Encryption at the heart of data security

Kevin Hall, National Sales Manager at Elingo, an established South African-based ICT services and solutions firm, uses a food analogy to explain. “Let’s liken the info to grain. As the population increases, the people need more food, which means silos need to store more grain to feed this population. However, due to the dependence on these grain storage silos, the world needs to create more security, to ensure food security is not affected. The same rules apply to data and any other commodity.”

Another reality of operating a business in today’s market is that, inevitably, a business will be impacted by what experts call ‘the nexus of digital force’, including the cloud, mobility as well as the Internet of Things.

Hall acknowledges that decision makers are more often than not inclined to immediately encrypt communication – but that is not always the best course of action, says Hall.

“Most IT professionals will say ‘when in doubt encrypt’. Although this is sound advice, one needs to look at the information before making a decision. Just ask a simple question – ‘what would happen if our competitors received this information?” he says.

“In some cases, marketing materials, company flyers, and different company-specific information would almost have no value to anybody outside your company. In this situation, evaluate the risk and then we suggest create different risk profiles based on the data.”

Mobile response

The response by companies to the widespread use of mobile devices (including personal) is generally considered to be an Achilles Heel within the IT security space.

Many businesses have struggled to cope with BYOD (Bring Your Own Device), much less the inter-linked BYOA (Bring Your Own App). The advent of mobile technology – from tablets to smartphones – in the workplace is also widely seen as a vulnerable point offering easy access within the corporate setup.

It requires a focused, disciplined approach that should also include encryption, says Hall. “Storage and backup solutions should be in place, and companies should not just have the IT systems in place, but also the policies and procedures to protect company and client information.

In some cases, encryption should be applied, one can also procure software that simply wipes the devices clean if they are stolen. If the staff member uses their laptop from a home office, then encryption would be logical to protect any company information which is being transmitted,” he says.

Mobile Device Management and overall strategy are certainly a consideration, but the decision-maker today also has to think about cloud and the security or integrity of files before the cloud resource is engaged.

Encryption should be done before files are uploaded, advises Hall. This is because most data theft will occur during the transmission of data over the web. “It’s much easier for the cybercriminal to intercept traversing data. The cloud provider will also need to have encryption security in place, and all the normal firewall and security systems to protect their clients. One would expect a cloud provider to already mitigate the risk for their clients,” he explains.

But what type of encryption?

It is good practice to bear the role of encryption in mind as a standard procedure, but it is just as important to consider the multiple levels, modes of travel, and types of applications for encryption.

Hall also says the SSL layer which secures the path of the data is just as important as the type of encryption.

“Having an HTTS site with quality standards applied will help ensure that the encryption meets the best practice standards. As most integration is currently done on a web services level the security of the websites needs to be paramount. The security certificates also need to be carefully managed, to make sure all the right data handshakes happen seamlessly.

The standard 256bit encryption should be used in most cases, however the 64bit and other 126bit options could also provide enough protection for some users,” he continues.

There are also different types of applications for encryption, based on the protocol and the underlying database which needs to be used.

“The suggestion would be to look at the quality of the internet and the speed required on the local network, before one decides on security measures. It would also be beneficial to look at the complete IT landscape, not just a portion of the data network,” Hall explains.

South Africa at a crossroads

As South African companies continue to deal with the implications of Popi (Protection of Personal Information) legislation, the country has emerged as a ‘hotspot’ for cybercrime – fuelled by an increase in the number of internet users and broader access to online resources.

“The very fact that mobile data is shooting into the stars is creating growth that will require planning and careful consideration,” says Hall.

Elingo’s view is that in the African context, users prefer mobile devices and other wireless modes of connectivity, and one would need to look at the users of these devices, and understand how security concerns can be dealt with on mobile devices, without affecting the usability and effectiveness of these applications.

“Business users will simply start turning off security features if they believe the devices are not performing. One needs to educate and explain the risks of data protection to these users, and suggest some alternatives if they are having bad user experience,” Hall concludes.