We recently revisited the amusingly titled article, "How to securely store and share sensitive files (A tin foil hat that actually works)" posted on PopSci.
Among its many solid suggestions are using strong passwords, two-factor authentication with cloud services, and device encryption. These practices are essential as we approach a tipping point in cybercrime.
The article hints at the issues with using cloud storage to share with external recipients, i.e., those who aren't employees of the same company. While turning on encryption in these services protects your data at rest in the drive and in transit, sharing ultimately requires you to decrypt the file and hand over a copy the recipient can download and open. Hopefully, you sent it to the right recipient. If not, you've lost control. In a regulated industry, if things go wrong, you may face embarrassment or even fines due to the disclosure.
Secure Portals: While they seem attractive, they often have high failure rates with consumers due to complex, lengthy signup processes. Many offerings also scare users with new, unknown URLs or domain names. How do they know you're not phishing them?
Transmitting Encrypted Files: This method is very secure, assuming you didn't deliver both the content and the shared secret to the same, wrong recipient. Overall, it's very complicated for users. Since complexity is the enemy of good security practices, this can't be recommended for anything but power-user-to-power-user exchanges.
When considering these methods, test to see if the complexity is suitable for your expected recipient. For encryption, use existing enterprise tools to manage the process. For portals, take a skeptical view as you review the process. Will users understand that there is a third party involved, or can your offering be hosted under your domain and re-branded appropriately, including email notifications? Will your users need mobile access or desktop integration? What about Office 365 or GSuite?
Additionally, ensure that any encryption software you choose has a recovery key in case things go wrong on your end. And remember, once the recipient has the key, they have your data. There's no going back. If an all-or-nothing approach doesn't fit your corporate, regulated reality, look into collaboration solutions that secure themselves.