Numerous preconceptions still prevent companies from adopting encryption solutions to protect their data. Yet this reluctance could prove costly if it results in massive data leaks... We take a closer look at five common myths surrounding data encryption.
"Encrypting my data is a waste of money"
Data encryption is a bit like an insurance contract — you only really notice its usefulness when problems arise. But the figures speak for themselves. According to the study '2018: Cost of a Data Breach Study: Global Overview', conducted by Ponemon Institute for IBM, the cost of data theft in France averages at €3.54 million, an increase of 8.2% from 2017.
As highlighted in Stormshield's white paper 'Digital transformation of companies; where does security fit in?', a host of potential sources of vulnerability are emerging that we cannot afford to ignore, including employee nomadism, cloud-based document sharing services and the emergence of connected objects.
"Encryption is too complicated to set up"
Middleware, PKI, cryptographic cards, a variety of other certification policies... Until a few years ago, the complexity of data protection procedures was enough to discourage even the most determined of potential customers.
But today, publishers offer solutions that no longer require the implementation of an ultra-complex infrastructure. Whether for end users or administrators, these new solutions have made implementing and managing encryption systems noticeably more transparent. SaaS mode, for example, has enabled significantly lower infrastructure and maintenance costs.
"There are other solutions that are just as effective as encryption"
The concept of encryption is often associated with the implementation of virtual private networks (VPNs) useful for protecting data in transit over the Internet. Yet these protection systems do not guarantee the data's integrity in situations such as the theft of the terminal.
On the other hand, beyond VPNs, firewalls and access rights, hard-drive encryption on terminals is becoming an increasingly viable solution. Here, the terminal itself – and not the data – is protected, in response to the threat of theft in particular.
These additional solutions can and should be considered alongside a data encryption solution, forming the 'holy trinity' of an information security policy. This way, regardless of who has access to the workstation, server or network- or cloud-based sharing system, only the user with decryption rights can use the data in question.
"I don't need encryption – cyberattacks never happen to me"
"I'm not at risk." "I don't have sensitive data that needs protecting." These kinds of remarks are more common than you would think, and not only within local associations or authorities. But it's not only the responsibility of sectors handling sensitive information to protect the data they manage. The General Data Protection Regulation (GDPR) reminds those who may be in doubt that everyone is responsible for protecting individuals' data.
In France, CNIL's decision to fine Optical Center €250,000 in June 2018 for failing to secure its customers' data is proof that negligence itself can be costly. And the threat is ever-present – even recently, the technology consulting giant Altran was the victim of a cyberattack.
"If I encrypt my data, I might never get it back"
Many people still fear that they might lose their data after forgetting their password, or if an employee leaves the company without passing on theirs. But certain technologies can help to avoid this kind of inconvenience, such as data recovery, which provides one or two people within a company with access in case of urgent need. The key escrow technique is another possibility, whereby a database – itself encrypted, of course! – is used to store all of a company's encryption keys.
In short, because data theft is far more costly than data protection; because technologies have become simpler to use over time; because no one is entirely safe from cyberattacks; and, finally, because encryption remains one of the most effective protection systems – all of these facts demonstrate why nothing should prevent companies from adopting sound encryption solutions.