In recent years, the US government (politicians and three-letter agencies) has been lobbying for a back door into encryption standards like AES because encryption is “hampering their investigations and emboldening criminals”.
Source: CNSSI 4009, ICAM SAML 2.0 WB SSO Profile 1.0.2
What does this mean for an SMB?
Encryption is important to an SMB because it protects the confidentiality of critical and sensitive information. SMBs may fall under legislative controls such as HIPAA or PCI that require specific forms of data (health records, credit card PAN information) to be protected from disclosure (that is, to have their confidentiality protected).
The best strategy for SMBs to deal with such requirements is NOT to have such data in your possession at all. For example, PCI compliance obligations can often be avoided by partnering with online web services that perform the credit authorization outside of your website or store and simply return an authorization code to the SMB. However, where an SMB must collect and store such critical and sensitive data, AES encryption is your friend and should be used. Just be sure to protect the decryption keys.
Additionally, encrypting laptops with Microsoft BitLocker or Apple FileVault turns a lost-device event into a financial loss rather than a cybersecurity breach.
Since key management can be an issue, be certain you have a program in place to store the decryption keys in a secure place, and not on the encrypted devices themselves.
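The two points above (use AES for data you must keep, and keep the decryption key away from the data) are easy to get wrong in practice. The following is an added example, not code from CyberHoot or from any product the page mentions, showing how an application would protect a single sensitive field such as a card PAN with AES-256-GCM from Go's standard library. Everything stored next to the record is a random nonce plus authenticated ciphertext; the key comes from a separate key store, represented here by the hypothetical `KeyFromKMS` function, which derives a fixed test key from a constructed string so the example runs offline. The record ID is bound as associated data so that a ciphertext lifted from one customer's row cannot be decrypted under another's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Sealed is the only thing written next to the customer record: a random nonce
// and the AES-GCM ciphertext (which carries the authentication tag).
// The key is deliberately absent, so a copy of the database alone is useless.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// KeyFromKMS stands in for fetching the data-encryption key from a separate
// key store (cloud KMS, HSM or secrets manager), never from the disk holding
// the ciphertext. Hypothetical: this version derives a fixed 32-byte test key
// from a constructed string so the example runs offline.
func KeyFromKMS() []byte {
	sum := sha256.Sum256([]byte("constructed-example-key-material"))
	return sum[:]
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one sensitive field (a PAN, a health record) under key.
// The record ID is bound as associated data, so a ciphertext copied from one
// customer's row into another's will not decrypt.
func Seal(key []byte, recordID string, plaintext []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Sealed{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies. Any change to the nonce, the ciphertext, the tag
// or the record ID makes GCM reject the data instead of returning garbage.
func Open(key []byte, recordID string, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(recordID))
}

// Encode renders the sealed blob as one storable string: base64(nonce):base64(ciphertext).
func (s Sealed) Encode() string {
	return base64.StdEncoding.EncodeToString(s.Nonce) + ":" +
		base64.StdEncoding.EncodeToString(s.Ciphertext)
}

func main() {
	key := KeyFromKMS()
	// Constructed test value: 4111111111111111 is a well-known test PAN, not a real card.
	sealed, err := Seal(key, "customer-0001", []byte("4111111111111111"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", sealed.Encode())

	pan, err := Open(key, "customer-0001", sealed)
	fmt.Println("decrypted:", string(pan), "err:", err)

	// The same blob attached to a different record is rejected.
	_, err = Open(key, "customer-0002", sealed)
	fmt.Println("swapped record:", err)
}
```

Two design points worth noting: GCM is chosen over plain CBC because it authenticates the data, so a tampered or mismatched blob fails to decrypt rather than silently yielding wrong bytes; and because the nonce is random, the key should be rotated well before a very large number of encryptions under it (on the order of 2^32), which is another reason to keep key handling in a dedicated key store rather than in application code.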
Additionally, CyberHoot recommends:
- Setting encryption passwords on important documents sent by email (Microsoft Office now has AES encryption built in that is very good and can be trusted, unlike the early years of 2000 to 2010 when it was easily cracked).
- Educating employees on what data needs to be encrypted, how to encrypt it, and how to keep themselves and the company secure.