Encryption Best Practices Every CISO Should Adopt

The magnitude of data-driven operations that organizations rely on will only increase with time. Having a clear and effective encryption strategy for 2022 is paramount to maintaining a secure perimeter around your data landscape. Although we’ve discussed the best practices for enterprise encryption in this post previously, operational technology continues to evolve and now is the ideal time to provide an update for CISOs to adopt.

Encrypting organizational data remains your best defense against unauthorized entry, extraction, or surveillance of your digital operations. The risk landscape expands as more operations become digitized and teams spread over geographies or have to perform their duties remotely. As a CISO, you have to face the reality emanating from the following statistics:

  • Mega data breaches (those exposing 50 to 65 million records) cost organizations more than $400 million
  • Only 56% of enterprises use extensive encryption for internet communications according to a survey by Statista
  • In 2021, the average time to identify and contain a data breach increased by seven days, totaling 287 days, compared to 2020

We won’t hark on about these concerning statistics as you can study the entire list for yourself, but let’s rather focus on what encryption best practices every CISO should adopt today.

5 Updated Encryption Best Practices for CISOs in 2022

Since the pandemic, the threat landscape for CISOs increased exponentially. Digital operations are vital for remaining productive in every organization or public agency and naturally, these activities come with inherent information security concerns. Due to these changes in operating models, let’s look at five updated encryption best practices for CISOs in 2022.

1. Control Your Attack Surface

In 2021, many CISOs had to react to changes in their attack surface after the fact. Organizations scrambled to deploy new technologies for virtual meetings, communications, and information exchanges. The procedures for vetting new technology stacks and analyzing the threat landscape may have played a secondary role compared to keeping everyone connected.

CISOs now have the opportunity to review their current technology landscape and vet systems to address the current attack surface. At a minimum, every system that stores, transmits, or archives data should include encryption — especially when teams continue to operate remotely and have to access information from an external network.

2. Take Ownership of Your Encryption Keys

If you use a third-party encryption key management solution, now may be the time to bring those back under your control. Regardless of what technology you use for communications and data transfers, you should have all of the encryption keys stored securely in a key vault inside your own IT environment.

You may also want to review your key vault logs and verify that no unauthorized access occurred if you kept your keys in the cloud. To maintain a secure perimeter around all of your data, you should enforce the zero trust principle and this should extend to the technology vendors you use every day.

3. Consider Full Disk Encryption

Partial encryption (or file level encryption) may suffice inside your corporate networks but to secure all your data, you should consider full disk encryption (FDE). This will protect your hardware even if a workstation is lost or stolen. Volume level encryption makes all information stored on a disk unreadable and as a bonus, these events would not expose the organization to regulatory liabilities.

By deploying FDE on all your endpoint devices, you can eliminate human errors or software failures and ensure any data kept on a remote terminal remains inaccessible to any unauthorized person or entity.

4. Review Your Data Classification Practices

Your choice of encryption method can influence your IT system’s performance. To reduce the burden on your infrastructure, you should apply data classification to all your records and prioritize encrypting all sensitive information based on this classification.

Changes in your operating models may lead to data leakage or misuse, making your data classification practices essential to securing your perimeter. For cloud environments, consider deploying automated encryption services for sensitive data at-rest and in-transit using a classification label.

5. Deploy End-to-End Encryption

For communication, file sharing, video conferencing, and information exchanges you should use an end-to-end encryption (E2EE) solution. By storing the cryptographic keys on the endpoints, every bit of information remains encrypted and only those with the public and private keys can access the information. Certificate authorities (CA) may store the public key but only holders of the private key can decrypt the data if you use E2EE for all information exchanges.

Secure Your Data with E2EE from Wickr

As operational models now dictate that data should be accessible from any device and network, E2EE communications are essential in securing your data landscape. Wickr uses 256-bit E2EE for all communications between parties, including file sharing, voice and video calls, as well as instant messaging. Each file, message, or call receives a new random key that will take a trillion years to crack, making it one of the most secure information exchange systems available today.

For CISOs that want to implement the latest encryption best practices including E2EE, contact Wickr today.