Cryptography is the use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication, and data origin authentication. Cryptography is the science that converts plaintext into an unreadable form (aka: ciphertext) by anyone without the decryption key which restores encrypted ciphertext to plaintext. This goes hand in hand with the Cryptographic Algorithm and encryption. Cryptography encompasses the mathematical principles and techniques behind encryption enabling sensitive or critical data to be kept private or limited to certain individuals.
What Does This Mean For My SMB?
Encryption and Cryptography are important to an SMB in order to protect the confidentiality and integrity of critical and sensitive information. SMB’s may fall under legislative controls such as HIPAA or PCI which require specific forms of data (Health Records, Credit Card PAN information) to be protected from disclosure (confidentiality) or manipulation (integrity).
One strategy for SMB’s to deal with industry compliance requirements is NOT to have such data in their possession to begin with. For example, PCI compliance obligations can often be avoided by partnering with online Web Services that perform the Credit Authorization outside of your Website or store and simply provide the SMB an authorization code back. However, in cases where an SMB must collect and store such critical and sensitive data, then AES encryption is a powerful protection tool and should be used. Just make sure to protect the decryption keys.
Additionally, encryption can turn a lost device event into a financial loss, but not a cybersecurity breach by encrypting laptops with Microsoft’s BitLocker or Apple’s FileVault. Since Key Management can be an issue, be certain you have a program in place to store the decryption keys in a secure place and not on the devices that are encrypted themselves.
SMB PROTECTIONS BEYOND Cryptography
CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years
If you would like more information on this topic, watch this short informational video:
Source: NIST SP 800-130, CNSSI 4009
Related Terms: Encryption, Plaintext, Ciphertext
CyberHoot does have some other resources available for your use. Below are links to all of our resources, feel free to check them out whenever you like:
- Blog
- Cybrary (Cyber Library)
- Infographics
- Newsletters
- Press Releases
- Instructional Videos (HowTo) – very helpful for our SuperUsers!
Note: If you’d like to subscribe to our newsletter, visit any link above (besides infographics) and enter your email address on the right-hand side of the page, and click ‘Send Me Newsletters’.