Management, compliance & auditing

The Importance of an Online Encryption Policy within an Organization

Dan Virgillito
October 14, 2014 by
Dan Virgillito

Benjamin Franklin once said, "If you fail to plan, you plan to fail." This quote summarizes the importance of online encryption policy and hands-on implementation within an organization.

Though you may have the best IT department in the world and advanced computing resources, if there are no written methodical steps that will serve as guidelines or Standard Operating Procedure (SOP) for computing and data storage, then all these hiring-sprees of IT talents and investments are doomed to fail.

With millions of data breach and identity fraud cases reported frequently, Americans are the fraudsters' favorite targets. According to CNN, someone becomes a victim every two seconds.

Once your computer or mobile device is connected to the Internet, there's no guarantee of protection and safety of your personal files, whether you're using it as a consumer or a corporate user. Even IT giants such as GoDaddy, Apple, and Google weren't spared from cyber attacks.

Through an online encryption policy, you can mitigate the risks and avoid these cases, whether you're a profit or a non-profit organization. Creating such a policy involves the participation of the IT department in your organization, and it may or may not include the c-suite executives until it reaches complete implementation.

IBM's latest Cyber Security Intelligence index report shows that:

  • 1.5 million cyber attacks were monitored last year
  • Companies are attacked with an average of 16,856 times a year
  • There is a 12% year-to-year increase in security events to educate and inform organizations
  • There are 91,765,453 security events annually

What is an online encryption policy?

An online encryption policy is an IT standard operating procedure that aims to protect the organization's cyber (and/or digital) assets --- such as data, files, personal information of the stakeholders, employees, affiliates, and customers --- against attacks or any kind of theft, breach and illegal interception between communicating computers over the Internet.

It covers the systematic data management of the company and can also be referred to as information security policy standards when working in an on-premise, cloud, or a hybrid-computing environment.

The system varies from one organization to another, depending on the type of business and general workflow especially for organizations that practice BYOD (Bring-Your-Own-Device), but the ultimate purpose is to establish formidable security and protection. Some of these organizations include:

  • Schools and universities
  • Corporate B2B and B2C companies
  • Small mom-and-pop online businesses
  • Government institutions

When to use an online encryption policy

It's indispensible if your organization runs in:

On-premise environment – if your software and other computing resources run within your premises, yet the Internet is still a requisite for file sharing and handling within two or more computers within your location.

Cloud – your software and computing resources are stored, managed, and communicated in the cloud. A new breed of startups and companies are adopting this model, which would require online encryption policy that includes files, emails, and access of computing resources to the cloud.

Hybrid – this is the combination of the two environments and requires a comprehensive online encryption policy for both offline and online computing activities—on how employees would respond to incidents that could compromise the files and the organization's sensitive information.

Two types of online encryption

There are two kinds of encryption; each one works differently with advantages and disadvantages on the side: symmetric key encryption and asymmetric key encryption, also called public key encryption. The concept is complex, but the definition and core function are briefly discussed below.

Symmetric key encryption

Malware Bytes defines the symmetric key encryption using an illustration where two communicating computers must know the secret code to encrypt and decrypt information. A shared key is used to execute this process, wherein both parties exchange that key and use it throughout the distribution or communication of these computers, whether sending a file, sharing data, etc.

One must know which computers will be communicating in order to install the key to encrypt the information before sending, and then the first computer sends the information to the other network. An example of symmetric key encryption is AES, which is the standard encryption used by the US government.

On the other hand, asymmetric or public key encryption uses two keys. TechTarget explains that this type of encryption the public and private—to encrypt and decrypt files so that the information arrives to the other network safely. The recipient uses a private key that he or she alone can access to decrypt the information.

The pair of keys makes up a lengthy combination of codes, impenetrable to any attack or hacker's crack. According to Malware Bytes, the PCP or Pretty Good Privacy is a good example of asymmetric encryption key that can crack almost anything.

Now that you have an idea of online encryption, here's the list of benefits why it's indispensible to have a strict policy within the organization.

Benefits of online encryption policy

Privacy to corporate's top-secret files – are you in the process of research and development for products being offered? Implementing an online encryption policy is a must to protect your top-secret files to avoid leaks and piracy.

Avoid data and identity theft cases – you may grant access to certain groups and individuals when it comes to file sharing and management to protect your files. IT administrators can set up rules and authorization per level within the organization to mitigate the breaches.

Equipped employees for immediate response to incidents – in case there's a cyber attack, the staff knows how to respond and make amendments before it's too late. Implementing an online encryption policy would also require extensive training and induction for them to understand the process and its importance.

Protection of the company's digital resources – the digital resources aren't limited to the organization's files, software, and computing resources, these also include personal information of customers and clients who have entrusted these sensitive data for online transactions.

What are the characteristics of an effective online encryption policy?

In as much as the policymakers are knowledgeable on the technical aspects of encryption, the written code or standard procedures should have the following characteristics for effective implementation:

  1. Simple – avoid the jargons and IT terminology when writing the policy. Remember that the recipients and readers come from different departments. The statements should be readable and understandable in layman's terms.
  2. Concise – no more beating around the bush when writing instructions 'if-and-then' and 'when-and-once.' Be concise and use simple words, and if possible break down the entire process in short and clear sentences.
  3. Methodical – you may divide the steps in the policy according to the computing resources and processes within your organization.
  4. Sovereign and up to date – the policy should be applicable to anyone who works within the organization, and vendors and third party affiliates as per your requirements. The policy must be updated as the IT department keeps up with the latest security trends.

What are the scopes of an online encryption policy?

As mobile technology shapes the organization's IT strategies where BYOD is also being practiced, the policy should target the following areas:

Email – this will include the attachments and integration of encryption to email clients that the organization uses to communicate with clients and third parties.

Files – files that are stored and shared within the on premise or in the cloud environment that are transmitted via Internet.

External Devices – create policy that also discusses the scope of handling external devices such as USBs, CDs, and external drives for storing and sharing.

Mobile Devices – employees in transit or working remotely should also be provided with policy and procedures for laptops, smartphones, and tablets being used to store, share, and manage files.

Recovery and backup – the IT department should also create an encryption policy that covers the recover and backup procedure of files, passwords, and keys for quick access or request to the administrator in case of emergency.

Authorization – creation of policy for granting access or authorization to contractors who can access the organization's files should be strictly controlled. The IT administrator should also check regularly each department's rights to the files and keys from time to time.

How safe is safe?

Establishing an online encryption policy cannot guarantee that everything would be attack-proof from outsiders. However, to have one and implement it will mitigate the risks. Depending on how the IT team deploys encryption, whether they use symmetric or asymmetric key encryption for the files and digital resources, consent and responsibility in handling the keys, passwords, and files are external contributing factors for effective implementation.

Conclusion

The employees and the stakeholders in the organization must cooperate toward an online encryption policy for the successful and smooth workflow, whether they're working in an on-premise, cloud or hybrid set up.

As technology gives you many options to improve and create advance-computing resources to develop your IT infrastructure, you must be intentional in educating the methods and objectives of the policy to gain everyone's support, trust and cooperation.

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.