6 October 2023

Encryption
Data Privacy: Why do you need encryption?

Encryption in cyber security refers to converting data from a readable format into an encoded format. It is applied when data is transmitted between systems: the data can only be read and processed after it has been decrypted. Encryption has become essential for organisations because it allows data to be processed securely while preventing malicious actors from accessing confidential information.

Everyone uses encryption every day: whether you are messaging on WhatsApp, shopping online, or simply reading this article over a secure HTTPS connection, it is a key component of our lives. For an individual using a messaging app such as WhatsApp, end-to-end encryption is built into the application to encrypt messages, photos, videos and voice notes. By encrypting the data, Meta assures its users that their data is strictly confidential and that, in the event of a breach, it cannot be read if accessed by a threat actor.

Inside an organisation, encryption forms part of services used on a daily basis, such as VPN connections, card payment services, password protection services, end-to-end encrypted network connections, encrypted access to servers, computers and cloud services, and even Microsoft services. In those cases encryption runs in the background to secure traffic and communication between users and the required service. For example, an email sent by one user travels over a secure, encrypted transmission before the receiver opens it. By applying encryption to their services, providers reduce the risk of data being masked or manipulated by an advanced persistent threat.

A threat actor targeting systems will do anything to get inside an organisation’s systems; if successful, they will scour the network looking for plaintext communications between systems and servers. If encryption is applied within the systems, the Advanced Persistent Threat (APT) can only see encrypted traffic, which makes it harder for the APT to inject malware and cripple the organisation’s data. In the past, APTs have accessed information and conducted ransomware attacks by encrypting files and systems while denying users the ability to perform their daily activities. To reduce the risk of an APT accessing an organisation’s infrastructure and systems, organisations should:

  1. Train members of staff to use encrypted password managers. This reduces the risk of a user writing usernames and passwords on notepads or saving them on a shared drive.
  2. Test that controls are in place by enforcing that password managers are used by everyone working within the organisation.
  3. Implement strong encryption between systems to protect traffic between servers and users, for example by securing network communication between systems to prevent packet sniffing.
  4. Patch any vulnerabilities in software and hardware that use encryption, and check regularly for updates.

The UK GDPR requires organisations to process data securely; with that in mind, organisations are recommended to have policies that outline how encryption should be implemented and maintained, and to show that staff are aware of encryption. The Information Commissioner’s Office (ICO) recommends that encryption should meet certain standards when transmitting personal data. PCI DSS, meanwhile, encourages organisations to take adequate precautions to protect cardholder data. Some of the advice provided is: build secure networks; run a vulnerability management programme; implement strong access controls; monitor and test networks; and maintain an information security policy.
How can Turnkey help organisations with encryption?

Understand business processes requiring encryption

Understand the areas of the business where encryption is being used and verify whether the traffic is secure, for example card machines, interconnected devices and cloud connections. This cryptographic protocol exercise can help organisations check their level of compliance when reporting against regulations such as GDPR and PCI DSS. It can also help auditors identify gaps within the infrastructure, as well as demonstrate that encryption has been implemented safely.
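The "verify whether the traffic is secure" step above, and the earlier recommendation to implement strong encryption between systems, can be turned into a repeatable check. The following Python script is an added example, not Turnkey's code or tooling: it records the protocol version, cipher suite and certificate result of a TLS session and evaluates each observation against an assumed minimum policy (TLS 1.2 or higher, no legacy cipher suites, a certificate that validates). The policy thresholds, the `TlsObservation` record, the `probe`, `evaluate` and `audit` functions and the sample endpoints are all assumptions constructed for illustration.

```python
"""Audit observed TLS sessions against a simple encryption policy.

Added example, not Turnkey's code. The policy thresholds, the
TlsObservation record and the sample observations are assumptions
constructed for illustration.
"""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass

# Assumed policy: TLS 1.2 is the minimum acceptable protocol version.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                 "TLSv1.2": 4, "TLSv1.3": 5}
MIN_PROTOCOL = "TLSv1.2"

# Substrings that identify cipher suites this (assumed) policy rejects:
# RC4, 3DES/DES, NULL and export-grade encryption, MD5 MACs, anonymous DH.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


@dataclass
class TlsObservation:
    """What a single probe of a server endpoint reported."""
    endpoint: str        # "host:port", used only for reporting
    protocol: str        # negotiated version, e.g. "TLSv1.3"
    cipher: str          # negotiated suite, e.g. "TLS_AES_256_GCM_SHA384"
    cert_verified: bool  # chain validated against trusted CAs and hostname matched


def evaluate(obs: TlsObservation) -> list[str]:
    """Return the policy findings for one observation (empty list = compliant)."""
    findings: list[str] = []
    rank = PROTOCOL_RANK.get(obs.protocol)
    if rank is None:
        findings.append(f"unknown protocol '{obs.protocol}'")
    elif rank < PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append(f"protocol {obs.protocol} is below the {MIN_PROTOCOL} minimum")
    upper = obs.cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(f"weak cipher suite {obs.cipher} ({marker})")
            break
    if not obs.cert_verified:
        findings.append("certificate did not validate; traffic is open to interception")
    return findings


def audit(observations: list[TlsObservation]) -> dict[str, list[str]]:
    """Map every non-compliant endpoint to its findings; compliant ones are omitted."""
    report: dict[str, list[str]] = {}
    for obs in observations:
        findings = evaluate(obs)
        if findings:
            report[obs.endpoint] = findings
    return report


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Live probe of one endpoint with the standard library (needs network access).

    A default context verifies the certificate chain and hostname. If that
    fails, reconnect without verification so the negotiated protocol and
    cipher are still recorded, and flag the certificate failure.
    """
    endpoint = f"{host}:{port}"
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return TlsObservation(endpoint, tls.version(), tls.cipher()[0], True)
    except ssl.SSLCertVerificationError:
        pass
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return TlsObservation(endpoint, tls.version(), tls.cipher()[0], False)


# Constructed sample observations (hypothetical hosts), as a probe run might return them.
SAMPLE_OBSERVATIONS = [
    TlsObservation("payments.example.internal:443", "TLSv1.3", "TLS_AES_256_GCM_SHA384", True),
    TlsObservation("card-terminal-07.example.internal:8443", "TLSv1", "RC4-SHA", False),
    TlsObservation("erp-rfc-gw.example.internal:3300", "TLSv1.2", "ECDHE-RSA-DES-CBC3-SHA", True),
]

if __name__ == "__main__":
    for endpoint, findings in audit(SAMPLE_OBSERVATIONS).items():
        print(endpoint)
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports only the constructed sample data; to assess a real endpoint, feed `probe(host, port)` results into `audit`. The two-pass probe matters for an audit: a failed certificate check is itself a finding, not a reason to drop the endpoint from the report, because an unvalidated connection is exactly the kind of traffic an attacker positioned on the network could intercept.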

Encryption between SAP systems

As SAP security experts, Turnkey can help verify the encryption configuration between SAP systems end to end by checking the Remote Function Call (RFC) connections. From this analysis, the connections between systems can be reviewed for any misconfiguration. In addition, by conducting red teaming exercises, we help organisations understand the amount of data that could be exposed to an APT should there be an attack. By outlining the gaps, we help organisations narrow down the risks of a data breach.