Losing the human touch to protect Data

26 Jul, 2020 6 min read
Nigel Thorpe
Nigel Thorpe
Technical Director
Human nature means that we tend to default to the easiest option when faced with difficult and serious issues, and this can be the case when it comes to securing our data and information systems.

In the early days of information security, we focused on preventing access to the data we valued. We installed firewalls to protect our perimeters and bought anti-virus software to identify and prevent malware that might sneak through. If we had taken a more data-centric approach from the start, maybe we would have avoided many of the data breaches that have hit the headlines over the last 30 years. According to Verizon’s 2022 Data Breaches Investigations Report, 82% of data breaches happened due to the human element which includes incidents whereby employees expose information directly (e.g., by misconfiguring databases) or by making a mistake that enables cyber criminals to access the organisation’s systems.

Encryption has been around for centuries and was used by the Greeks and Romans to protect information if it fell into the wrong hands. Protecting electronic data has proven to be a more complex problem and it is we, humans, again who have been the Achilles heel of most encryption solutions.

Humans were never meant to worry about data security or having to make decisions about what is important to encrypt and protect and what is not. What was needed at the very start was a philosophy that makes security an inherent property of data that is Invisible to those who generate and use it every day. Inherent and Invisible security allows users to act as normal without rules or technology to ‘get around’ that would introduce risk.

How PKI encryption provides inherent and invisible security to protect the data? 

Most encryption solutions rely on symmetric encryption which uses the same key to encrypt and decrypt. Public Key Infrastructure (PKI) enables Asymmetric Encryption which uses two keys: a public key to encrypt and a unique private key to decrypt. PKI encryption allows for simple and natural file sharing across user groups, networks and in the cloud.

This is a major advantage, but individuals will find other ways of achieving something if the ‘proper’ way is difficult, so PKI-based encryption has to be both inherent and invisible to avoid these risks. This can be achieved by making the encryption processes work at the file system level so that humans aren’t even aware that they’re going on.

In addition, tightly binding authentication with encryption of the data inside the files ensures that even if the information falls into the wrong hands – whether by accident, through insider theft or by malware attack – it remains encrypted and useless to anyone.

Technically, PKI-based file encryption is a complicated process and is a slow and mathematical task which takes many processor cycles. However, modern CPUs include some dedicated instructions for encryption operations, eliminating performance problems and user frustrations.

The other important factor is that there must be no disruption to the way people and applications work. For example, data must remain encrypted at all times on disk, even when files are being edited. If an unauthorized individual attempt to open a file that is not encrypted for them, they will then find that the data is unreadable – even if they take a copy of the file outside the network.

So, how is PKI encryption better?

There are plenty of encryption systems on the market, but full disk encryption systems like BitLocker, for example, only protect data when the system is switched off so anyone or anything can access any file on a running system.

On the other hand, file and folder encryption, as well as data classifications, rely on the user making a security choice. Users must actively choose to encrypt files and remember additionally to delete the originals. This method assumes the user or administrator will make the right classification choice. If everything is encrypted, however, the need to make user decisions is removed and individuals cannot also decide not to encrypt some data.

By building authentication into each file alongside PKI encryption, we can be sure that only authorised individuals can access the data. This approach defeats insider data theft because any stolen information remains encrypted and therefore useless once outside the control of the organization. This individual security shield is maintained on every file, no matter how it is used, where it is stored and on which media it is copied. That means even if someone has the correct ID, password and token, and has the authority to open a file encrypted with their public key, the file still remains encrypted.

What about the admins - do they have access to the file when it's encrypted? 

In conventional encryption, privileged users such as IT administrators are still able to access information, which presents a risk. With authenticated encryption, admins can still do their job, but they will be unable to decrypt files they do not have the authority to open.

It is also irrelevant where files are copied because each one has its own inherent security. To have access to any of the data, the administrator needs the file, the user credentials, their private key and the decryption filter. As a result, it is not possible to decrypt a file outside of the organization, even if an individual is authorized to decrypt the file when at work.

Remove the human element and start taking a data-centric approach to protecting your file

It’s time to take a fresh look at data security. Rather than trying to fill in the security gaps to protect the increasingly disparate perimeter defences, we need to take a data-centric approach to security and protect it at the most basic level, which is the file at rest, in use or in motion. We need to step back from solutions that protect some of the data some of the time, focus on compliance rather than security, or add complexity that can introduce risk itself.

Most importantly, we need to remove the human element of data security entirely, rather than try to account for it or change it. Training and monitoring don’t work all the time and human nature has shown that if the solution is not instinctive or logical, we will create our own, insecure methods. How many people leave the front door key under the pot by the door?

People should be able to work just as they want to or need to, without additional considerations and obvious pressures and similarly, usability needn’t be sacrificed to strengthen our data security.

SecureAge Security Suite removes the human element of having to encrypt the files manually or decide what file is sensitive. It harnesses PKI encryption technology to encrypt all data and is secured against data breaches, theft and unauthorised access all the time. Files are automatically encrypted for each authorised data owner. It doesn’t force anyone to become a cybersecurity expert but instead, allows them to work as they normally do without sacrificing security. Visit our SecureAge Security Suite page to find out more and get in touch with our representative to see live in action how SecureAge Security Suite works.

Our website uses cookies to ensure you get the best experience and can find what you need. Read our cookie policy