
Encryption Is Not Enough

We enjoyed re-visiting the hilariously titled article "How to securely store and share sensitive files (A tin foil hat that actually works)" posted on PopSci last month.

Among many solid suggestions: use strong passwords and two-factor authentication with cloud services, and encryption on devices. These are the right practices as we reach what may be a tipping point in cyber crime.

The article hints at the issues with using cloud storage to share with outsiders, i.e. external recipients who are not employees of the same company. Turning on the encryption those services offer protects your data while it sits in the drive and while it is being delivered. But sharing still ends with you decrypting the file and handing over a copy the recipient can download and open.

Hopefully, you sent it to the right recipient.

If not, you have lost control. And in a regulated industry, if things go wrong you may be embarrassed by the disclosure - if not fined.

Some of the alternatives include...

Secure portals - while seeming attractive, they have high failure rates with consumers due to complex, lengthy signup processes. Many offerings also scare users with new, unknown URLs or domain names. How are recipients supposed to know you're not phishing them?

Transmitting encrypted files - very secure, assuming you didn't deliver both the content and shared secret to the same, wrong recipient. Overall, very complicated for users. As complexity is the enemy of good security practices, this can't be recommended for anything but power-user to power-user.

If you look into these methods, test whether the complexity is suitable for your expected recipient. For encryption, use existing enterprise tools to manage the process. For portals, take a skeptical view as you review the process - will users understand that there is a third party involved, or can the offering be hosted under your domain and re-branded appropriately, including email notifications? Will your users need mobile access? Or desktop integration? What about Office 365 or G Suite?

Further, be sure that any encryption software you choose has a recovery key - in case things go wrong on your end.

And remember, once the recipient has the key, they have your data. There's no going back. If all or nothing doesn't fit your corporate, regulated reality - look into collaboration that secures itself.
