
The debate about encryption has shifted back to the realm of law enforcement in the wake of last week’s attack in Paris. Though the attackers’ use of encryption is still being evaluated, public officials and law enforcement agencies have expressed renewed concerns about private communication applications.

It’s easy to understand why policy makers and the police believe encryption hampers their work. While PGP and proper encryption can be a kludgy process, new applications like Telegram, Wickr, and Cyber Dust make discreet messaging and encryption accessible to a market of mobile consumers and criminals.

However, encryption is also a critical tool for business. Though the debate about encryption can be confusing, a recent report by ZDNet found that encryption is now used by one in three small and mid-size businesses, and that security now consumes nearly 15% of IT budgets.

I asked two security experts the key factors to consider when determining an encryption policy for your organization.

Why should the business be concerned with encryption?

John Gunn, vice president at VASCO Data Security: “This is akin to asking why you should care about locks on your doors. Not everybody who wants access to your information has good intentions.”

Travis Smith, security analyst at cyber threat protection firm Tripwire: “From a public standpoint, privacy is the main concern in the fight over encryption. In America, we enjoy many freedoms, including freedom of speech, but in more oppressive regions of the world free speech is not available. If we cripple encryption mechanisms (e.g., manufacturers providing the government ‘keys’ to access information), we would live in a world where there are no secrets and effectively no privacy.”

What should you look for in good, secure communication tools?

Gunn: “First and foremost, [tools] have to be easy to use for both the sender and the recipient, or they just aren’t practical for everyday use by the average consumer.”

Smith: “The first component I look for in any tool housing sensitive information is end-to-end encryption. This simply means that the data is encrypted on the sender’s device, and decrypted on the receiver’s device. This approach significantly reduces the likelihood that any party between the sender and receiver can read the communications. The second critical feature of encrypted tools is the use of up-to-date encryption standards, such as AES-256. Using an encryption mechanism with known vulnerabilities is almost as bad as no encryption at all.”
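Smith’s definition of end-to-end encryption, worked through as an added example (this is not code from the article, Tripwire, or VASCO): AES-256-GCM in Go, with Seal running on the sender’s device, Open on the recipient’s, and a relay in the middle that only ever handles ciphertext. DemoKey is a constructed placeholder for a key the two devices already share; a real product would derive it with a key exchange.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// Envelope is all a relay server ever handles: a nonce and ciphertext, no key.
type Envelope struct{ Nonce, Ciphertext []byte }

// DemoKey is a constructed stand-in for a key both devices agreed on out of
// band; a real app derives it with a key exchange, never from a fixed label.
func DemoKey(label string) []byte {
	k := sha256.Sum256([]byte(label))
	return k[:] // a 32-byte key selects AES-256
}

// NewAEAD builds AES-256-GCM, which gives secrecy and tamper detection together.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device: the plaintext is encrypted before it leaves.
func Seal(gcm cipher.AEAD, plaintext []byte) (Envelope, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs on the recipient's device; it returns an error for a wrong key or
// for a ciphertext the relay altered, rather than silently yielding garbage.
func Open(gcm cipher.AEAD, env Envelope) ([]byte, error) {
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RelaySees models the server in the middle: it can scan what it stores and
// forwards, but with no key the plaintext never appears in the envelope.
func RelaySees(env Envelope, probe []byte) bool {
	return bytes.Contains(env.Ciphertext, probe)
}
```

The point to take from running it is the failure modes: a relay probing its own store finds nothing, and a wrong key or a flipped byte makes Open return an error instead of plaintext.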

Both Gunn and Smith advised that, with major messaging apps in particular, you should read the documentation and fine print. Double check that the apps do not leave data caches stored locally or in the cloud. Verify that your private data won’t be used for marketing purposes.

For example, apps like Snapchat and Skype work fine for conventional communication. Both, however, have several well-documented security holes.

What are the warning signs of poorly encrypted apps?

Gunn: “The average user has absolutely no means to measure the effectiveness of an encryption application.”

Smith: “The red flags of poorly encrypted apps are usually the lack of a privacy policy, no mention of security in the privacy policy if it exists, and no visibility into the encryption and security measures implemented by the app or service. Although a lack of these isn’t a definite indicator of the tool’s security, it is a warning sign that the company doesn’t care about the security or privacy of your data.”

What is a sensible personal policy for privacy?

Gunn: “The answer is a moving target influenced by two factors – the prevailing level of fear at that moment in time, and how much people trust their government to act responsibly with unconstrained access to all of their communications.”

Smith: “Transparency is key for consumer encryption. My recommendation for consumer-based services utilizing encryption is to have a clear and concise privacy policy that states exactly what you do with customer data, who it’s shared with, and how it can be accessed by authorities. Vendors can go one step further by being transparent about how data is secured. You don’t want to give away all the secrets of internal security measures, but stating how data is encrypted is an easy way to ease consumer concerns over data security. Consumers are more aware of the many ways their data can be misused by organizations and governments and this awareness is starting to trickle over into behavior. Data is the new currency in the digital world, but unfortunately for unwary consumers, security/privacy investments consistently lag behind functionality and pricing concerns for most consumer devices.”

Learn More:

Security experts: Every business should have a security and encryption policy