Following David Cameron’s recent comments proposing a ban on encryption in the UK, Alex Plaskett, Head of Mobile at MWR InfoSecurity, has said the following on what it would mean for businesses:
Encryption is widely used to protect company confidential information against malicious parties. Typically businesses use encryption to protect lost or stolen devices (encryption at rest) or communications security (SSL, PGP email etc). The use of encryption within a business is dictated by the threats faced by the organisation and the sensitivity of the data. Organisations which have a lot of sensitive information to protect use encryption heavily, whilst other organisations deploy cryptography less widely.
Whilst encryption varies between organisations, it is often implemented incorrectly or contains weaknesses which can be exploited by an advanced attacker. An example of this is not implementing perfect forward secrecy or fully end-to-end communication security. High-security messaging tools aim to address these weaknesses. In the past, strong cryptography was typically used by the intelligence community and businesses primarily. Now these technologies are starting to be implemented in consumer applications (such as messaging applications, including WhatsApp and iMessage).
The main uses of encryption, as previously mentioned, are communications security (browsing sensitive data in web sites, email encryption) and full disk encryption. Encryption is often used in endpoint protection, such as using encrypted USBs to protect lost or stolen portable storage. In using this technology, businesses are generally trying to protect key assets such as customer records, financial information, intellectual property and so on.
We are seeing an increase in both the number of companies using encryption and the number of applications it’s being deployed in. No doubt encryption can be a very effective solution – but the seemingly endless number of major corporate security incidents has seen many businesses looking for further protection. Concurrently, there is also a growing pressure from consumers to know that the services they use are not only secure, but private. It has been shown that exploitation of lawful intercept capabilities implemented in software and “backdoors” can be abused by malicious actors. It is hoped that if any legislation is put in place in future, then it does not disrupt the ability for organisations to protect their data from malicious parties. Heavy-handed or simply ill-thought-through regulation has the potential to undermine the legitimate uses of this technology for both businesses and consumers alike.