
Why encryption matters to your security and privacy

Ravi Bindra, CISO

The word "encryption" continues to show up in news headlines as both a protective measure and an attack tactic. Due to the increase in ransomware attacks, laypeople usually associate "encryption" with locking data away from those who need it. However, the opposite is more often true: encryption is mostly used to protect data by making the information unusable to threat actors.

Ready to learn why encryption matters to the security and privacy of your organization? Keep reading.

What is encryption and how does it work?

The first step to understanding why organizations need to use encryption is to understand what it is and how it works. So, what is encryption?

Data encryption or cryptography is a security control that uses mathematical algorithms to scramble plaintext data and make it unreadable unless the user also has the necessary decryption technology and keys. Three primary types of encryption exist:

  • Symmetric key encryption
  • Asymmetric key encryption
  • Hash functions

Although multiple encryption standards exist, the Advanced Encryption Standard (AES) is the one used by government and commercial organizations to protect sensitive data.

Now, how does encryption work? Understanding the framework behind different types of encryption provides better insight into how an organization can protect data. Let’s take a look:

Symmetric-key encryption

With symmetric-key encryption, one key - called the secret key - both encrypts and decrypts the electronic data. The key scrambles the data, either at rest or in transit, until the recipient uses the same key and algorithm to revert the data to its plaintext form.

Two types of symmetric key encryption exist:

  • Block algorithms: Fixed-length “blocks” of data are encrypted until the person with the decryption key unscrambles the data again. Data remains in the system’s memory during this process. AES is a symmetric block cipher.
  • Stream algorithms: Each byte of data is encrypted one at a time using a one-time pad (OTP) of random digits. They are faster than block algorithms but are vulnerable to substitution attacks, in which an attacker who does not hold the key can still modify parts of the message.

How Symmetric Encryption works, source: SoftwareOne

Asymmetric key encryption

Asymmetric key encryption uses two keys, a public one and a private one. The public key encrypts the data while the private key decrypts it. Both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) use asymmetric encryption to protect information transferred across an internet connection.

While asymmetric key encryption can be more secure because it uses longer keys than symmetric encryption, it also comes with security vulnerabilities. Organizations need to put a full public key infrastructure (PKI) in place, and many organizations struggle to keep track of their certificates and keys.

Hash functions

Hash functions map input plaintext data to a fixed-length encrypted output. The data and the associated hash function are mapped to one another in a fixed-size hash table. Since the fixed-length output is usually smaller than the input, the output is called a hash digest, hash value, or hash code.

Secure Hash Algorithm (SHA) functions are often combined with other types of cryptography, such as symmetric key encryption. While SHA is generally secure, if an organization uses SHA-1, threat actors can engage in hash function attacks that try to create a “collision,” where two different inputs produce the same hash digest.
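The two points above, the substitution weakness of stream algorithms and the pairing of a hash function with symmetric encryption, can be seen together in the following added example (it is not code from the original post). Using only the Python standard library, it shows that a ciphertext byte can be altered without the key, and that a keyed hash (HMAC-SHA256) over the ciphertext detects the alteration; the keystream construction, keys and message are constructed for illustration and are not a standard cipher.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 over (nonce || counter). Constructed for this
    # illustration only; it is not a standard cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call decrypts because XOR is its own inverse.
    return xor_bytes(data, keystream(key, nonce, len(data)))

def modify_without_key(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # The substitution weakness: XORing (old ^ new) into the ciphertext changes the
    # decrypted bytes at `offset` from `old` to `new` without knowing the key.
    delta = xor_bytes(old, new)
    patched = xor_bytes(ct[offset:offset + len(delta)], delta)
    return ct[:offset] + patched + ct[offset + len(delta):]

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> tuple:
    # Encrypt, then authenticate the ciphertext with a keyed hash (HMAC-SHA256).
    ct = stream_encrypt(enc_key, nonce, data)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    # Verify the tag in constant time before decrypting; None signals tampering.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_encrypt(enc_key, nonce, ct)

def demo() -> tuple:
    enc_key, mac_key, nonce = b"E" * 32, b"M" * 32, b"n" * 12  # constructed keys
    msg = b"transfer amount=0100 to acct=4711"           # constructed message
    ct, tag = seal(enc_key, mac_key, nonce, msg)
    forged = modify_without_key(ct, msg.index(b"0100"), b"0100", b"9900")
    unchecked = stream_encrypt(enc_key, nonce, forged)   # decrypts to the altered amount
    return unchecked, open_sealed(enc_key, mac_key, nonce, forged, tag), open_sealed(enc_key, mac_key, nonce, ct, tag)
```

Without the tag check, the altered ciphertext decrypts cleanly to a different amount; with the HMAC in place, the forged message is rejected while the untouched one still opens.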

3 Reasons why encryption matters

Using encryption can reduce the impact of a data security incident in several different ways. Let’s take a closer look at three reasons why encryption matters to any given organization.

Enhanced Data Security

When using encryption, organizations are able to make data at rest and in transit unusable, even if threat actors successfully deploy an attack. As long as the threat actors do not have the decryption key, the data is meaningless to them.

Compliance

Nearly every cyber security and privacy compliance mandate incorporates encryption as a control. Some examples of compliance requirements that include encryption are:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Information Processing Standards (FIPS)
  • Cybersecurity Maturity Model Certification (CMMC)
  • General Data Protection Regulation (GDPR)

Better Password Protection

Many organizations store login and password information as structured data in databases, so most password managers use end-to-end encryption to protect passwords. By encrypting login data, organizations mitigate the risk that threat actors will be able to intercept unsecured password data. Otherwise, this could lead to widespread, multi-device attacks across your network.

The importance of encryption for privacy

Encryption enhances an organization’s privacy controls, especially as companies add new digital customer experiences. For example, if an organization creates an end-user application, it should incorporate encryption of data both in transit and at rest. In doing this, organizations mitigate the potential impact of attacks like man-in-the-middle that use public internet access to steal data.

If data is encrypted at rest, a data breach that exfiltrates the data will be meaningless, as the threat actors will be unable to publish that data to embarrass you.

Additionally, encrypting business emails can prevent violations of internal controls. If someone sends an email to an external user who should not have access to the data, then the encryption prevents the person from reading the email’s content.

Encryption is also used to commit ransomware attacks

When looking at how threat actors use encryption as part of attacks, the first thought many people have is ransomware. Most recently, the REvil cyber criminal organization used a vulnerability in the on-premises Kaseya VSA product to successfully deploy a ransomware attack across the managed service provider (MSP) supply chain.

Attackers exploited a zero-day, or previously unknown, vulnerability to bypass the software’s authentication process. In doing so, they were able to use the VSA product to infect connected endpoints with ransomware. Attackers remotely accessed several VSA Servers and used an encryptor, scrambling the information contained on the impacted endpoints. Once the data was locked away, they requested a ransom.

News outlets estimate that anywhere from 800 to 1500 small to medium-sized businesses were impacted as a result of this breach.

How SoftwareOne can help you protect your data

As organizations work to secure data, protect privacy, and meet compliance mandates, vulnerability assessments, penetration testing, security testing, and managed backups become more important than ever.

Taking a hold of your security strategy doesn’t have to be overwhelming, however. At SoftwareOne, we can help you get a firm grip on your current ransomware readiness with our Ransomware Survival Guide. This guide contains a checklist that helps you understand and implement your first, second, third, fourth, and even fifth lines of defense against an attack.

If you’re looking for greater support, however, we’re here to help. SoftwareOne’s managed security services offer organizations of all sizes incident response and security testing capabilities. Our incident response consultants, for example, will rapidly respond to and help you recover from a cyber attack. With our security testing, organizations can take a proactive approach by reviewing their network and application security to remediate vulnerabilities that can lead to an attack.

With us by your side, you will be able to rest easy knowing your network will stay safe and secure.

Final thoughts

For many organizations, ransomware continues to be a security concern. Understanding how encryption works is the first step to protecting against these attacks. Additionally, the same process - encryption - that is used in these attacks can also mitigate the risks associated with them.

As threat actors continue to evolve their methodologies, organizations need a way to protect their data and protect their customers. Leveraging managed security services provides the people and tools organizations need to reduce risk while providing better digital experiences. And when your organization is empowered to strengthen your security, every employee wins.


Take the next step with SoftwareOne

Here at SoftwareOne, we know that ransomware and other sophisticated attacks are no joke. Find out how we can help you take the first step towards stronger security.

Author: Ravi Bindra, CISO

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.