Throughout history, men and women from all walks of life have recorded their incredible exploits in one way or another. From cave walls to the printing press, our methods of transcribing our stories continue to evolve. Unfortunately, while we now have one of the ultimate tools with which to record data (the humble workplace computer), our data protection practices are a far cry from "ultimate".
Today's men and women will record a very different kind of exploit, one which enables fraud and theft. This exploit in particular looks like a brightly-coloured square piece of paper stuck onto a computer monitor or cubicle wall, with a message like "Sage password = PasswordSage123". Further evolutions of this worrying data security practice include: emailing passwords in plaintext, relaying passwords over the phone, sending sensitive information through channels that could be viewed by others, or a whole heap more.
Perhaps a thought exercise on your next coffee break could be imagining all the data held about yourself that you'd prefer others not see. Bonus points for coming up with something more sensitive than a national insurance number (I've seen this happen).
None of this is to say that we are now vulnerable to fraud because our personal data is sitting around somewhere unsafe. For the most part, your data will be safe because it will be encrypted. Encryption scrambles data into something unreadable, and it can only be unscrambled by an intended recipient. Because of this, sensitive data kept in storage will typically be encrypted and is therefore unreadable.
An authorised user on a system will be able to read this data because they will be logged into an account that permits them to view the data in an unencrypted form. This is all well and good, but the problem arises from users unknowingly circumventing this entire process.
Consider this fictional scenario: you require a new user account to access a resource, and ask your MSP (managed service provider) to make this account for you. They create the account and log the credentials in their vault (which is encrypted).
So far everything is running smoothly, but where it all falls apart is when the MSP emails you the credentials for this account in plaintext (unencrypted text). Now these credentials can be seen at any time by whoever is logged onto your account, by the user who sent them, and by potential bad actors lying in wait to intercept an honest mistake like this one.
While the problem is that the MSP sent these credentials in an unencrypted form, this scenario could happen in real life because the user was simply unaware of the security risk this poses. With encryption ensuring the confidentiality and integrity of a piece of data, placing this data into a semi-permanent place (an e-mailbox) now means the integrity of this data is compromised because a second copy exists that is readable by any user who may see it.
And now we're back to the sticky note stuck on the computer monitor, though now it is a virtual sticky note stuck on your email account. It is plain to see, and could easily be picked up or read by someone who realises it exists.
Despite similar scenarios occurring all the time, there is hope. Emails can indeed be encrypted, and data integrity can be maintained. One method of achieving this would be using Mimecast's Secure Messaging Service for Email. It provides server-to-server encryption of email files and can be easily integrated into Microsoft Outlook. With secure messaging being either user-initiated or policy-driven, messages can be secured as and when needed, or enabled all the time, or for specific uses.
With Nitec having been partnered with Mimecast since 2014, we're making good use of this service. So before you go making a new sticky note collage about your last 13 passwords, make sure they're encrypted (plus, X6$mke9;Qf3 is a lot more difficult to remember than OfficePw1990). To hear more about Mimecast's Secure Messaging Service, contact your Nitec account manager.