I’ve lost count of the conversations I have had with IT people who are in almost panic over the rise in both quantity and effectiveness of ransomware attacks. Everyone wants to do what they can to reduce their risk, but many of these IT specialists seem to believe that full disk encryption solutions, such as BitLocker from Microsoft, are going to protect them from data theft.
I am shocked by the lack of knowledge in this area and the apparent box-ticking approach to the ransomware problem. If your boss, your customers and the regulators say that everything must be encrypted, the approach appears to be to deploy full disk encryption everywhere — box ticked. But this just will not solve the problem.
The language around this technology doesn’t help. Here’s what Microsoft says about turning on device encryption:
“Encryption helps protect the data on your device so it can only be accessed by people who have authorisation.”
That sounds like it will do the job, and the statement is technically true, but the authorisation happens once, when the user unlocks the disk drive at system boot. Thereafter, device encryption enforces no further security controls on the running system.
Full disk encryption is a great solution for protecting data on a powered-off system. If you leave your laptop on the train – no problem; no would-be data thief is going to be able to decrypt your data. But organisations don’t spend large budgets on computers that remain powered off all the time. And as soon as a PC is powered on, data can be stolen from it – in the clear, not encrypted.
All the news we hear on a regular basis, where data is stolen and the organisation is then held to ransom, involves systems that are powered on and in use. So, if you are in a position like Colonial Pipeline, where cyber criminals reportedly gained network access through an old VPN with a compromised password, the stolen data may well have come from machines with full disk encryption enabled. The data would have been handed to the attacker in decrypted form, just as it is to any other process, legitimate or malicious.
So, what’s the answer? How can data theft be defeated on a running system? File-level encryption goes with the data rather than being an attribute of the hardware it happens to be stored on. This means that when the hacker reviews the data they just stole, they will find that it’s all scrambled and completely useless as a ransom bargaining chip.
Another common misconception is that encrypting everything must be difficult to set up and manage, and must hurt performance and user experience — wrong again. It’s perfectly possible to deploy file-level encryption that encrypts all your data, all the time, with no decisions or configuration about which folders to encrypt. That removes the need to decide and classify which data is sensitive and should be protected: all data is treated as sensitive.
Universal file-level encryption is just like full disk encryption – but it works to keep all files encrypted all the time – at rest, in transit and even when in use – and especially when data is copied anywhere else, including when copied to the cyber criminal’s storage.
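To make the distinction concrete, here is an added example written for this page, not code from the original article or from any product: two small Python models, a full-disk-encrypted volume and a file-level encrypted store (both hypothetical), with a toy HMAC-based stream cipher standing in for AES. Reading the same file through each layer from a running system shows which design hands a copying process plaintext and which hands it ciphertext.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher from HMAC-SHA256 (stdlib only); it stands
    in for AES so the example runs offline and is not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class FullDiskEncryptedVolume:
    """Hypothetical model of FDE: sectors hold ciphertext, but once the volume
    is unlocked at boot every read by any process returns plaintext."""
    def __init__(self, volume_key: bytes):
        self._key, self._sectors, self._unlocked = volume_key, {}, False
    def unlock(self, key_from_user: bytes) -> None:   # the one-time check at boot
        self._unlocked = hmac.compare_digest(key_from_user, self._key)
    def write(self, path: str, data: bytes) -> None:
        tweak = hashlib.sha256(path.encode()).digest()[:8]   # stands in for a sector tweak
        self._sectors[path] = keystream_xor(self._key, tweak, data)
    def read(self, path: str) -> bytes:               # no per-process authorisation
        if not self._unlocked:
            raise PermissionError("volume locked: the powered-off laptop case")
        tweak = hashlib.sha256(path.encode()).digest()[:8]
        return keystream_xor(self._key, tweak, self._sectors[path])

class FileLevelEncryptedStore:
    """Hypothetical model of file-level encryption: each file is its own ciphertext
    blob, so a copy is ciphertext; only an authorised open with the file key decrypts."""
    def __init__(self):
        self._files = {}
    def write(self, path: str, data: bytes, file_key: bytes) -> None:
        nonce = secrets.token_bytes(8)
        self._files[path] = nonce + keystream_xor(file_key, nonce, data)
    def read(self, path: str) -> bytes:               # raw bytes, as any copy sees them
        return self._files[path]
    def open_authorised(self, path: str, file_key: bytes) -> bytes:
        blob = self._files[path]
        return keystream_xor(file_key, blob[:8], blob[8:])

def exfiltration_demo() -> dict:
    """Same constructed file on both designs, then read by a process on the booted system."""
    secret = b"Q3 payroll export - constructed sample data"
    vk, fk = secrets.token_bytes(32), secrets.token_bytes(32)
    fde = FullDiskEncryptedVolume(vk); fde.unlock(vk); fde.write("payroll.csv", secret)
    fle = FileLevelEncryptedStore(); fle.write("payroll.csv", secret, fk)
    return {"secret": secret, "copied_from_fde": fde.read("payroll.csv"),
            "copied_from_fle": fle.read("payroll.csv"),
            "authorised_open": fle.open_authorised("payroll.csv", fk)}
```

The dictionary returned by `exfiltration_demo()` shows the copy taken from the unlocked FDE volume equal to the secret, while the copy taken from the file-level store is ciphertext that only the authorised open recovers.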