6.4 quadrillion years! That’s the estimated time it would take to decrypt your data using current classical computers. With quantum computing on the horizon, we need to reevaluate data security and ask ourselves: Can encrypted data be hacked?
Encrypted data can be hacked or decrypted with enough time and computing resources, revealing the original content. Hackers prefer to steal encryption keys or intercept data before encryption or after decryption. The most common way to hack encrypted data is to add an encryption layer using an attacker’s key.
The best way to protect yourself is to stick to some crucial guidelines.
How To Stop Encrypted Data From Being Hacked or Stolen
Here are some guidelines for individuals.
#1 Only Use Your Own Devices
If you’re handling sensitive data, it needs to be on your personal computer or smartphone. Using someone else’s device, or worse a public computer, jeopardizes your data, whether encrypted or not.
#2 Keep Your System and Software Updated
It’s age-old advice, but it holds especially true when your handling data encryption.
Most software requires frequent fixes for bugs or errors in the code. Keeping your software and operating system updated ensures you receive patches for any bugs that might reveal decrypted data.
Operating systems and many installed software packages regularly check themselves for updates. But don’t rely on this 100% of the time. Schedule a day once a month to double-check your system is up to date.
#3 Check You’re HTTPS-Connected
Most people accessing a website expect that data exchanged between the user’s browser and the server is encrypted. Unfortunately, there is between 4 and 24% of sites that serve web content insecurely according to Google’s Transparency Report.
Google Chrome and other browser makers include a warning in the address bar when all or part of your communication is not encrypted. At a minimum, form the habit of looking for a lock icon and
https at the beginning of the address.
Alternatively, you can use the Electronic Frontier Foundation plug-in HTTPS Everywhere, which will attempt to change insecure connections to the encrypted HTTPS protocol.
#4 Know The Programs You’re Using For Encryption
We already discussed that browsers include code that encrypts your data before being sent to the internet. But there are times to add another layer of encryption to your internet connection by using a virtual private network (VPN). This additional piece of software installed on your device forces all communication to the internet is encrypted.
Your password manager is also encryption software. You entrust all of your passwords to one app, so carefully select one that fits your privacy requirements. For those who want a company with a customer support, check out our Recommended Tech page for the password managers we like.
Finally, you may want to encrypt specific files or folders of data. Software like Cryptomater or Veracrypt provides an additional layer of encryption for files synchronized to online storage or saved to your local device.
#5 Trust Yourself Not The Cloud
If you store data online, don’t depend on your cloud storage provider to secure your data. Encrypt your files before uploading them to the internet using one of the previous sections’ file encryption apps.
The same goes for securing email. While you can use encrypted email providers like Protonmail, email apps like PGP email automatically encrypt all emails before leaving your computer or mobile device.
#6 Handle Your Encryption Keys Properly
Hackers know that breaking modern encryption is mostly impossible. It’s more effective to capture encryption passwords or key files.
Securely store your decryption keys in a password manager, segregated offline storage, or even in an analog format like on paper.
Never share your keys or transmit them online.
#7 Remember What You’re Protecting
Ransomware is software that over-locks your encrypted files instead of trying to decrypt them. Hackers may not want access to your data. They just want to control it. By encrypting your already encrypted files with their keys, they’re preventing you from accessing them. Overlocking is similar to a self-storage company placing an additional lock on the storage units of non-payers.
#8 Use Full Drive Encryption On Your Device
Most computers and mobile phones have full disk encryption, which protects the device’s storage when it’s off.
While smartphones have this option enabled by default nowadays, you’ll need to enable this on desktop operating systems manually.
#9 Your Advanced Options
Serious users and use cases call advanced security operations and additional equipment.
Air-gapped computers that are not connected nor have the hardware to connect to the internet protect encrypted data thwarting online attacks. They also enforce compartmentalization by separating specific tasks on separate equipment.
A hardware security module (HSM) is another way to protect encryption keys by isolating key generation, management, and deletion from encryption processing.
Image of a Yubico YubiHSM.
For businesses, do all of the items for individuals plus…
#10 Run Penetration Testing Regularly
Contacting a security company to regularly perform penetration testing helps ensure your business procedures and data handling practices align with industry standards.
#11 Avoid Offering Intranet Wi-Fi
It’s easier to control virtual property like encrypted data when you control physical access to it. By avoiding wireless access to your internal network or intranet, you increase the difficulty of data breaches by requiring an attacker to be located within your office or physical space.
Establish a second, heavily-firewalled, or separate network to offer Wi-Fi internet access to employees and visitors.
#12 Physically Segment Networks
Physically separate your internal local area networks (LAN). Dedicate one for handling sensitive data (red net) and another LAN for day-to-day data processing (blue net).
Yes, this means having two sets of wires, routing equipment, and maintenance. Your red net is for collaborating over encrypted data should be much smaller and limited to a small number of employees. Additionally, there should be no internet subscription for the red net with external data transfer occurring across securely-handled USB drives between designated computers.
#13 Limit Encrypted Data to Select Equipment
A limited-access red net and connected red computers dedicated to handling sensitive encrypted data should be available to select staff.
Restrict login and physical access to the machines and wiring. Dedicating specific rooms and shielded ethernet wiring goes a long way to protecting confidential information.
#14 Limit Physical Access to Secure Network
Physically limiting employee access to a physically separate network of computers raises additional hurdles to attack. Add door entry tracking and two-factor, secured logins to a need-to-know staff that completed security training.
#15 Require Security and Policy Training
Mandating all employees take general cyber- and physical security training shortly after hiring establishes a baseline knowledge around secure data handling. Providing annual updates or expanded education to employees hardens the weakest link in data security: humans.
For staff that regularly come in contact with sensitive and encrypted data, require elevated training around security operations (SecOps). Upgraded access to your red net must hinge on these additional courses on an ongoing basis.
The data security company, Crypteron, published an in-depth post detailing enterprise-level encryption mistakes. It’s a good read.
These guidelines are not an exhaustive list, but implementing at least some of the above guidelines will keep your encrypted data safer.
So why is everyone using encryption in the first place?
Why Data Is Encrypted?
Data is encrypted to protect the information from unauthorized access. Encrypting data in static storage and during transmission protects privacy, ensures integrity, and validates the trustworthiness of the encoded material. Any content may be encrypted, making it incomprehensible.
It’s no secret (joke intended) that everyone has private information. Some of your data is less-sensitive. But conversely, other information like financial records and personally identifiable information (PII) lead to real-world harm if revealed to the public.
You can have data without information, but you cannot have information without data.Daniel Keys Moran, computer programmer & science fiction author
Keeping all of your information encrypted when at rest and stored on digital drives protects it if your device or digital media is lost or stolen. It’s even more important to encrypt data while in transit, being sent across the internet. Data in motion should have 2-3 layers of encryption to protect it.
Assuming we’ve sold you that you should encrypt your data, which types of data should be encrypted, and when is it okay to skip the additional step?
Is encryption safe?
Generally, encryption is safe. Data transmitted and stored with encryption is safer than when left unencrypted. The average user uses encryption automatically many times a day when using a web browser or mobile app. Manual file encryption is safe with responsible handling of the decryption keys.
Employing encryption manually does take a bit of knowledge, but with well-designed tools, the complexities are often automatically handled. In fact, users should consider using encryption on more than what they may realize.
What Data Should Be Encrypted?
All data should be encrypted. Even unimportant information can, in aggregate, unintentionally establish accurate facts. Provide special attention to encrypting personally identifiable information (PII) or any data that will harm people or businesses if revealed.
- All your internet traffic, especially within browsers, should be encrypted. Only uses sites that have a lock icon and have the “s” in the beginning part of the address
- All your text messages should be encrypted. Remember that regular SMS and MMS messages are not encrypted and worse. Refer to our article on secure text messaging.
- All your emails, mainly containing sensitive information and especially sent between email providers should be encrypted.
- All your files should be encrypted:
- when stored on your computer or online/cloud storage,
- when stored on your smartphone,
- when stored on backup drives.
- All your devices should have full hard drive or storage memory encryption turned on to protect the data when the device is powered off.
- All your company data should be encrypted, including but not limited to:
- customer data especially personally identifiable information (PII),
- database columns/values especially PII or financial records,
- connection information and configurations,
- files on network shares,
- backups for disaster recovery,
- server-to-server communication even within a company network,
- intellectual-property including R&D projects,
- financial and legal files,
- scans to PDF or image files,
- storage on and communications with IoT/smart devices
All encrypted data can be hacked. As we develop more powerful computers and higher-order mathematics, the spotlight gets more intense on the weakest link, the humans using the encryption. It’s essential to understand, develop, and use good information security practices in addition to worrying if encrypted data can be hacked.
Sadly, governments worldwide are attempting to ban and break encryption through state-sanctioned hacking or legislation like the United States’ EARN IT Bill.