"The solution to government surveillance is to encrypt everything."
The latest reports to come out of the very public NSA scandal reveal that the US agency has used technology so secretive it could successfully spy on computers that weren't even connected to the internet.
The NSA are trying to assure the concerned public that their targets were exclusively foreign intelligence threats, but will this pacify people or is the damage already done? Surely there is no doubt that technology of this kind facilitates a huge invasion of privacy, whether that's by the government, a competitor or a malicious attacker.
Google's Eric Schmidt said recently that "the solution to government surveillance is to encrypt everything", and many organisations seem to agree – over a third of people questioned in our recent Data Health Check already encrypt absolutely everything they put in the cloud. Considering the sophistication of spyware and malware today, it is reasonable (advisable, even) that IT departments review their encryption policies, but this should be done in the context of their overall security plan. Encrypting everything just isn't necessary.
Organisations often think that their data is more important than it is. By that we mean, in reality, most businesses only have a small proportion of truly sensitive data – data that would cause harm (to the business or individual) if it was leaked. This is what needs to be encrypted, and greater investment should be made in finding the right way to protect that data, rather than encrypting everything you have.
Smaller companies often take a blanket approach to security based on their most sensitive data because for them it's most economical to do so. Larger companies, however, would be penalising themselves by taking the same 'one size fits all' approach.
Different methods of encryption are suited to different needs, so you need to decide what it is you're protecting and why. Do you need full disk encryption, file encryption at a more granular level or something more specialised?
In the past, organisations have had to make the choice between the strength of their encryption and the impact that it would have on performance. Computing power has advanced so substantially in the last few years that this doesn't have to be such a trade-off anymore. We'd recommend using the strongest type of encryption your system allows.
It's essential to understand the importance of encryption key management. You may have the strongest encryption available but without adequate management procedures in place, you are left wide open to threats.
The PRISM scandals have left businesses feeling vulnerable and the fact that IT decision makers are reviewing security policies isn't necessarily a bad thing. But with internal and external security breaches accounting for a mere 5% of data loss last year, organisations need to understand the right changes to make in order to safeguard their data in 2014.