Increasing Risk by Using Encryption

Most companies are implementing (or already have) encryption of local data to prevent loss from a compromise of security.  There are two obvious concerns when thinking about using data encryption.

First, is it reducing your real risk?  Most encryption starts out as a defense against physical compromise.  For example, a hard drive walking out the door.  Well and good, but what is your risk of physical compromise?  Do you even know your ALE?  Because it’s become policy, most companies don’t even bother with the cost/benefit, but it’s always good to know the real value of an effort, if for no other reason, than to understand how reasonable the regulatory burden is.

The real problems start once encryption is in place and executives know the language, but don’t comprehend the true functionality.  In several situations, senior management has looked at a network security incident and expressed little concern thinking that encryption protected them from harm when encryption did no such thing, and the intruders would have been free to pilfer online data had they desired to do so.  Encryption methods vary, but be sure management is clear on what risks are or aren’t mitigated, to prevent a false sense of security.

The other added risk that typically goes unremarked is the risk of data loss.  Encryption is a harsh mathematical reality, and when it goes wrong, there’s typically nothing we can do except go to backups and restore the data.  In some instances, encryption can add mandatory operational steps that seriously complicate data integrity efforts, requiring extensive procedural compensation to reduce risk to acceptable levels.  This can add significant costs to an encryption program.  Worst of all, failure to identify these preventable loss risks up front may mean a serious data loss incident down the road.  Meticulous processing, planning, and testing is not usually within a business budget, yet is required when dealing with encryption.  Vendors will never bring up the difficulties of using their software, so using it safely requires thoroughly understanding how it works and how it fits into the business.

Encryption is a good tool, but it’s just one of many, and like any tool, can be a good thing or a bad thing.  It’s good when it saves the company from data loss, and it’s bad when you lose the password and can’t recover 3TB of image data.