s important. Are they in litigation? That data must be protected. If they accept credit cards, their PCI software is required to have a level of encryption. Intellectual property and financial records are two other easy choices.
“We try to help companies develop a security framework they can follow, including where to place encryption and how to do it,” she explains.
Companies that decide to encrypt data traffic will find lots of tools and friendly options in the channel, says Scarmardo. “SMBs may not realize they have some of these tools already.” For instance, remote users early in the lockdown got mad at their VPN tools, she says, but after a time the VPN became normalized as they logged in to different systems. “As these tools became standard business practices, the learning curve improved, and the inefficiency argument went away.”
In addition, she says, “Microsoft includes encryption capabilities for SharePoint with basic licenses, with more available with higher-level licenses.” Many vendors follow that model.
For small businesses that resist encryption, Scarmardo says the tipping point will likely be a big customer that requires it of their contractors. Consider a T-shirt printing company that may have minimal data protection and encryption in place but wants to get a contract from a major sports team. “The team will be sending you logos, images, and other intellectual property, and demand you stay up to date [and] follow their vendor management rules and their list of best practices for security, encryption, and more,” she says.
“Vendor management rolls downhill,” she laughs, “and businesses with no encryption at all find it affects their contracts and their wallets.”
The good news for channel pros offering encryption solutions and advice? “There is unlimited growth potential as it relates to security,” Beaver says.