Many businesspeople put their firms’ data at risk because they fail to understand several important concepts about encryption. Simply understanding that data can be protected from unauthorized parties by encrypting it is insufficient to deliver security; in order to secure information, people must know when it needs to be secured, and must actually encrypt accordingly.
Many businesspeople know, for example, that they must encrypt sensitive information while it is in transit; they understand that data being transmitted electronically between locations is at risk of being read by unauthorized parties along the communication path. Such folks also often comprehend the need to encrypt data “at rest” – that is, sensitive information stored on hard disks, solid state drives, USB drives, backup tapes, or any other media. If outsiders hack into an organization, the use of encryption on stored data can make the difference between criminals stealing sensitive information and being unable to access it. Likewise, if removable storage is lost, encryption may be the only thing standing between corporate secrets and anyone who finds the media. Furthermore, encryption blocks rogue insiders – who pose the greatest information security risks to businesses of all sizes – from retrieving (and potentially stealing and misusing) information.
To learn what businesspeople — and some CISOs — fail to grasp, please see my article on the Cloudmask website entitled The Encryption That Businesses Need, But CISOs Forget About.