Logical Encryption Controls to Secure Your Firm
Encryption is all the rage today. Regulators are asking firms about their encryption policies, and those who do not have well-executed strategies can find themselves at risk of examination deficiencies or enforcement. With the NSA spying allegations, the general public has begun to understand that encryption can protect their data from prying eyes (governmental or otherwise). Encryption of data is an important consideration for all entities that maintain the Personally Identifiable Information (“PII”) of investors or sensitive Intellectual Property (“IP”). Regulators and states encourage, and in some cases require, the use of encryption, or offer it as a mitigating factor in the case of a breach. For most states, encryption serves as a legal safe harbor against the obligation to report to state authorities and to notify clients and employees in the event of a breach of PII. Understanding the relevant state definitions of breach is critical to your response and recovery plans. But encryption is not just a single setting. There are different types of encryption and different standards, each with different trade-offs. There is no simple “encrypt” button that sets everything perfectly.
All is not lost, however! The good news is that encryption across all fronts is becoming easier, more economical, and less resource-intensive. In order to develop an effective strategy, a basic understanding of the types of encryption is necessary. We focus here on various vectors (such as email) and their corresponding encryption possibilities. Our goal is to make encryption approachable and understandable to the harried CCO who needs to understand how their firm’s data is protected.
How Does Encryption Protect My Data?
For lack of a better description – encryption takes your data and scrambles it. When you encrypt your data, a unique key for decoding the data is created. Anyone accessing the data without the key sees a bunch of gibberish. But present the unique key and, voilà, the data is rendered clearly again. This key process is typically buried deep in the technology, so you never need to physically present a key to decrypt a document, but, rest assured, it is happening.
Unencrypted email is very similar to mailing a postcard. You should consider all of the information you are sending to be viewable by anyone with an interest. If you consider your emails worthy of an envelope, your firm should be utilizing Transport Level Security (TLS).
TLS will encrypt your message in transit, protecting it from prying eyes when it is in transit from mail server to mail server, but there are a few caveats here:
- Your message is not encrypted at the endpoints, only across the internet. So, if someone can access your system or your recipient’s system, you are out of luck.
- If your firm utilizes TLS but your recipient doesn’t, your message will not be encrypted in transit.
- TLS encryption has become standard in many email systems and cloud-based services; however, you must still validate that it is enabled on both sides of the transmission.
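One way to validate the third caveat is to look at the Received headers of mail that actually arrived: each receiving server records how the previous hop handed the message over, and the RFC 3848 “with ESMTPS” / “ESMTPSA” keywords (or a Postfix-style “using TLSv1.2 with cipher …” clause) indicate that that hop was TLS-protected. The following is an added example, not code from the original article or from any vendor mentioned in it; the message it audits is constructed, and the host names in it are placeholders.

```python
import email
import re

# RFC 3848 / IANA "with" keywords that imply the hop was TLS-protected.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
FROM_RE = re.compile(r"\bfrom\s+([^\s(;]+)")
BY_RE = re.compile(r"\bby\s+([^\s(;]+)")
# Postfix ("using TLSv1.2 with cipher ...") and Exchange ("version=TLS1_2") TLS annotations.
TLS_CLAUSE_RE = re.compile(r"using\s+(?:TLS|SSL)\S*\s+with\s+cipher|version=TLS", re.IGNORECASE)

# Constructed sample: the first hop (laptop -> mx) was cleartext, the second (mx -> firm) used TLS.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.20])
\tby mail.firm.example (Postfix) with ESMTPS id 4D2F1
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tfor <cco@firm.example>; Mon, 03 Mar 2014 10:12:01 -0500
Received: from laptop.example.org (laptop.example.org [198.51.100.7])
\tby mx.example.org with ESMTP id 9B7C2;
\tMon, 03 Mar 2014 10:11:58 -0500
From: Alice <alice@example.org>
To: cco@firm.example
Subject: Quarterly statements

Body omitted.
"""


def hop_used_tls(received_value):
    """Return True if one Received header value records a TLS-protected hop."""
    text = " ".join(received_value.split())  # unfold the header and collapse whitespace
    match = WITH_RE.search(text)
    if match and match.group(1).upper() in TLS_WITH_KEYWORDS:
        return True
    return bool(TLS_CLAUSE_RE.search(text))


def _clause(regex, text):
    match = regex.search(text)
    return match.group(1) if match else None


def audit_received_path(raw_message):
    """List every hop of a message, oldest first, with whether it was TLS-protected."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Servers prepend Received headers, so the last one in the list is the oldest hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())
        hops.append({
            "from": _clause(FROM_RE, text),
            "by": _clause(BY_RE, text),
            "tls": hop_used_tls(text),
        })
    return hops


def cleartext_hops(raw_message):
    """The hops a reviewer should follow up on: those without TLS."""
    return [hop for hop in audit_received_path(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_received_path(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']} -> {hop['by']}: {status}")
```

Received headers are written by each receiving server, so only the hops recorded by servers you (or a trusted provider) operate are reliable evidence; an outside party can write anything into the earlier ones. The check is therefore best used on mail received by your own gateway to confirm that your counterparties are in fact offering TLS, and on the headers your own server adds, which your recipients will see.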
Make no mistake, TLS is a great first step, but you can understand why it is not a good idea to transmit sensitive data through email. If you regularly need to email sensitive data, such as Social Security numbers, consider utilizing a service such as Cisco’s Registered Envelope Service. Such a service ensures that a message is encrypted regardless of the recipient, who will not be able to access the message until they have a secure connection.
- Unless you are utilizing a secure envelope service you should never send PII via email.
- At a minimum your firm should utilize TLS.
Whole Disk Encryption:
Encrypting a hard drive is getting easier and easier. Both Windows and Apple systems now support one-click disk encryption, and most servers offer the ability to utilize encryption at rest as well. Encryption at rest essentially scrambles a storage drive when it is not in use, which prevents someone from accessing the data if they physically steal the hardware. However, when a system is powered on and the drive has been unlocked, the stored information is protected only by the username and password combination that grants access (you have a complex password, don’t you?). The idea is that any powered-down storage media is reasonably secure. Those media that can easily be lost or stolen should be protected by Whole-Disk Encryption.
Whole Disk Takeaways:
- Laptop hard drives should be encrypted.
- Backup CDs, DVDs, Thumb Drives, and Tapes should be encrypted.
Encryption can also be implemented at the file or folder level. This allows any individual files or folders that are not currently in use to be encrypted and, as a result, further protected from intrusion. Newer versions of Office provide for encryption of individual files from within the specific application. Folders can be encrypted and password protected by your system administrator. Limiting the sharing of the password for such files is also an excellent way to protect your data from accidental loss or transmission by unauthorized users. This type of encryption is effective as long as the file isn’t open. Additionally, encryption prevents the file from being read by bypassing the password check. If your password is weak, an attacker will likely attempt to crack it as the easiest access point. We recommend that files containing customer or employee PII be encrypted and secured with complex passwords.
- Encrypt PII or IP in line with your firm’s data classification policy.
- Utilize strong passwords when utilizing file- or folder-level encryption.
- If folder-level encryption is utilized, make sure a secure backup of the encryption keys is maintained.
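To make the key process described under “How Does Encryption Protect My Data?” and the password-protected files above concrete, here is an added example (not code from the original article or from any product it mentions) of password-based, authenticated file encryption using only the Python standard library. The password is stretched into a key with PBKDF2 and a random salt, so every password guess costs an attacker 600,000 hash iterations; the ciphertext carries an HMAC tag, so a wrong password or a tampered file is detected before any plaintext is returned. The keystream here is HMAC-SHA256 run in counter mode, chosen only because the standard library has no AES; a production tool should use a vetted library’s AES-GCM (or similar) instead. The file contents and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # per-guess work factor for a password attacker
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def derive_keys(password, salt):
    """Stretch the password into a 32-byte encryption key and a 32-byte MAC key."""
    master = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return master[:32], master[32:]


def _keystream(key, nonce, length):
    """Pseudorandom bytes from HMAC-SHA256 in counter mode (stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_bytes(password, plaintext):
    """Return salt || nonce || ciphertext || tag. A fresh salt and nonce are used every call."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the decryptor will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_bytes(password, blob):
    """Recover the plaintext; raises ValueError on a wrong password or a modified file."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("encrypted blob is truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison: the tag check must not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or file has been tampered with")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def try_decrypt(password, blob):
    """Convenience wrapper: plaintext bytes on success, None on failure."""
    try:
        return decrypt_bytes(password, blob)
    except ValueError:
        return None


def encrypt_file(password, src_path, dst_path):
    with open(src_path, "rb") as src:
        data = src.read()
    with open(dst_path, "wb") as dst:
        dst.write(encrypt_bytes(password, data))


if __name__ == "__main__":
    # Constructed sample record; the password is a placeholder, not a recommendation.
    record = b"Employee: J. Doe, SSN: 000-00-0000 (constructed sample)"
    sealed = encrypt_bytes("correct horse battery staple", record)
    print("wrong password ->", try_decrypt("password1", sealed))
    print("right password ->", try_decrypt("correct horse battery staple", sealed))
```

Two points in the code map directly to the takeaways above. The iteration count is what turns a complex password into real protection: an attacker who guesses passwords must pay the same 600,000 iterations per guess, which is why a weak password remains the easiest way in no matter how strong the cipher. And because the only key material is derived from the password, losing the password loses the data; folder-level products avoid this by encrypting files under a random key and wrapping that key with the password, which is exactly the key that needs a secure backup.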
Devising a Program For Your Firm:
We are simply starting at the beginning here. Your firm may utilize a portal provided by a third party, the security of which could be considered in a due-diligence process. Additionally, your firm may store information in a database that could require column-level encryption. But to begin from the most elementary level:
- Utilize TLS encryption of Email.
- Do not transmit any sensitive information via email unless you employ a secure envelope-type service.
- Encrypt laptops and other devices that have a higher risk of loss.
- Utilize file- or folder-level encryption for sensitive information and support it with complex passwords that are regularly changed.
The above points represent a minimum standard of data-security care. Should a breach or loss of PII occur through the failure of any of the above-stated points, a regulator would be well within their rights to cite a firm’s failure to reasonably protect its clients’ information, as required under Regulation S-P. Encryption must be practical across your firm, and these steps represent the basic approach that all firms should review.