What do business executives need to know about encryption key management best practices? As it turns out, CEOs don’t need to know every tiny detail about encryption and the tools used to protect encryption keys, but they do need to know enough to protect their business and mitigate major risks.
Just like financial and legal best practices that business executives are tuned in to and monitor weekly, if not daily, business leaders need to have a heightened awareness of how their IT departments are handling both their own and their customers’ sensitive data. Sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII) such as names, addresses, email addresses, and passwords needs to be protected as mandated by industry regulations and many state laws. Unencrypted data or encrypted data with poorly protected encryption keys is a ticking time bomb that could lead to a major data breach.
I recently sat down with Patrick Townsend, Founder and CEO, to discuss the critical security risks executives face, how to start a conversation on data security with your IT team, and the encryption and key management best practices that will save your company from a data breach.
Patrick Townsend explains the importance of protecting encryption keys:
“Executives need to know that A.) they might not be encrypting the data that they need to, and B.) if they are encrypting that data, they might not be protecting their encryption keys, which are the core secret that have to be protected the right way. When you leave the house in the morning and you lock your door, you don’t tape the key right next to the lock. Your house key would be easy to find when you come home, but we all know that’s a bad practice. In a similar way, a lot of organizations are not implementing best practices around protecting encryption keys and are putting their business at risk.”
The major risks associated with unencrypted or poorly encrypted data are these:
How does an organization properly encrypt their sensitive data? They need to follow best practices such as deploying AES encryption and NIST FIPS 140-2 compliant key management, as well as important practices such as separation of duties, split knowledge, and dual control.
Encryption key management best practices will:
To learn more about the business risks of data security, download our free eBook "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs" and learn about the business risks associated with unprotected sensitive data, tools and resources to begin the discussion about data security in your company, and actionable steps you can take today.