By Aleksandar Velinov, University Goce Delcev, Štip, Macedonia.
Nowadays, organisations face many security challenges. Security is important for computer systems, computer networks, applications and data. Every day we see cases in which the security of organisations is violated: unauthorised intrusions into systems and networks, acquisition of important and sensitive information (user accounts, bank accounts) and unauthorised access to data. This has been particularly evident during the COVID-19 pandemic, when most organisations enabled their employees to work from home. As we get used to the new reality and perform our daily tasks, we may have forgotten to pay enough attention to security, especially to data security.
According to a report by the National Cyber Security Center (NCSC), the number of attacks in Switzerland in April 2020 was three times higher than the norm (350 cyberattacks in April 2020 versus the usual 100-150). It was the work from home that prompted the attackers to take advantage of the situation. According to another report, 47% of people working in the tech industry clicked on a phishing email when they were at work. This number would certainly be higher for workers who do not have sufficient technical knowledge.
Ransomware attacks, which seek a ransom after data acquisition, cost businesses 75% more in 2020 than in the previous year. Insufficient attention to security can be expensive. From February to May 2020, half a million people worldwide were affected by the theft of their personal data from video conferencing systems and its subsequent sale on the dark web. These statistics are worrying. We need to think about improving security awareness. In this context, data encryption can “neutralise” the consequences of attacks. Yes, it is time. It is time to revisit the notion of data encryption.
The basic principles of computer security are confidentiality, integrity and availability (the CIA Triad). One of the methods for preserving confidentiality is data encryption. This method converts the original data into another form. Only users who have the right key can recover the original data, a process known as decryption. Our data should be visible only to those who have the appropriate rights. Working from home and sending data over the internet motivates attackers to seek “unassigned” rights to other people’s data. If data is transmitted through insecure platforms, security vulnerabilities could be exploited by third parties, who would then gain access to it.
Have we ever wondered how safe it is to send data? Have we ever wondered if this is confidential data about the organisation we work for? Have we ever wondered how much the unauthorised access to data can cost our organisation? If the answers to these questions are not in the interest of the organisation, something must be changed. Why? Someone from the organisation allowed us to work from home. This is an assigned right but also an assigned responsibility. Responsibility for company data, responsibility for secure sharing and responsibility for maintaining confidentiality. Data encryption can be the key to maintaining our responsibility. Of course this can be time-consuming, but having all the time in the world at your disposal may not be enough to get you back on track if data is compromised. What if the data you submitted came into the hands of competing organisations? What if your reputation is damaged? What if you lose your clients’ trust?
But we need to protect not only the data that is sent (data in motion) but also the data that is stored on a computer (data at rest) and the data accessed by applications (data in use). Often the networks we use at home are insecure (weak Wi-Fi passwords, shared network resources, etc.). These can be used by attackers to gain access to “our” data stored on our computer. But let’s not forget. We work from home. In addition to our personal data, we also have our organisation’s data. Now we are responsible for it. Computers at work may be protected. Special security protocols may apply. Surely we are wondering how well protected our home computers are. Encryption can help us a lot. Let’s stay responsible. Especially now.
Organisations can create their own special security policies depending on size and needs. Larger companies typically have larger amounts of data to store and send. In terms of needs, organisations must prioritise which data or documents are sensitive and need to be encrypted and which data does not need to be encrypted. Of course, this requires a change of the company’s mentality, but this change will contribute to greater security. Employees must follow the security procedures. It may be difficult at first, but it should be understood that all this is for the good of the organisation.
The protection of data at rest can be done with: full disk or device encryption, file encryption, database encryption, Digital Rights Management (DRM), Mobile Device Management (MDM), Data Leak Prevention (DLP) and Cloud Access Security Brokers (CASB). Data in motion can be protected with: email encryption (end-to-end encryption based on Public Key Infrastructure – PKI), Managed File Transfer (MFT), DLP, CASB and DRM. Data in use can be protected by: Identity Management Tools (IMT), Conditional Access (CA) or Role Based Access Control (RBAC) and DRM. More about this can be seen here: https://www.sealpath.com/protecting-the-three-states-of-data
There are a number of tools that can be used for encryption. Some of them support full disk encryption, some file encryption, some offer an enterprise all-in-one solution for data security, and so on. Some of them are free, while others are not. A complete list of the best encryption tools can be found here: https://www.esecurityplanet.com/products/best-encryption-software
Other tools that can be used to improve data security can be found at the following links:
- DRM tools: https://www.g2.com/categories/digital-rights-management-drm
- MDM tools: https://www.g2.com/categories/mobile-device-management-mdm
- DLP tools: https://www.g2.com/categories/data-loss-prevention-dlp
- CASB tools: https://www.g2.com/categories/cloud-access-security-broker-casb
- Email encryption tools: https://www.g2.com/categories/email-encryption
- MFT tools: https://www.g2.com/categories/managed-file-transfer-mft
- IMT tools: https://www.g2.com/categories/identity-and-access-management-iam
- RBAC tool: https://www.imperva.com/learn/data-security/role-based-access-control-rbac/
Which tools to use? It all depends on the needs of the organisation and its security policies. In addition, encryption is also a basic method to help us protect our data.
Let’s get prepared, let’s think about:
- Encryption of the most sensitive organisational “data in motion” and use of secure platforms
- Encryption of the most sensitive “data at rest” and securing our computers
- Security of “data in use”
- Introduction of appropriate safety protocols for work from home
- Coverage of licensing costs for antivirus programs by organisations
- Multi-factor authentication for organisational platforms
- Good protection of our home networks (strong Wi-Fi passwords, secure protocols)
What is particularly interesting in these COVID-19 pandemic days is the security of human data. How can we improve its safety? How can we preserve privacy? How can encryption help us? More about this in one of our next articles.
About the Author
Aleksandar Velinov is a teaching/research assistant and PhD candidate at the Faculty of Computer Science, University Goce Delcev in Štip, Macedonia, where he received his MSc degree in Computer Science in 2016. His fields of interest and research include computer and network security, security of IoT communication, digital steganography, Internet of Things (IoT), Machine-to-Machine (M2M), big data, big data analysis, learning analytics, cloud computing and mobile technologies.
Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://dev.connect.geant.org/csm2021