Encryption is the word of the century as we spiral towards an intimate digital life. From individuals to super-structural organizations, all have started practicing encryption as a means to ward off potential threats. And as the need grows, it is important to know what works and how to get it right if you tread this path.
Small software businesses should think about the following scenarios before tying the knot with encryption.
Get a product that is easy to install and easy to use. This goes some way towards reducing the expertise and time required to get the product in place.
The more complex the process, the larger the cost to get the job done. Complexity also demands advanced expertise to manage the product, and it opens the door to support issues that may arise from time to time. This raises the total cost of ownership for the organization.
Even though you are looking for a product that creates less fuss, you need to make sure that the potential for requiring support in the future is covered. It is important to choose a vendor who can provide accessible support whenever you need it.
In a few years you might expand to encrypting new, non-standard devices (like small business RAID servers). So, you need to be certain you can pick up the phone and call in support from experts. Choose a vendor who moves with you. This brings me to the third point.
Right now, you might be looking into encrypting a host of Windows devices, as that covers your current needs. But this might not be the case in a few years, as your needs might take a different turn. Soon enough, as technology expands, you could be looking at devices of a different nature that need encryption (smartphones, Mac devices, etc.). So, look for vendors who offer multi-platform services. This will allow you to transition smoothly to the next phase.
- Evidence of Encryption
As is the nature of official gadgets, you will lose a laptop or an office smartphone every now and then. To ensure that it is just a physical loss and not an information loss, encryption is crucial. It protects the organization from liability.
However, under certain regulatory bodies in different countries, it has become mandatory to report that the lost device was in fact encrypted. If you are employing centralized management, the option to report is built in. But it can be troublesome if you work with standalone installations: if encryption is not proved explicitly, you will have to resort to a data breach alert. To avoid this, make sure that you have an alternative way of reporting encryption, say online. This will stave off unnecessary hassle.
- Certification Schemes
In a recent example, the General Data Protection Regulation (GDPR) in Europe stated that the technology used by any enterprise must be of “state-of-the-art” quality. This regulatory advice is being taken seriously almost everywhere technology is used for official endeavors.
In other words, the tech you adopt should have undergone rigorous assessments and tests by a third party, which safeguards both your product and your standing in the industry. It is important to be accredited through product certification or certification schemes, as this ensures independent validation of the quality of the product.
There are many certification schemes that work for encryption products. For instance, the US-based Federal Information Processing Standard (FIPS) verifies that the algorithms are properly implemented in a product. However, FIPS certification alone can’t be relied on as proof of a quality implementation. Ventures are better off searching for alternatives that are all-inclusive. One such scheme is the Commercial Product Assurance Scheme (CPA), operated by the UK National Cyber Security Centre (NCSC). CPA operates alongside FIPS in assessing the implementation of algorithms, but it goes deeper into the security structure to make sure that the product has been designed and executed in a sensible manner. It also scrutinizes the vendor’s coding standards and the build quality of the product, which helps identify vulnerabilities should any arise. This gives you enough confidence to claim that you use “state-of-the-art” tech.
In conclusion, encryption is a serious deal. SMEs looking to adopt encryption must have a good idea of the product before they settle for it. Also, try to stay away from vendors/enterprises that have a publicized history of vulnerabilities.
Choose wisely and stay responsible!