By Joe Balsarotti
What do the Apple–FBI fight and the ransom paid by a Hollywood-area hospital have in common? Encryption.
The data stored on Syed Farook’s iPhone and the data at Hollywood Presbyterian Medical Center are both encrypted, the former by design and the latter by malicious hackers.
The lure of privacy and keeping prying eyes away makes encryption a tempting solution, even if no encryption scheme has ever been foolproof. The federal government, through HIPAA (the Health Insurance Portability and Accountability Act), even wants most patient data encrypted, and yet the FBI wants to break the encryption on mass-murderer Farook’s iPhone.
Encryption is a two-edged sword. It can be used to protect a company’s information, but it can also block a company from getting its own information. When a hard drive fails due to a hardware problem, encrypted information is rarely recoverable. If backups fail, there could be irreparable damage to a business because of the loss. Or, the hardware could be fine, but a disgruntled employee can use readily available tools to encrypt a business’s data and leave the company high and dry.
International organized crime has found encryption to be a very lucrative tool, hence the rise of CryptoLocker and similar viruses and malware. “Pay us and you get your data back”; don’t pay, and you or your business are at the mercy of having backups with enough versions to reach back before the infection first hit your systems. Of course, that assumes your business *has* backups which have been tested and verified.
Without getting too far into the weeds of the Apple vs. FBI saga, suffice it to say that battle isn’t over encryption; it’s over the iPhone’s setting to destroy its data if ten incorrect passcodes are entered. Since today’s computers can easily crack any passcode within a couple of days by trying every combination, the illusion of security in Apple products lies in the balance. Give the FBI a way around the self-destruct and the Apple products are no more secure than anything was before the digital age.
Now, back to the encryption conundrum. Until the digital age, nothing was truly private. Any safe or vault could be picked and any code could be broken, eventually. In the digital age, encryption has become both a blessing and a curse, but there’s no denying that it enables a level of privacy that didn’t even exist fifty years ago. Those who’ve only lived in the digital age take this privacy as a given and don’t want to see its power eroded. Those who remember ‘loose lips sink ships’ know that no information was truly safe in the past, and breaking the other side’s code often meant the difference between life and death.
For a company, encrypting data on mobile devices such as notebooks, tablets, and phones is a prudent move, as those devices are easily lost or stolen. However, your data should never be only on such devices. Mobile devices should have to connect to access the data, whether through a VPN (virtual private network), remote access tools like TeamViewer, LogMeIn, or Remote Desktop, or one of the secure cloud-based services. In other words, either store the data elsewhere, but have it accessible to your mobile device, or encrypt the mobile copy.
Once important data is encrypted, the key to that data is invaluable. If you, as a business owner, encrypt your company data and something happens to you, who on your staff also has the key? If you get hit by the proverbial bus, and no one has the decryption key, how does the business survive without the data you deemed important enough to encrypt in the first place? Restoring a backup won’t help, as those backup files would be encrypted and also require the key to be readable. In your personal life, does your family have the keys and passcodes to get into your digital files if you’re incapacitated or no longer around?
Everyone can agree that you should have multiple levels of backups for your business. Whether to encrypt some, all or none of your company or personal data is a much harder question.
If you’re interested in the specifics of the incidents I mentioned, here are the links:
I welcome your questions or comments at firstname.lastname@example.org
Joe Balsarotti is president of Software To Go and is a 36-year veteran of the computer industry. He served three terms as chairman of the National Federation of Independent Business’ (NFIB) Missouri Leadership Council, served as chairman of the Clayton, Missouri Merchant Association for a dozen years, and chaired Region VII of the Federal Small Business Regulatory Fairness Board. He currently serves on the Dealer Advisory Panel of the ASCII Group, an organization of over 1000 independent computer and technology solution providers in North America.