Long before Darwin’s theories and his book Origin of the Species were released, humans realized that the key to survival was adaptation. When the environment changed, those who were able to change along with it survived; those who did not, perished. In today’s age of electronic communication, virtual meetings, cyber wallets, and cyberterrorism, the validity of that statement is acknowledged, along with the realization that companies need to be more vigilant in protecting their electronic environments. Companies in high-profile industries such as finance, aerospace, military, and others, including housing and mortgage servicing, need to be more aggressive, as the risks are generally higher when handling and storing confidential data.
Cryptography Has a Limited Lifecycle
Given the massive data breach Equifax experienced recently, implementing encryption algorithms (the process of transforming plain text into encrypted text to secure electronic data as it is transported over networks) based on the lowest-strength encryption that has not yet been exploited may not be the wisest course of action. It does not make sense to base security protocols on the lowest level of the Federal Information Processing Standards (FIPS). If companies are adopting new controls based on today’s industry encryption standards, they should have a valid reason for doing so and understand the implications of that decision. After all, the decision-making process can take considerable time: it involves research to evaluate the issue, requirements and design, RFPs, testing, implementation, and more. This can be a costly process, and companies should not spend all that time and those resources only to adopt algorithms that will be around for a short period. They should be implementing protocols that will not be deprecated for at least the next eight to 10 years. This is one of the reasons why certifying authorities such as Verisign, Thawte, and others limit the number of years for which users may purchase a website certificate. Major institutions may implement only certificates that expire in two years or less.