IT Briefcase Exclusive Interview: Decoding Encryption with Sophos’ Dan Schiappa

With rapid advancements in nearly every field of IT, few things in technology are constant from one day to the next. One area that isn’t changing, however, is the continuous presence of threats to business data. Despite the high level of awareness companies have in terms of the threats they face, news about data breaches comes far too frequently. In 2014, for example, more than 700 million records were exposed, according to the 2015 Verizon Data Breach Investigations Report. And while it’s often considered a problem for large enterprises, 53 percent of breaches occur in organizations with fewer than 1,000 users.

Data breaches may originate from an outside attack or simple human error, and because we average nearly three devices per person for work productivity, there are a lot of potential protection gaps as data moves between mobile and desktop endpoints, and through the cloud. To combat the risks of improperly secured data, encryption is an important layer that every company should consider using to bolster its security profile.

The recent State of Encryption Today survey produced by security firm Sophos sheds some light on today’s security landscape and how encryption is viewed and utilized by IT professionals. To get a handle on the topic and the results of the study, we contacted Dan Schiappa, senior vice president and general manager of Enduser Security Group at Sophos, and asked about some of the current topics being addressed by businesses today.

• Q: What kind of risks do companies face when it comes to data breaches and the associated consequences of a breach?

A: While the specific challenges vary greatly and are constantly changing with security vulnerabilities and regulations, there are four broad categories of data breach risks that companies need to consider:

1. Hacking. This is the most common threat when it comes to data breaches, with malicious groups actively trying to exploit the security weaknesses of companies to steal corporate data or employees’ personal information. Then they either sell the stolen information, or they use it to gain competitive advantage. With only 45 percent of companies encrypting their intellectual property, according to our survey, and 43 percent always encrypting employee human resource information, this is a real concern.

2. Unintentional disclosure. This is an especially painful type of data breach because it can be easily prevented. Believe it or not, employees accidentally emailing files to the wrong recipients or leaving laptops, devices or USB drives in busy airports are together the second largest cause of data breaches.

3. Regulatory compliance. In some cases, it doesn’t matter how data is exposed; there are increasingly tough regulations in place, such as HIPPA and the new General Data Protection Regulation (GDPR) for any company holding data on citizens in Europe. Failure to comply with these regulations can result in enormous penalties that could potentially bankrupt a business.

4. Cloud security. We found something interesting in our encryption study. While 84 percent of businesses expressed concern about their data being stored in the cloud, almost as many – 80 percent – still use it to store their data. The concern with public cloud storage in particular is that it combines the other risks mentioned above: The service may be prone to hacking, as protection is out of the direct control of the client. Users may procure their own cloud service without corporate approval, exposing data. And depending on where the data is actually stored, it can pose regulatory compliance issues.

• Q: What advantages does encryption have over other security solutions? What should organizations look for in an encryption solution?

A: While other security measures protect networks and specific services, which is important, the advantage of encryption is that it secures exactly what you need to protect the most – the information. Companies looking for effective encryption should opt for a solution that meets these requirements:

– Transparent and always on capability for peace of mind and ease of use

– Integration with other security tools for protection across desktop and mobile endpoints, as well as local and cloud-based storage. We found, for example, that only 29 percent of companies always encrypt smartphones, while 70 percent encrypt their servers

– The capability to automatically revoke keys when a security incident is happening and restore them when it’s over

– Compliance with the regulatory standards in a given industry, from HIPAA to PCI to GDPR

– While capabilities are the primary consideration, usability is key as well. Users won’t adopt a solution if it’s too complex. A solution like Sophos SafeGuard 8 addresses all of these concerns and changing the encryption game for widespread adoption.

• Q: What are the different approaches to encryption, and which do you recommend?

A: Some companies opt for full disk encryption, while others prefer a file-based approach. Full disk encryption, of course, secures the entire disk, keeping its content safe in the event the device is lost or stolen. This, however, doesn’t protect the files once the device is booted properly, so this is where you need file encryption. According to our research, file encryption is slightly more popular, with 37 percent of companies using it. File encryption, on the other hand, works with individual files and keeps them secure regardless of what devices send and receive them and wherever they are stored. A combination of both is really the best option for today’s companies, and on a positive note we found that 36 percent are practicing this more powerful approach.

• Q: What is stopping companies from using encryption?

A: We found that the number one reason is the cost, identified by 37 percent of our respondents. This shows unfortunate shortsightedness on the part of companies, considering initial cost outlay without taking into account the financial savings in the long run of fewer expensive breaches. We also found that some companies were concerned with a perception that it would impact performance, which is not a serious concern given today’s advanced tools. Finally, some companies reported a lack of knowledge regarding how to deploy encryption. That can be overcome simply, by using a product that is designed to make the complex simple and/or by bringing in a vendor and qualified channel partner for guidance.

• Q: Where should organizations start if they want to deploy encryption in their own business?

A: It’s really a matter of figuring out where you are and what your needs are. Since encryption is all about the data, you first need to ask yourself how that data moves around in your organization. You might send important files via email, USB drive or a cloud-based file storage service. Your employees may use desktops, laptops, smartphones, tablets or any combination of these devices.

Then you need to consider the apps and individuals with access to your data. Various utilities may increase productivity, but have other costs in terms of exposure to potential data breaches. Meanwhile, certain employees have access to different levels of confidential information depending on their position within the company, and it must be secured accordingly.

You must also learn what compliance regulations that may be applicable to you. You might be surprised by what you find.

Answering these questions will give you a place to start and help decide what approach is right for you. If your organization doesn’t have the manpower or expertise to tackle your encryption goals, find a reputable partner to help you achieve your goals of maintaining productivity and security.

Dan Schiappa, Senior Vice President and General Manager, Sophos Enduser Security Group

Dan Schiappa joined Sophos as general manager of the Sophos Enduser Security Group in 2013. He is responsible for the company’s broad portfolio of enduser security offerings, including endpoint, mobile, server protection, and encryption and data protection.

Most recently, he served as senior vice president and general manager of the Identity and Data Protection Group at RSA, The Security Division of EMC. At RSA, Schiappa managed a business unit with annual revenue over $500M, and he had responsibility for Authentication, Identity Management, Anti-Fraud, Encryption and Data Center Operations. Previously, he held several GM positions at Microsoft Corporation, including Windows security, Microsoft Passport/Live ID, and Mobile Services. He was the key business leader for Microsoft’s BitLocker and Rights Management services.

Prior to Microsoft, Dan was the CEO of Vingage Corporation, a video server provider acquired by L3 Mobilevision, and was an executive at PictureVision, an online digital imaging company acquired by Kodak. Dan also held senior technical roles at Informix Software and Oracle Corporation.