Guest Comment: What’s in a password?
Organisations are waking up to the need to apply better encryption techniques to their data, but better security can have a sting in the tail in the event of litigation or a regulatory request, writes John Shaw*, Director, Digital Forensics at Consilio.
The growing awareness of cyber security and data protection issues by companies is clearly a good thing. Companies and other organisations are introducing or improving on a range of security measures for their corporate data, most notably the increasing implementation of sophisticated data encryption for corporate documents.
Where in the past many critical documents and messages were stored and transmitted unencrypted, it is fast becoming the norm for companies to ensure that their critical data is fully secure as data breaches increasingly make the front pages and data protection rules get tougher. For many companies, however, there is one big potential pitfall created by this trend – getting access to their own documents in the event of litigation or a regulatory intervention. Speed and transparency are usually of the essence, and being able to easily access and review a company’s documents is of critical importance.
The irony is that while their data may be safer than ever, companies are becoming dangerously exposed to adverse court judgments, wasted costs orders and regulatory opprobrium due to their potential inability to access the evidence required to defend their positions. The encryption of key documents can slow this process down considerably or even prevent it entirely. This is particularly common where documents have been encrypted by their individual creators – often using the encryption functionality provided by Microsoft Office – and there is no simple way of finding out what the password is if that person is no longer with the company.
In these situations, e-disclosure experts can apply specialist decryption software to break the passwords by deploying a “brute force” attack, trying every possible password in turn. As algorithms designed to defend against these attacks become more common, this increasingly requires additional hardware firepower to complete the processing within an acceptable timescale. However, depending on password strength, document type and the encryption methodologies employed, this often achieves only partial success. Moreover, the outcomes from this process are becoming more uncertain over time as encryption algorithms become harder to crack and more secure passwords are insisted on.
So what can organisations do to keep their data safe and ensure that they are litigation-ready? As so often, it pays to be wise to these issues before the event.
Firstly, many of these problems can be averted by prohibiting individual staff from protecting their documents with personal passwords or using an encryption methodology that the company does not have access to. The biggest ‘culprit’ in this regard is Microsoft Office, but it is possible to set up Office to prevent the built-in encryption function from being applied. Instead, companies can deploy a separate encryption tool which can be made available across the corporate network. The crucial element here is that such systems will also have an administrative encryption key which enables the company to access these documents if required, regardless of the passwords attached to them by individual employees.
On a slightly separate but related issue, later versions of Microsoft Office also come with Information Rights Management tools to prevent the distribution, editing or copying of documents where required, which can prevent another bête noire of e-disclosure professionals, the proliferation of different versions of the same source document. Alternatively, some organisations may prefer to prevent any encryption of documents by staff, instead creating secure restricted areas of their networks where unencrypted documents may be stored and shared in safety while remaining easily available to the company in the event that they are needed as evidence.
When it comes to the crunch, the judiciary and regulators will want to see that reasonable efforts have been made to access key documents and, for now, will often accept that encryption may render some important documents inaccessible. However, as they become more aware of what constitutes good information governance in this regard, their patience is likely to wear thin, particularly if the company concerned is in a heavily regulated or litigious sector of the economy. When it comes to determining corporate encryption policies, prevention really is better than cure.
* John Shaw is Director of Forensics at Consilio with responsibility for the European Digital Forensics group. Prior to joining Consilio, John worked as an IT security consultant in the private sector and computer forensics investigator with the Sussex police.