5 Encryption Mistakes Every IT Security Pro Falls For


Tech Insights for ProfessionalsThe latest thought leadership for IT pros

Tuesday, March 28, 2023

Are you sure your encryption solutions are actually protecting your data? Here are five common mistakes that could be leaving your business exposed.

Article 5 Minutes
5 Encryption Mistakes Every IT Security Pro Falls For
  • Home
  • IT
  • Security
  • 5 Encryption Mistakes Every IT Security Pro Falls For

Strong encryption is a vital tool in your fight against hackers, and it's often your last line of defense against highly damaging data breaches. Even if you do fall victim to an attack, with the right encryption solutions in place, you can at least mitigate the damage by ensuring no one will be able to read any sensitive data.

This matters more than ever as, for most firms, it's a case of when, not if, they get breached. As many as 95% of enterprise networks have fallen victim to an external attack at least once, while insider threats remain a serious risk to many firms.

In January 2023 alone, more than 277.6 million data records around the world were compromised, while IBM calculates the average cost of a data breach as being $161 per record - rising to $180 for those containing personally identifiable information. It's therefore clear how important it is to ensure any data breaches don’t compromise sensitive details, which is where encryption is invaluable.

Wake up CIOs. The next-gen of threats has arrived

Devising a multi-layered security plan is key to bolstering your defenses and mitigating risk.

VISIT THE HUB ifp.ClickDetails"

5 key encryption mistakes to avoid

However, simply having encryption isn't a silver bullet to defend against these issues. If your solutions aren't implemented properly, determined hackers may easily be able to break your encryption and read your most valuable data. Here are a few encryption errors that almost every IT pro will encounter at some point.

1. Not encrypting all your data

The first mistake many businesses make is simply failing to encrypt all their sensitive data. This may seem basic, but with so many digital assets spread over wide-ranging systems and applications, it's easy to overlook some of it, especially if information is stored in separate silos across multiple data centers.

Therefore, a good encryption strategy must start with a comprehensive data discovery plan covering the entire network to identify exactly what data you have and whether it’ll need encryption. Not every piece of data will need the same level of protection, so categorizing it correctly is vital in making your defenses both robust and cost-effective.

2. Relying on external providers

The majority of businesses now use some form of cloud computing to store or process data, and suppliers will often make a great deal of their in-built security measures to reassure customers who may be wary about sending data off-site. However, while the physical protections these providers have on their own servers are usually top-notch, you can't rely solely on them.

All major providers recommend applying your own encryption before sending data to the cloud. For instance, Amazon Web Services emphasizes that data encryption is the customer's responsibility, not theirs. Doing this yourself also ensures you retain control over decryption keys.

3. Using the wrong encryption

The type of encryption you use also matters, but it's not always as simple as selecting the toughest-available solutions, as this needs to be balanced against the potential downsides. A more complex algorithm with a higher-length key will enhance security, but this will take more time and resources, hindering performance. As a result, it's vital to assess the sensitivity of the data to determine when this tradeoff is acceptable.

The more vital the data, the more you should favor security over convenience. You should also avoid doing the bare minimum you need to maintain compliance with regulations like PCI-DSS. While such low-effort strategies may tick the necessary boxes, these standards are described as minimums for a reason - you can and should be doing better.

4. Poor key management

Key management is at the heart of ensuring a successful encryption strategy, yet it's often an area companies struggle with. Failing to keep tight control over decryption keys can undo all your good work, as if bad actors can access these tools, they can render the encryption worthless.

There are a few common mistakes within key management you may be making. These include:

  • Storage issues - Keeping your keys in the same database or file system as the data is the equivalent of locking all your doors and windows securely, then leaving the key under the doormat - it's the first place anyone will look.
  • Access management - Even if your key is held separately from the encrypted data, this won't protect you if anyone can access it. Poor access management may leave you vulnerable to issues like malicious insiders who may find it easy to obtain data they shouldn’t have access to.
  • Reusing keys - You wouldn't use the same key for your home and your office, so you shouldn't be reusing encryption keys across the business. Avoid this by partitioning your sensitive data and assigning a unique key to each section. This will increase the time it takes to decrypt files, as you'll have to ensure you're using the right key for each one, but it's much more secure.
  • Not changing your keys - Altering your keys regularly - known as key rotation - is another step that mustn't be skipped. If you don't do this, you could be vulnerable to data breaches from compromised keys before you even realize it. Again, keeping up with this can be a complex and time-consuming process, but it's essential to protecting your data.

5. Relying too heavily on your encryption

The final thing to remember is that encryption is just one piece of the security puzzle. It's a mistake to assume that because you're using the toughest encryption standards and following all best practices, your most sensitive data is protected.

Hackers are always coming up with new ways of accessing data, and ways around defenses. For example, if your financial data is held in a strongly-encrypted format, they might use social engineering tactics to trick an employee into sending them a plaintext version.

Treating encryption as just one element of a comprehensive security solution is essential, so be sure you're paying close attention to everything from intrusion detection systems to employee training to support your encryption efforts.

Further reading:


Tech Insights for Professionals

The latest thought leadership for IT pros

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.


Join the conversation...