How to pull off a successful encryption project

Let’s face it: for most IT managers, encryption is a bit of a headache. An order comes in from senior management and IT is usually brought in at the last minute to execute it, adding extra workload to an already stretched IT department, with no tangible cost or efficiency gains to be seen in the short term. IT managers are tasked with finding a product and rolling it out, and half the time the deadline was ‘yesterday’.

Sound familiar? Under these circumstances, projects are often rushed, with organisations jumping in feet first with a mentality of “just get the product and get it installed”. This can lead to overspending, and because corners get cut, the project often fails to meet its original objective: protecting the company from liability. I see it every day.

In times of recession, no company can afford to throw money away on unnecessary purchases or wasted resources. To ensure your project runs smoothly, there are three key things you should do before you even think about buying a product: first an asset discovery, then a full risk assessment, and only then can you accurately plan your security.

Step One: Knowing what you have

This may seem like an obvious statement, but it is impossible to encrypt something unless you know it’s there. A major problem I see with companies is that they just don’t know what’s in their IT estate. Many try to keep track by logging data in spreadsheets and using audit tools, but few audit regularly, so there are always assets that get missed and holes in the data.

Asset discovery is crucial to an encryption project. Finding out exactly what you have makes identifying the risks, and what you actually need to buy, much easier and more accurate. Many companies just take an educated guess and end up panic-buying licences, increasing the cost of the project while also missing assets that could be at risk. If you don’t know what you have, then you don’t know what you need to protect.

Step Two: Knowing the risks

Once you know what machines you have, you need to know the risks these assets pose. Generally, encryption protects against accidental loss or theft; you are not protecting against hackers and attackers but against the devil within: human error.

There is no point in encrypting a machine if it doesn’t pose a risk of data breach, so you need to look at the devices you have and ask some questions: How transient are the devices? How physically secure are they at the moment? How sensitive is the data on them? What are the consequences if this data is exposed?

If you are assessing a PC sitting in an office, behind a locked door in a secure building, which doesn’t hold any sensitive corporate information, then you don’t really need to encrypt it. However, keeping sensitive corporate or client information on a memory stick or laptop, which can easily be lost or stolen, means that data is at genuine risk of exposure. It’s a similar story if you are sending information via e-mail. It is all about having the information to make a judgement about how much risk the company is exposed to and how much it is willing to accept.

Step Three: Knowing what you’re going to do next

Now that you know what you have and the risk you are exposed to, the next stage is to define your security policy. Encryption is seen as a technology issue, yet IT is often left out of the decision process because whether or not to encrypt data is treated as a business decision. If a breach occurs, however, it is often IT that gets it in the neck for failing to protect the data. I have seen IT managers lose their jobs because a breach occurred and there was no evidence that they had taken any steps to prevent it. And rightly so, I would argue: a simple project initiation document (PID) would have been enough to establish that they had acted in a responsible manner.

Having a security policy can shield an organisation from liability should a breach occur, and help an IT manager keep his job. Things for the business to consider here include:

  • Developing a timeline that identifies the most ‘at risk’ devices, which need to be attended to first
  • Producing policies and procedures for the workforce covering the use of e-mail, removable storage devices, laptops and PCs
  • Identifying what encryption functionality they require from a product: for example, memory sticks, e-mail, files and folders, full disk and so on.

IT can then provide a full breakdown to the board ahead of buying the software, so that the company can decide what level of risk it is willing to accept and where it would like to assign resources. A good way to achieve this is to set up a project board, involving the board of directors, heads of departments and IT, to plan out the project and ensure everyone is clear on their roles and responsibilities. The company can then buy a product that meets all the security requirements outlined and also fits in with the way people work, so that it does not hinder productivity.

Mitigating - not extinguishing - risk

At the end of the day, there are a million ways you can lose data. Copy and paste, printing, the internet: you cannot easily make anything 100 per cent secure. If you want people to still be able to work and be productive, then you have to give them the means to work in a way they feel comfortable with and that is easy for them. It’s all about perspective and making a sound and educated judgement, knowing what your biggest risks are and getting them under control. If you follow this process and work out what you own, what the risk is and what you’re going to do about it, then the rest is easy.
