Protecting critical data is more crucial now than it has ever been. The FBI received a record 791,790 cybercrime complaints in 2020, resulting in more than $4.1 billion in losses. Businesses must take steps to prevent data breaches, but determining how to do so isn’t always easy. Decision-makers will likely encounter many resources recommending encryption, but encryption comes in many forms. One of the most straightforward and seemingly secure is full disk encryption (FDE). But despite how it sounds, it’s often not as secure as people may think.
Like any type of encryption, FDE converts data into unreadable gibberish, rendering it virtually useless to hackers. FDE is a type of hard drive encryption, which applies this process to any information in a computer’s storage. If someone wants to access or read this data, they’ll need a password from whoever enacted the encryption, making it off-limits to unauthorized users.
Where FDE differs from other types of hard drive encryption is its scale. Instead of encrypting files on an individual level, it encodes the entire drive. Every file on a drive, as well as the operating system, will receive this treatment. Some forms of FDE will encrypt the master boot record, too, but most don’t.
While full disk encryption sounds reliable upfront, it can give users a false sense of security. Here are five of its most significant limitations.
The most substantial of FDE’s limits is that it only protects data at rest. In other words, it keeps users’ files on a given hard drive private, but not incoming or outgoing data. It won’t encrypt information from external drives, emails, or cloud storage.
In today’s workspaces, sensitive information rarely stays in one place. Teams communicate over email and cloud services routinely, and FDE won’t protect these data transfers that workers increasingly rely on. As such, FDE alone is insufficient to protect all data within a modern workplace.
Another shortcoming of full disk encryption is that it can hinder productivity. Any form of encryption can make it take longer to access data, as devices must decrypt a file to read it. This isn’t an issue most of the time, given the power of modern devices, but since FDE also encrypts the operating system, it can slow the system.
Slower speeds will make teams less productive, leading to frustration and, in turn, mistakes. Employees annoyed with the insufficient speed of their devices may pay less attention to any risks that emerge, making them vulnerable to other threats.
Unlike some other forms of encryption, FDE relies on user-created passwords to lock and unlock files. As such, FDE opens itself to password vulnerabilities. A weak password could let hackers unencrypt protected data with ease, rendering FDE virtually useless.
Strong password management can mitigate this issue, but most people don’t practice safe password habits. According to a 2019 Google study, 66% of American internet browsers use the same password across multiple accounts. Perhaps more troublingly, only 45% would change their password after a data breach.
Just as full disk encryption doesn’t encrypt data in transit, it doesn’t protect files currently in use, either. When an authorized user opens an FDE-encrypted file, they decrypt it, and it encrypts again once they log out. That means this data could be vulnerable while users are working with it.
Many programs and malware strains can give cybercriminals remote access to users’ devices. Remote threat actors could then wait for employees to open an encrypted file, viewing or stealing the data once it’s open and unencrypted. Similarly, if a cybercriminal stole or guessed a worker’s login credentials, they could access these files fairly easily.
FDE is vulnerable to user errors beyond poor password management, too. Businesses today rarely store data in a single location, but they may not apply the same level of encryption across all drives. If a company applies FDE to their primary storage but not their backups, it does little to protect that data.
After applying FDE to primary devices, companies may feel they’re secure, causing them to overlook backups and other security considerations. Consequently, they could be vulnerable without their knowledge, thanks to this false sense of security.
Full disk encryption is not inherently risky, but it’s not a comprehensive security measure, either. User error and failure to understand its limits can render data vulnerable despite encryption. Businesses must understand these risks to develop an appropriate data security plan.
No one solution is perfect in cybersecurity. Rather, companies must understand the strengths and weaknesses of each so they can use multiple strategies in tandem to create a secure environment. Only then can businesses feel secure about their data’s privacy.
Devin Partida is the Editor-in-Chief of ReHack.com. She covers topics related to cybersecurity, smart tech and big data.