The Role of Encryption
Encryption is one of the primary tools available to keep an organization’s data and communications confidential. It plays a significant role both inside and outside the firewall perimeter. Inside, it keeps employees, contractors, and vendors from accessing information they shouldn’t. Outside, it keeps competitors and other bad actors from eavesdropping on communications and allows data to be stored with third parties (backup, cloud, etc.) without concern about privacy.
When evaluating the use of encryption to reduce cyber risk, the organization needs to compare two figures: the cost of encryption and the organization’s potential financial losses if confidentiality is breached. When potential losses exceed the cost of implementing encryption, the decision to adopt encryption is a no-brainer.
Bringing Business Owners Up to Speed on Encryption
As an IT professional, your job is to provide answers to the basic technical questions that accompany the deployment of encryption. The answers to these questions are largely dictated by the specific systems an organization uses and the data formats used within those systems. Because encryption is only as good as its implementation, it is critical that IT professionals play a central role in answering questions like:
- What data should be encrypted?
- What encryption method should be used?
- How will keys be managed?
You will also need to be prepared to answer additional questions that help business owners understand the time involved and the factors that drive the cost of encryption. These include:
- Does encryption/decryption time impede a business function or slow recovery time?
- What is the hassle-factor? Will extra training be needed?
- What happens when keys are lost?
Taken together, all of these issues add up to the overall cost of implementing encryption, but the real key to getting executive buy-in is showing the potential for loss. One common method for determining the loss potential is to count the number of records being protected by the encryption, then multiply that by some predicted loss per record. Two of the most highly cited sources for such loss estimates are studies by Verizon and Ponemon. However, confidentiality loss cannot always be expressed as a record count.
Using a Risk Assessment to Make the Case for Encryption
A better method is to use a strategic cybersecurity risk assessment. These assessments evaluate a company’s total intangible assets against the probability of loss across multiple threats. The Threat Sketch Risk Assessment takes a holistic approach to predicting losses. This approach captures damage that a simple record count method cannot capture, such as the cost of downtime and impact to brand equity.
Encryption is the key (pun intended) to protecting confidential assets. Through a strategic cybersecurity risk assessment, such as the Threat Sketch Risk Assessment, you can build the case for encryption by determining the potential losses. This gives decision makers a monetary point of reference for making an investment, as well as establishing values for cybersecurity protection plans, which helps win support from executives and business owners.
About the author: Rob Arnold, founder and CEO of Threat Sketch, has worked in internet security for over 20 years, including launching his own consulting firm to provide executive IT and security consulting to small, medium and Fortune 100 companies.