It’s common these days for morality and practicality to collide when debates rage over the speed and direction of technological evolution.
From artificial intelligence to social media, the biggest developments always have their backers and detractors. Some push the narrative of technology enhancing our working lives, how we learn and communicate. Others question the impact on wider society, on issues of privacy, truth and trust.
One of the tech advances to pose a huge moral conundrum for society has been end-to-end encryption (E2EE).
It’s the technology utilised by messaging apps such as WhatsApp where the sender’s information is encrypted on their device or system and can only be decrypted by the receiver, preventing a third party accessing the data as it makes its journey between the two.
Backers say this has been a huge boon to privacy and data security. But detractors have warned of the dangers of this tech being used by nefarious types, putting their messages outside the reach of law enforcement and security services. It’s a debate that will continue to rage.
But one sphere where end-to-end encryption has no ambiguity is cyber security, and the vital role it plays for businesses - especially small and medium-sized enterprises.
There are simply no negatives to using this type of technology to secure a company’s data at both ends. No moral quandaries, no debates about privacy. It is quite simply one of the best ways for a company to protect itself against cyber threats.
So how does it work in a cyber security context?
E2EE - also known as asymmetric encryption or public key cryptography - uses cryptographic keys which encrypt and decrypt data at either end of its journey. The method involves using a public key and a private key. The public key is generated and shared, and anyone who has access to it can encrypt a message and send it. But the message can only be decrypted using the corresponding private key, also known as the decryption key. The keys are generated as a pair and sent together.
E2EE provides a vital line of defence against man-in-the-middle (MITM) attacks, where cyber attackers insert themselves between two points in the system to steal or change data.
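The public/private key flow and the in-transit tamper protection described above, as an added Node.js example that is not from the original article or any product it names. It assumes a hybrid construction (a one-time X25519 key exchange feeding AES-256-GCM); the function names, the HKDF label and the sample message are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Recipient creates the key pair on their own device; only publicKey is handed out.
const newRecipientKeys = () => nodeCrypto.generateKeyPairSync('x25519');

// Both ends derive the same AES-256 key from an X25519 shared secret.
function deriveKey(privateKey, publicKey) {
  const secret = nodeCrypto.diffieHellman({ privateKey, publicKey });
  // 'e2ee-example' is an assumed context label, not a standard value.
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-example', 32));
}

// Sender: encrypt for whoever holds the private key matching recipientPublicKey.
function seal(recipientPublicKey, plaintext) {
  const eph = nodeCrypto.generateKeyPairSync('x25519'); // one-time sender key
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, recipientPublicKey);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const ephemeralPublicKey = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephemeralPublicKey, iv, ciphertext, tag: c.getAuthTag() };
}

// Recipient: decrypt; throws if the envelope was altered or the key is wrong.
function open(recipientPrivateKey, env) {
  const ephPub = nodeCrypto.createPublicKey({ key: env.ephemeralPublicKey, type: 'spki', format: 'der' });
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(recipientPrivateKey, ephPub), env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ciphertext), d.final()]).toString('utf8');
}

// True when opening fails, i.e. the recipient rejects the envelope.
function rejects(privateKey, env) {
  try { open(privateKey, env); return false; } catch { return true; }
}

// Constructed scenario: the envelope crosses a relay that neither end trusts.
function demo() {
  const message = 'Invoice 1042: pay GBP 5,000 to account ending 7781'; // constructed sample
  const recipient = newRecipientKeys();
  const env = seal(recipient.publicKey, message);
  const altered = { ...env, ciphertext: Buffer.from(env.ciphertext) };
  altered.ciphertext[0] ^= 0x01; // a single bit changed in transit
  return {
    roundTrip: open(recipient.privateKey, env) === message,
    relaySeesPlaintext: env.ciphertext.includes(Buffer.from('Invoice')),
    tamperRejected: rejects(recipient.privateKey, altered),
    wrongKeyRejected: rejects(newRecipientKeys().privateKey, env),
  };
}
console.log(demo());
```

The envelope is the only thing a relay or mail server handles, so the check that matters operationally is where `recipient.privateKey` lives and who can read it.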
Not only does E2EE protect the company, it also protects the privacy and sanctity of customer data, which - if exposed - can lead to serious reputational damage for the firm and punishments from regulatory authorities, for transgressions such as breaching the EU’s GDPR regulations.
E2EE also helps protect staff from phishing and whaling attacks - social engineering scams where individuals are tricked into granting access to data. Because staff do not have access to the encryption and decryption keys (the way they would, say, passwords), they cannot provide an unwitting entry point into the system.
This type of encryption is particularly vital when it comes to sending and receiving emails, which themselves present the biggest threat to smaller companies in relation to phishing scams. Indeed, upwards of 90% of sensitive data about a company, its employees and customers is found in emails. Encrypting those emails is therefore an absolutely vital form of defence.
This type of asymmetric encryption has benefits over other types of cyber security measures which use symmetric encryption, such as simple passwords, because that information can be stored on a company system and can be stolen by social engineers or hackers.
Implementing E2EE may seem a daunting concept to grasp but the benefits are incalculable. E2EE can be found on some built-in software but is also available through third party software which can be easily installed on company computers and other devices. This type of software can easily provide end-to-end encryption for data such as emails in a way that’s easily accessible for small to medium companies, which themselves may not have large IT departments and budgets.
But it should also be noted that not all E2EE is created equal.
The most common form - where public and private keys are generated together, and where the public key is stored on a system - is still vulnerable. If that private key is accessed by a hacker on a compromised server, all of the users who have received public keys become vulnerable and could have the corresponding information exposed. A solution to this is to use software which generates crypto keys locally on demand. Technology such as EB control enables the original data owner to retain control of who, when, where and how their data can be accessed.
It’s clear that with the rise of remote working presenting a larger attack surface for bad actors, secure end-to-end encryption is a more vital tool than ever. It enables companies of all sizes to better ensure their own data and that of their employees and customers is not compromised. It lessens the likelihood of man-in-the-middle attacks and provides a vital added layer of defence. But this type of defence is contingent on the security of the keys themselves, with distributed ledger technology helping to add a further layer of protection to ensure those keys are not compromised.