When security analyst Chris Vickery chanced upon a poorly-protected database belonging to consultancy firm Deep Root Analytics earlier this month, he had no idea he was about to gain access to personal information for 198 million U.S. voters and ultimately spark a lawsuit.
It’s a sobering thought – had hackers found the server earlier than Vickery, they would’ve obtained access to a rich hoard of information ripe for evil purposes.
The firm is now facing a class-action lawsuit for its negligence in safeguarding the public’s personally identifiable information. While Deep Root Analytics will likely survive the financial damage, it’ll be harder for the firm to wipe away the taint of its failure to protect sensitive information.
The episode is a stark reminder that everyone makes mistakes and, in one way or another, opens the way for malicious actors to infiltrate the defensive perimeters of their networks and gain access to their trove of information.
Whether it’s a weak password (or no password in the case of Deep Root Analytics), a security flaw in software used in the system, or a lost or stolen laptop, phone or thumb drive, we all make slips and eventually let our guards down.
Mistakes happen. The question is how you prepare for when disaster inevitably strikes.
How do you prepare yourself for the day when your data, or that of your clients, falls into the wrong hands?
The answer is encryption, the science of altering data to prevent unwelcome parties from using it. Encryption uses mathematical algorithms to scramble your information so that only the parties holding the decryption keys will be able to access it.
Encryption is your first and last line of defense in the hostile world of the internet. It is now widely employed in the applications we use on a daily basis to protect our information.
Websites and web services whose addresses start with HTTPS use encryption to protect your data in transit, as it travels from your browser or smartphone to their servers and back. Encryption protects your communications when you use secure messaging apps such as WhatsApp or Signal.
However, while enterprises and organizations are increasingly endorsing encryption, there’s still a lot that needs to be done.
As a business owner, you should take your responsibilities to protect user information seriously. In this regard, encryption can save you many legal and reputational troubles of the kind Deep Root Analytics now faces.
Early last year, giant toy maker VTech suffered a major breach of its network, which led to the exposure of the information of millions of kids. There were many things wrong with VTech’s implementation of security practices. However, a good encryption plan could have provided a last line of defense against the hackers and made the accessed data useless.
Consumers and business owners both have parts to play in protecting sensitive data.
As a consumer you should educate yourself about the threats to your digital information and how you can take full advantage of encryption to protect yourself against data theft.
First, you should know that not all applications and services implement encryption as robustly as they should. Some services deliberately keep unencrypted or weakly encrypted copies of your data in order to be able to use them for their own commercial purposes such as serving up targeted ads or training their artificial intelligence algorithms. This is a common practice among a number of email and cloud storage providers, as well as a number of online services.
In this case, your data will only be as safe as the company’s defenses can make it. This is a lesson that the users of the Ashley Madison online affair service learned the hard way when the company’s website was hacked in 2015 and user data was spilled all over the internet. Had Ashley Madison properly encrypted its data and secured the keys, it could’ve literally saved lives.
In this specific case, nothing short of not using the service would have protected user data. However, in many other cases, as a user you can take matters into your own hands and use encryption to make it virtually impossible for malicious actors to access your data even if they hack your account or the service you’re using. And where you can’t use encryption, you’ll at least know how far you can trust the service you’re using.
As an example, in 2016, John Podesta, the campaign chair for presidential nominee Hillary Clinton, became the victim of a clever phishing scam that gave hackers access to his email account.
Had Podesta used PGP to encrypt his emails, or had his organization used an end-to-end encrypted email service such as ProtonMail, there is a good chance he could’ve avoided the ensuing leaks that critically damaged his boss’s bid for the presidency.
There are now encrypted alternatives for most popular services such as messaging, email and cloud storage, which you can consider using for your more sensitive communications.
There are encryption solutions available for consumers that protect email, messaging and cloud services. You can also encrypt your devices.
You should also be wary of the information you hold on your devices, such as your phone, laptop, or removable drives. Most mobile and desktop operating systems support full-disk encryption, which locks down on-device information to protect your data against physical access or device theft.
Last year, an encrypted iPhone was at the heart of a months-long debate between the feds and Apple, because the device was so securely encrypted that not even the manufacturing company could access the data it held.
However, while disk encryption only takes a few clicks or taps, many users still forgo enabling it on their devices, undermining their own security for the sake of convenience.
All this said, encryption alone isn’t enough, but it is a useful and critical component of any sound security strategy, whether you’re a company, organization or an individual who cares about their privacy. Encrypting sensitive information is always better than hiding it behind walls.