By Sathya Mithra Ashok
Data encryption is more a necessity than a luxury, says Sathya Mithra Ashok.
One would think that in a world of increasing external and internal threats, it is rather imperative for organisations to encrypt their data. And one would be right.
Then why do many organisations, especially those in the Middle East, fail to encrypt their information more often than not?
This is the driving question behind the article on data encryption, which will appear in the next issue of NME. The article will also refer to encryption standards, look at encryption across stored and travelling data and offer some advice on choosing among the new solutions in the market that make encryption easier. (Watch out for the feature in the September issue of the magazine.)
In researching and collecting inputs for the piece, I found that encryption solutions that are available today enable organisations to create and manage private keys in a more efficient manner than ever before. This is extremely important since traditionally the complexity of key management was one of the major obstacles preventing enterprises from encrypting their data. This has been largely solved today but enterprises, for the most part, remain unaware of it.
Another interesting fact that I learned was that enterprises often try to take the easy way around encrypting data, even when they understand its importance and know that modern solutions allow them to code information with far less hassle than before.
The problem with encryption, and with security to a certain extent, is that organisations don’t realise return on investment the normal way. When a company invests in a solution, how does it know that the solution has given it returns? If the solution works effectively and prevents attacks, then the company does not lose data and has therefore, technically, got its returns, but that is difficult for the CIO to prove in a mathematical formula to his higher management.
Encryption is no different. When you invest and code information, chances are it will pay back in preventing data leakage and easy access, but these returns are extremely difficult to prove. In other words, it is difficult to get budgets for deploying and running encryption systems when CIOs cannot present a clear scenario of how they add to the bottom line.
E-mail is often the first thing that an enterprise encrypts. This is partly because it is the easiest thing to do – it creates minimal latency for the organisation and demands little by way of management resources. But the next stage, encrypting internal data, whether it is stored or traversing the network, often never happens. Unless specific regulation or compliance requirements necessitate encryption, organisations tend to just ignore the task of coding information.
However, in an ever-changing threat landscape, where attacks can occur at any moment, organisations in the Middle East might soon find that this is a luxury they cannot afford for long. In fact, organisations would be better off starting to code their information now. They can do this better by starting out in bits and portions: classifying their data and encrypting at first only the information that is crucial to the organisation. Then other levels of information can follow, at different encryption levels.
This early start can help organisations not only be more ready for regulatory compliance under which encryption becomes mandatory, but also tackle and prevent attacks. Or do we all really want to be attacked and lose crucial information before we realise the return that encryption could have given us?
Sathya Mithra Ashok is the editor of Network Middle East.