• Français
  • English

Encryption at the time of widespread teleworking: some practical advice

At a time when uncertainty still predominates, both in terms of health in the face of a possible second wave, and in economic terms, organisations have at least one thing clear: teleworking is here to stay, either within them or at their service providers. In the first semester of 2020, 40% of the employed population teleworked, compared to… 3% in 2017!

On 26 May, we asked three specialists to share their experience and advice: Arnaud Martin, CISO of Caisse des Dépôts Group, Vanessa de Chambrun, Sales Manager France of PrimX, and Arnaud Laprévote, CEO of Lybero. Let’s have a look at their key messages.

Must we encrypt company data?

Yes. There is a clear consensus among our experts that with the lockdown, the most strategic information of the company, be it financial, commercial, or related to innovation or human resources, is being disseminated even more massively outside the company’s premises. For one simple reason: the data are stored and transmitted in an accessible way whenever they are not encrypted. You must thus always encrypt your data in the cloud, and the more sensitive the information is, the more you choose a regional, else national, cloud and encryption solution. This data encryption in the cloud is an important security issue at an organisation level, but it is overall an issue of strategic independence for Europe.

What should we encrypt?

Let’s be practical above everything! For Vanessa de Chambrun, knowing how to distinguish and classify sensitive data is far too difficult in real life. Encrypting all stored data is still the best thing to do. Arnaud Martin reckons that shared data, for example by email, is very difficult to encrypt, and users don’t accept to be blocked when using their email program. This risk must be accepted since it can’t be avoided. This doesn’t exclude a global vision on the types of sensitive data as defined by the GDPR, Arnaud Laprévote recalls. The European regulation helps to identify important data, from payroll to personnel files.

What was the lockdown’s impact?

In March, teleworking went from niche to mainstream. After the first period of massive digitisation of work, came the time of a better appreciation of the relative risks between attackers (perceived as the major risk), cloud hosting, system administrator and end users, Vanessa de Chambrun explains. As Arnaud Martin notes, executive committees have now become more aware after cases of information leaks that have been made public. Encryption has not been an issue per se during the coronavirus crisis, but its relevance has been reinforced. And Arnaud Laprévote to conclude: the system administrator, typically a millennial, is or must become the centre of attention of organisations.

Is the system administrator the forgotten victim in risk assessment?

Yes! Our experts are unanimous. It has been repeated over and over again that users are the company’s main risk. If they represent a danger, and a greater danger than the attacker, it is necessary to ‘closely follow’ the IT administrator. Does your system administrator have access to sensitive information? “This is wrong, they must be considered a threat,” Arnaud Laprévote emphasises. Arnaud Martin approves and insists: administrators must absolutely not have access to the content. If they don’t have a SECNUM training, they must be particularly supervised, and even closely monitored, by the SOC. The company must have a tough policy for the management of its service providers, with the decision to exclude staff if necessary. It is all the more important since the external IT manager is more the rule than the exception, Vanessa de Chambrun stresses, because 80% of administrators are external service providers. It is therefore crucial to compartmentalise the access to information in order to reduce this risk, which is largely underestimated.

By the way, how do you decrypt data?

Encrypting is the key, but so is knowing how to decrypt! For the latter, one needs technical capabilities, but also entitlement. The key question is: who can decrypt, or in other words, who has the right to access the protected information? This is where the idea of developing an internal data decryption policy becomes apparent. And since such policy affects both organisational and technical aspects, it provides the company with an opportunity to bring together its various departments, such as legal affairs, security, IT, and core activities. To ensure that information, whether encrypted or decrypted, is always protected.