Is encryption too hard for SMEs? "Yes and no," says Sophos director of product marketing Anthony Merry.
Easy-to-use full disk encryption is a standard feature of Windows (BitLocker, in the Pro and Enterprise editions) and macOS (FileVault), and can be managed centrally or individually. Android and iOS devices encrypt their storage by default, he says.
Without full disk encryption, a miscreant can remove the drive and connect it to another computer to read the data. If the disk is encrypted, the data on the drive is meaningless without the key.
Sharing encrypted files between one user's devices or among users within an organisation can be done seamlessly, he says, but it tends to be harder when sharing beyond that boundary – not surprisingly, because the whole point of file encryption is to make files hard to read.
A common situation is where someone accidentally emails a sensitive file to the wrong person. Perhaps the actual addressee has the same first name as the intended recipient, auto-complete kicked in and the user was sufficiently distracted to press Send without noticing the address was incorrect.
"Even the most security conscious of us will have a moment of weakness," says Merry.
Unintended disclosure accounts for around 27% of data breaches, so a significant reduction can be achieved by encrypting files, provided people don't get into the habit of sending the password along with the document.
Sophos's SafeGuard Encryption product includes a capability the company calls synchronised encryption, he says. All files are automatically encrypted, and then when they are opened by applications that have been explicitly marked as 'trusted' they are automatically decrypted.
This prevents untrusted processes, including malware, from reading the plaintext. When used in conjunction with Sophos endpoint security there is a further precaution: the local copy of the decryption key is destroyed as soon as malware is detected, and downloaded again from the management server once the system has been cleaned.
So if an employee installs a torrent client, that application will not be trusted; it only ever sees ciphertext, so it cannot leak the decrypted data.
An interesting point is that backup programs do not need to be trusted: files can be backed up and restored as ciphertext without ever being decrypted, which also keeps the backup set encrypted at rest. Because the keys are held centrally, a restored file becomes readable again as soon as the key is re-downloaded.
Part of Sophos's approach to files that must be shared outside the organisation is an Outlook plug-in that warns the user if they are about to send an encrypted file to an outsider. This helps avoid the "wrong addressee" problem described above; if the user confirms, they choose whether to send the file in encrypted or decrypted form.
Encrypted documents are sent as self-decrypting HTML files: the data is decrypted and then re-encrypted under a password that is sent to the recipient separately (the software checks that it is not in the same email as the file). The recipient opens the file in a web browser, enters the password when prompted, and the document is displayed. The recipient needs no special software, so the protection rests entirely on the strength of the password and on its travelling by a different channel from the file.
When unencrypted files are sent, the system logs what was sent, to where, and by whom.
Some 60% of data breaches are down to hacking or malware, which is addressed by measures such as deploying firewalls and good endpoint security software. Full disk encryption is little help here, because a running system has already unlocked the disk for whoever is inside it, but file encryption still protects files at rest: even if they are exfiltrated they are of no use unless the decryption key (or password) is obtained as well.
The remainder are mostly down to devices being lost or stolen, which full disk encryption and device encryption take care of, provided sufficiently strong passwords or passcodes are used.
So Merry's advice to SMEs includes:
- Activate built-in features such as BitLocker and FileVault, as this provides baseline protection (and keep the recovery keys somewhere safe, or the protection cuts both ways).
- Install good security software and a firewall (most SMEs already understand this).
- Reduce the impact of human error through education and by encrypting any files that may be of interest to the dishonest, which means any information about employees and customers as well as any other business data you want to keep private.
"Treat the data you have [about customers and employees] as if it were your own," he suggests.
If you're not sure what to do, your trusted advisor (perhaps a managed service provider, or maybe a suitably knowledgeable family member) should be able to assist. Relevant business and professional bodies may also be able to provide advice.
"Always start with the easy and simple use cases," he advises, otherwise there is a risk of becoming discouraged by the hard situations and so failing to take any action. "Keep solving those [more difficult] use cases one by one."