Now that we are all working from home (WFH), the need for encryption must also increase in priority and awareness. Zoom’s popular video conferencing solution got in hot water because they promised “end-to-end” encryption but didn’t deliver on it — prompting some organizations to ban it from use altogether. Encryption protects confidential information from being exposed in transmission, providing a secure way for the intended recipient to get the information without snooping by others.
Corporate data use is commingled with personal data use in WFH environments: emails and chat sessions are mixed with e-learning, volunteering, medical appointments and tax transactions. This potent combination of data leaving our devices from home makes an attractive target for criminals or snoops. This increased dependency on the Internet spotlights the myriad ways we expose data. Encryption should be deployed to help protect both corporate and personal data use.
The data assets of organizations are especially at risk. New (often personal) devices from new IP addresses are accessing networks that require verification and authorization. (More on this in an upcoming blog post.) Further, known and unknown bad actors are working hard to take advantage of this abundance of data over unencrypted channels and are intercepting confidential information that can be used for anything from social engineering to corporate espionage to rerouting cash to intellectual property theft. A complete shutdown is not an option; remote employees must continue to do the things that keep the organization operating.
Infrastructure providers like Afilias have an additional data layer to protect — the infrastructure that powers the core of the Internet. With an expectation of 100% uptime and zero outages, such providers must perform to an exacting standard on security, availability and interoperability. When the staff of such providers are all WFH, special care must be extended to confidentiality and security. Employees working from home must adhere to some common-sense encryption rules. For all communications-related activities — email, chat, video — use encryption to ensure the confidentiality of your data transmissions. Reputable communication providers will offer encryption to maintain confidentiality.
When it comes to data exchange, only do it in an encrypted environment. For example, don’t attach tax documents to an email, even if you use a password; upload these directly to your preparer on their secure site (be sure to check the address, especially if you are considering clicking a link). For work data/documents, a two-step process is now necessary — first, upload the documents to a secure location within your organization, and then send a link to that location to your colleagues so they can download them securely.
Organizations that are dealing with a remote, distributed WFH employee base should be more vigilant about the new challenges raised by a WFH environment. Security and risk teams need to inventory all of the access points and devices and enforce or modify security protocols, e.g., those covering use of hotspots, access from locations without encryption, and use and storage of corporate data on personal devices.
Encryption Tools and Considerations
This handy matrix summarizes what is encrypted, who is responsible and some tools to add encryption.
|Relevance||Encryption Tools and Considerations|
|End Users||Enterprises||Infrastructure Operators|
|Written communications (email, chat)||✔||✔||✔||• Choose software and apps with end-to-end encryption [BlueJeans, Cisco WebEx, Google Hangouts, Microsoft Teams, etc.]|
• Modify privacy settings to your needs
|Personal data exchange (e.g., telehealth, financial, fitness apps)||✔||✔|
|Domain names and websites||✔||✔||✔||• Enable DNSSEC|
• Use digital certificates
|Cloud Storage and Cloud backup||✔||✔||• Utilize best of breed vendors for VPNs, payment processing|
|Enterprise data exchange (e.g., business information, payment/donor data, employee management)||✔||✔|
|System reliability management (e.g., software updates, patching)||✔||✔|
|Infrastructure operations and maintenance||✔||• All of the above|
• Require encrypted communications for all mission-critical corporate activities
• Increase or modify network threat monitoring given new risk vectors
Encryption used to happen “in the background,” usually handled by your corporate IT staff. Now that we are all WFH, the responsibility to add appropriate levels of encryption, both to maintain confidentiality and to preserve data and credential integrity, has dramatically shifted to all of us.
If ever there was a time to learn and execute on encryption, it is now. Success now will make us more flexible and secure in the future.