With the rise of BYOD (bring your own device) — and the variety of different devices and applications that now access business data — encryption is becoming increasingly important for businesses.
Despite its necessity, however, encryption is often overlooked or misunderstood. The primary reason for encrypting data is to ensure the confidentiality of the information. Encryption makes it more difficult for intercepted data to be read or altered. But it isn't foolproof, which the recently revealed Heartbleed bug shows.
Even so, all businesses — no matter what their size — require data encryption, experts say.
"No organization is exempt from attacks," said Eric Chiu, president and founder of HyTrust, a cloud infrastructure control company. "Small business may be even more vulnerable, as most small companies do not have the resources to invest in full-time data security personnel, and attackers know this."
Encryption is the easiest way to simplify the attack surface, effectively closing off any back doors thieves may find, and forcing them to come through the front door.
There are two basic types of encryption: symmetric and asymmetric, said Leonard Jacobs, president and CEO of Netsecuris, a Minneapolis-based company that provides security consulting and services.
"Symmetric encryption is also called private-key encryption because a key is shared between the person or organization that encrypts the data and the person or organization that decrypts the data," Jacobs said. "The same private key performs encryption and decryption. The difficulty arises in the key distribution process. If the private key gets into the wrong hands and that third person can obtain the encrypted data, then the data is no longer private."
Asymmetric encryption is also called public-key encryption because the person or organization that wants to encrypt data uses a public key that was shared by the receiver of the encrypted data, he added.
"The receiver has the private key that can decrypt the data encrypted by their public key, which was shared with the sender," Jacobs said. "This type of encryption solves the key distribution problem found with symmetric encryption: The public key of the receiver is freely published out on servers."
But what all security experts don't agree on is whether all data should be encrypted. For his part, Jacobs said not all data has to be encrypted, but rather just valuable data.
However, Matt Branton, founder of SenderDefender, an email and file security product, had a slightly different view. "There is computational cost involved in encrypting data, but for the most part, all data should be encrypted," he said. "The overhead is minimal compared with the security provided."
There are many tools that allow businesses to encrypt data. Some options include open-source or free data encryption tools, such as TrueCrypt, or file-zipping tools, which have encryption as an option, Jacobs said. "Many open-source tools do work very well and are free by the nature of open source," he said, adding that support for these tools often requires a fee.
Operating systems also include encryption tools, such as Bitlocker in Windows 7. HTTPS Everywhere is a commonly available extension for Google Chrome and Mozilla Firefox that tries to turn on Secure Sockets Layer (SSL) encryption on all visited sites, Branton added. SSL certificates are perhaps the most efficient and least-expensive encryption options available.
There is often confusion about popular Web-based email services and encryption. Bob Janacek, chief technology officer at email encryption service DataMotion, warned that while services like Gmail and Yahoo have increased security, secure does not necessarily mean encrypted. Instead, you'll need to use special encryption applications, such as DataMotion's own tool SecureMail. Most smartphones have built-in encryption software that's free to use, so businesses' BYOD policies should encourage the use of this feature.
[For a detailed breakdown of DataMotion's email encryption software and a side-by-side comparison of the best email encryption software, visit our sister site Top Ten Reviews.]
However, even though encryption is one of the most secure ways to share data, the discovery of the Heartbleed bug shows that there is no such thing as a 100 percent fail-proof security method.
"The gist of the Heartbleed vulnerability is that attackers can steal the encryption keys from Internet servers or desktop software using OpenSSL for encrypting network traffic, then use those keys to decrypt the data," said Lucas Zaichkowsky, enterprise defense architect with cybersecurity firm AccessData. "Even if software is patched to close this vulnerability, previously captured encrypted communications can be decrypted using the compromised keys."
Details on Heartbleed are just becoming available, but security experts have created a website with more information about the vulnerability at http://heartbleed.com/.
Overall, adding encryption is beneficial for businesses, security experts say. "Many businesses are liable in some way for customer data, or would be hurt greatly if they were the subject of a security breach," Branton said. "Encrypting data on devices that might be physically stolen is always a good idea, keeping important documents out of unencrypted cloud services or email providers can save you headaches later and using SSL everywhere will help you avoid snooping. It is generally worth the added complexity to keep yourself reasonably secure."
Originally published on Business News Daily.