The pros and cons of encryption for everything

Ed Bott

“Why should I obsess about security? Who would want to spy on me, after all?”

As an IT admin you’ve no doubt heard this a thousand times. So, next time someone says that to you, try this line of reasoning:

“You might be more important than you think, you know.

“Remember Six Degrees of Separation? You’re probably connected, perhaps by as few as one or two jumps, to all sorts of people who work for companies that are interesting to spies, thieves, and ne’er-do-wells.

“If you’re linked, even indirectly, to a government agency or to a company in the banking, defense, transportation, communications, or energy sectors, you could be a target, with attackers hoping to go through you to get to their real target.

“The odds that you’ll be targeted by online intruders jump every time you leave your home or office. When you connect to a strange network in an airport, hotel, or coffee shop, your laptop and smartphone are at risk. And then there’s physical theft, which gives a determined thief a chance to steal your secrets.”

The best protection is encryption. With sufficiently strong encryption, your network communications and your saved data are safe from prying eyes.

So why not encrypt everything? Because encryption has a cost, both in bandwidth and inconvenience.

Here’s how to calculate whether the trade-off is worth it for the different pieces of your company’s digital existence, and how to sell your strategy to those above you.

1/ The files on your PC or Mac
There are countless good reasons to encrypt your entire PC or a Mac, especially a portable device that could be lost or stolen. And there’s almost no sensible reason not to do so, because on modern PCs the process is quick and easy.

If a PC is running a business edition of Windows (Windows 7 Professional or Windows 8.1 Pro or Enterprise), use BitLocker full-disk encryption. On a Mac, turn on FileVault encryption. Then set up a strong password.

If the PC is part of an enterprise network, manage the encryption keys centrally, so your help desk can recover users’ drives if they forget their password. For unmanaged PCs, advise users to save their recovery key in a safe place.

2/ Removable storage
USB flash drives are small enough to slip in your pocket. They’re also small enough to slip out of your pocket, potentially exposing their contents to the finder. Encrypting removable storage is ridiculously easy.

With a PC running Windows 7 Professional or Windows 8.1 Pro, insert the drive, open Windows Explorer, right-click the drive icon, and turn on the BitLocker To Go option. On a Mac, the process is similar: right-click the drive icon in a Finder window and choose the Encrypt option.

If your user is smart enough to operate a flash drive they can manage this. Once you’ve shown them how to do it, of course.
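The two BitLocker steps above (sections 1 and 2: encrypt the PC’s drive with the recovery key escrowed centrally, and encrypt a flash drive with BitLocker To Go) can be scripted so the help desk runs the same procedure every time. This is an added example, not from the article; it assumes Windows 8.1 Pro/Enterprise or later (the BitLocker PowerShell module does not ship with Windows 7), an elevated prompt, a TPM for the OS drive, and a domain-joined PC whose Group Policy permits storing recovery information in Active Directory. The function names are this example’s own; the cmdlets are the standard BitLocker module.

```powershell
#Requires -RunAsAdministrator
Import-Module BitLocker

# Return the recovery-password protector for a volume, adding one if none exists.
function Get-OrAddRecoveryProtector {
    param([string]$MountPoint)
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq "RecoveryPassword"
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq "RecoveryPassword"
    }
    return $rp
}

# Section 1: encrypt the OS drive (TPM unlocks it at boot) and escrow the recovery key in AD.
function Protect-FixedDrive {
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq "FullyDecrypted") {
        # -UsedSpaceOnly keeps the first pass short on a freshly imaged PC.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    $rp = Get-OrAddRecoveryProtector -MountPoint $MountPoint
    # Central key management: the help desk recovers the drive from AD, not from the user.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# Section 2: BitLocker To Go on a removable drive, unlocked by a password the user chooses.
function Protect-RemovableDrive {
    param([string]$MountPoint, [securestring]$Password)
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $Password | Out-Null
    # A recovery password as well, escrowed, in case the user forgets the drive password.
    $rp = Get-OrAddRecoveryProtector -MountPoint $MountPoint
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# Audit view for the help desk: which volumes are protected and whether a recovery key exists.
function Get-EncryptionSummary {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        @{ n = "HasRecoveryKey"; e = { [bool]($_.KeyProtector |
            Where-Object KeyProtectorType -eq "RecoveryPassword") } }
}

Protect-FixedDrive -MountPoint "C:"
Protect-RemovableDrive -MountPoint "E:" -Password (Read-Host -AsSecureString "Drive password")
Get-EncryptionSummary | Format-Table -AutoSize
```

For an unmanaged PC without Active Directory, replace the `Backup-BitLockerKeyProtector` call with a step that hands the `$rp.RecoveryPassword` value to the user to store somewhere safe, as section 1 advises.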

3/ E-mail attachments
A simple rule here is “Don’t send sensitive files as email attachments”. They are too easily stolen in transit, and if an attacker compromises the recipient’s email account the attachments can be recovered long after they were sent.

Instead, instruct your users to store files in a secure, encrypted cloud location and send a link to the recipient. After the transfer is complete, the link can be removed to avoid having it reused later.

4/ Mobile devices
The average user’s smartphone contains a frightening amount of information about them, including access to email that a thief could use to reset passwords and wreak havoc.

That’s why, of all devices, smartphones (and tablets that act like oversized phones) should be the first to be encrypted, with a PIN or password required to unlock them. Users should be made aware of how to set the security on their phones. On an Android device, encryption options are under the Security heading in Settings. On iOS devices, hardware encryption is on by default. After setting a passcode, they can and should turn on an additional layer of data protection by enabling the Erase Data option, which will wipe all data after 10 incorrect attempts to unlock the phone.

For Windows Phone devices, data encryption is provisioned with Exchange policies. If you connect a Windows Phone to an Office 365 business or enterprise account, the encryption policies are enabled automatically.

5/ E-mail
Messages stored on your email server should be encrypted, of course, and users should never connect to email over anything but a secure channel. With modern, cloud-based systems, including Office 365 and Google Apps, these precautions are automatic. If you still use a private mail server running old protocols like POP3, you might need to enable secure ports manually.

But encrypting the contents of routine messages? This is where things get tricky. Although encrypted email is technically possible, it requires significant effort on both sides, including managing digital certificates and using specialized software. If you’ve ever received an encrypted email without possessing the sender’s public key, you know what I mean.

If you’re an actual spy, or if you’re working on a highly sensitive project where disclosing the details could be catastrophic, then set up a secure channel for those communications. For the rest of us, encrypted email is more of a hassle than a help.