Can a startup out of Boston convince the workforce to use data encryption software to safeguard information?
PreVeil, which as of early fall 2017 had approximately 1,000 users and upward of 40 companies trying out its beta version, believes it can -- by recognizing a stubborn fact about workers: Most of us can't be bothered about securing the reams of data we transmit digitally every day.
As Randy Battat, PreVeil's co-founder, president and CEO, pointed out, even in the face of massive data breaches, employees continue to flout basic security best practices, failing to safeguard passwords or change them frequently.
"One goal of PreVeil is to make encryption and data protection so easy that people use encryption for everyday things, as opposed to very specialized business applications," Battat said.
It's not only employee security practices that are not up to snuff. Software and hardware continue to have vulnerabilities that attackers continue to exploit, Battat added. And most IT organizations persist in deploying traditional defenses, such as firewalls and access controls, to combat the growing sophistication of bad actors. Even those companies using data encryption software usually aren't going far enough, he argued, because they use encryption only part of the time; for example, they encrypt sensitive data in transit, but not at rest.
Battat said PreVeil began with the assumption that any and all servers can be hacked, and IT security software needs to be easy to use. The result, he touted, is a new application for end-to-end encrypted emails, file sharing and storage that can withstand the inevitable attack, yet be easy to apply universally to sensitive data. (See sidebar for features.)
Use of data encryption software creeps up
How effortless must easy be to break down what, thus far, has been a resistance by businesses to use data encryption software?
Certainly, enterprise attention to cybersecurity and, consequently, the use of security tools is increasing. Technology research firm Gartner has predicted that worldwide spending on information security products and services will reach $86.4 billion in 2017, a 7% increase over 2016 spending, and will hit $93 billion in 2018.
And part of that upward trend is the use of encryption technology.
Open source community Mozilla earlier this year reported that the average volume of encrypted web traffic on its open source web browser Firefox moved over the 50% mark, surpassing the average unencrypted volume.
Meanwhile, the "2017 Global Encryption Trends Study" released in April found that 41% of the respondents said their company "has an encryption strategy that is applied consistently across the enterprise," up from 37% two years ago. Only 14% of respondents said their organization does not have an encryption strategy. The study, sponsored by Thales e-Security and independently conducted by Ponemon Institute, polled 4,802 individuals spanning 11 countries.
So does the prevalence -- if inconsistent application -- of data encryption strategies signal that widespread adoption of encryption technology is just around the bend?
One of the prime targets for hackers is administrators whose super user privileges allow valuable access when systems are breached, said Randy Battat, co-founder, president and CEO at PreVeil.
To mitigate this risk, the PreVeil tool uses stored keys -- a 77-digit number -- instead of passwords, and it doesn't put its decryption keys on the server where the encrypted data is stored. "The server can never ever see your data. And if the server can never see your data, that means someone who attacks the server can never see your data," Battat explained.
Furthermore, PreVeil's encryption software distributes actions across administrators to prevent a central point of attack; organizations using PreVeil need to establish approval groups instead -- one of their critical tasks being approval for requests for lost keys, Battat said.
All that happens in the background, while users are only required to essentially use a drop-down click to enable encryption, Battat said, adding that email recipients can easily add PreVeil technology to decrypt sent emails and shared files.
"It works within the way you're working," he said. "We need to make security easy to use. If you make users do backflips, they're not going to use it."
Use of encryption, daunting for many
No analysts are covering PreVeil yet, so cybersecurity and data encryption software experts said they were unable to speak specifically about its technology, whether its functions represented improvements over existing encryption products and whether PreVeil could successfully compete in an already robust market.
Garrett Bekker, principal analyst on the information security team at 451 Research, said most encryption vendors promise to make encryption easy, and they generally do have features that offer improvements over earlier generations of this technology.
"There are companies out there who have made claims that they've made it easier to use encryption, and they're valid. But it can still be a pain in the neck to use," he explained, saying that asking users to take even just one extra step can be too much. "It may seem trivial, but [many users see it as] inconvenient any time you have to ask someone to click on this or select this drop-down."
Bekker said other barriers remain to more widespread adoption.
"Generally, there are some forms of costs to doing encryptions -- either hard costs or soft costs, such as inconveniencing users, disrupting workflows or adding latency. And you can actually interfere with the functionality of applications," he said. Encryption software also can make searching stored data and archived data problematic.
"It's not to say those are problems that can't be solved, but it creates some challenges," Bekker said.
Moreover, he said encryption vendors have yet to help organizations get over one of their most vexing challenges: how to begin.
"Companies might have petabytes of data and tons of databases. They have data they don't even know about and unstructured data like Word files scattered all over the place. They don't know where to start," he said.
Some organizations start by running discovery scans to identify sensitive information that should be encrypted, Bekker explained, but even then most companies still view establishing a data encryption program as a daunting task.
Ron Culler, CTO of Secure Designs Inc., a managed internet security solutions firm in Greensboro, N.C., said he sees many companies that are reluctant to broadly use encryption technologies despite the wide availability of the technology. They'll use it for specific types of data or in certain areas of the business, but cost and complexity often keep companies from using it more extensively.
Culler said companies are also hesitant because it can be complicated to implement and cumbersome for the business to use. Many companies also don't have the skill sets on staff to implement and manage it, even though today's technology isn't as resource-intensive as it once was.
He also noted that it's possible for data encryption software to allow in malicious code, which won't be detected until it's unencrypted. "If you don't have visibility into what's being sent, when it executes, it's possible you could execute something malicious," he explained, saying it's a scenario that can deter more widespread use of the technology.
Plus, encryption generally won't stop rogue employees who deliberately leak data or careless employees who go around policies and thereby expose sensitive information, either, he said.
Considering all this, Culler said businesses are right to see encryption as "a solid piece of security policy," but one that needs to be considered as part of an enterprise-wide program that addresses where it's really needed based on cost, complexity and risk.
Battat acknowledged that PreVeil's technology is not a panacea. It will not prevent someone from accessing information on a lost or stolen device that's not protected by passwords, access controls and the like. And it doesn't prevent users from forgoing the use of its encryption technology. Still, the PreVeil team is convinced there is huge upside in encryption software that's easy to use.
"Of all the things that go on in business, very, very little is encrypted," Battat said. "Encryption ought to work with the way you work today, and so maybe -- if it was really easy -- we could go instead to the vast majority of what happens in business being encrypted." The company plans to release its commercial version during the fourth quarter.