Encryption Is Not THE Answer


In regard to Cybersecurity - which for now, we will define as "the practice of securing your electronic assets," encryption is only a piece of any over-arching solution or defense strategy. Government, business, and personal, encryption is [a part of] the answer to some attack vectors but certainly not all of them. The attack vectors in which encryption are a part of the solution are:

MITM/Snooping (Man-in-the-middle attacks, AKA The Starbucks/Airport/Public WiFi favorite), Physical Access/Theft, and Memory Access/Dumping.  These specific attack vectors (and all others) are defended best by a layered approach. Part of the layering of these specific attack vectors includes encryption. Encryption in transit (VPN), encryption at rest (Disk Drive Encryption - Example: BitLocker), and encryption in use (Random Access Memory [RAM] Address Encryption).

For hackers, Phishing, Ransomware, and Social Engineering Campaigns are so effective and lucrative because most businesses give every employee the cyber equivalent of a Master Key

As attack vectors focus more on people and social engineering, encryption at different levels may not make much a difference to some attack vectors, which are the most common attack vectors of today.  Protection against this specific attack vector would incorporate not necessarily encryption as the chief layer of the defense, but restricting users to the absolute minimum security and access levels to perform their job function.  Unfortunately, social engineering and ransomware campaigns are so effective and lucrative because most businesses give every employee the cyber equivalent of a "Master Key" when they:

  1. Don't need it (Your intern doesn't need access to HR and Accounting records, but I bet they have it)
  2. Often lose it (password compromised)
  3. Hackers duplicate the master key (once they have your password, they effectively went to the hardware store and made several copies of your master key, thus perpetuating their access to all assets of their victim).

Encryption does not defend against these most common attack vectors of today. Having said that, encryption should NOT be cast aside as unnecessary, as with out it, all attack vectors become far more effective/lucrative for hackers, and make you a plush, very soft target. Don't be a kitten. Adopt the defenses of a Lion.

In closing, encryption is ONE layer of effectively defending against CERTAIN attack vectors, which in the scope of a 360 degree attack surface, may assist in defending about 30% of it. Do not covet it as the end-all-be-all of cyber security. And do not neglect it.

Subscribe to our newsletter