Andrea Pfundmeier, CEO of Boxcryptor: file encryption can save companies money and reputation
Encryption has not yet become a routine practice for businesses worldwide, with many failing to recognize how crucial it is for data protection. With ransomware on the rise, it’s as important as ever to understand what encryption is and why companies should opt for it. We reached out to Andrea Pfundmeier, CEO and Founder of Boxcryptor, to discuss how encryption can save organizations both money and reputation.
According to HayesConnor’s Data Breach Statistics, in 2020 two in three UK companies failed to employ both password protection and encryption security policies. A different report by PurpleSec suggests a similar trend in the US, where only 22% of small businesses encrypted their databases, while bigger organizations, like healthcare providers, relied on the public cloud to store patient data in a non-encrypted way. All of this becomes a major point of concern, as ransomware surged 93% over the past half year.
Boxcryptor provides a solution: it offers end-to-end encryption for your cloud data, suitable for businesses, freelancers, and those who prefer to store personal information in the cloud. Its CEO, Andrea Pfundmeier, shared with CyberNews why file encryption is essential, what consequences companies can face for failing to encrypt their data, and what position Boxcryptor has taken in providing customers with secure encryption software.
Boxcryptor has been successfully in business for about ten years now. Could you tell us a little more about how this idea of encryption software for cloud services came to life?
Robert Freudenreich, who founded Secomba GmbH with me, and I initially had a totally different idea and were just sitting down to work out the business model. That’s when a major challenge occurred: We wanted to keep data stored in a cloud to work together on files without anyone unauthorized being able to access them. That's how the idea for Boxcryptor came up. Robert then developed software that encrypts data before you upload it to cloud storage.
We made the software available online for free and received a lot of positive feedback right from the start. So, we recognized the need for data encryption in clouds and started to develop Boxcryptor further. By now, the encryption software is compatible with over 30 cloud providers, as well as Microsoft Teams. Furthermore, individuals and organizations use Boxcryptor to encrypt their files stored on NAS, file servers, or external devices.
You mention the zero-knowledge principle quite a lot. Can you tell us more about this approach?
Zero-knowledge means that even the company providing you with this zero-knowledge cloud storage or encryption solution is not able to access your data. With Boxcryptor, for example, your password is hashed before it is sent. This means we have no information that would allow us to find out your password. With the zero-knowledge standard, we identify you and verify your credentials when you log in without ever knowing your password. This is the safest method of authentication and subsequent key transfer.
Private and sensitive information will always be encrypted, protected by the user’s password – which we do not know. Passwords and private keys never leave the users’ devices and are never transferred anywhere or to anyone. User keys, group keys, and company keys are stored on the Boxcryptor server, but always only in the encrypted form.
What are the risks one can encounter when sharing data that hasn’t been encrypted?
Hackers who successfully attack your cloud storage are able to see your data in plain text if you or the cloud provider failed to encrypt it. In the worst case, they use this data against you. Especially for large companies, this can lead to serious problems. In 2019, according to the EY Global Information Security Survey 2020, U.S. firms lost 654 billion US dollars through cyberattacks. 60% of global companies state that they were affected by a significant cyberattack. The number of cyberattacks has even increased since the beginning of the COVID-19 pandemic. That makes it even more important to encrypt your data. So, even if it gets stolen, nobody is able to access your information.
Moreover, cloud providers who do not follow the zero-knowledge policy can see your documents and photos if your data is not encrypted. In some countries, the government or intelligence agencies might force the cloud storage provider to share their customers’ data.
With more enterprises moving their workload to the cloud, why do you think people are still hesitant when it comes to file encryption?
I am afraid that many people don't know what encryption means or think it is quite difficult to implement. You don't necessarily come across the term and the process in normal everyday life. That means you first have to find out how file encryption works and how you can incorporate it into company processes.
Many people don't know how easy it is and that – if you choose a suitable solution – encryption runs completely in the background, and users don't have to change their workflow. That makes it even more important to educate people about it because it can help them deal with their confidential data more securely and consciously.
What other security solutions besides file encryption became necessary because of the pandemic?
Security was an important issue even before the pandemic. However, while communication before the pandemic primarily took place in the corporate offices of some companies, employees now often work together from a wide variety of locations. This makes security tools that ensure that communication and collaboration are secure regardless of the location critical. Numerous companies have had to – and still have to – make improvements in this area.
One example is VPNs. VPNs have become very important for keeping network traffic from being observable. A VPN allows users to create a secure connection to another network over the open Internet, reducing the risk of security breaches and cyberattacks.
Boxcryptor uses private, public, and master keys to encrypt data. Could you explain the main differences between them?
Every user has his own pair of RSA keys – a private and a public key – to encrypt files.
The difference between private and public keys is that the public key doesn’t contain any sensitive information and, as these are public, does not need to be kept confidential. That’s why we store them in plaintext on the Boxcryptor server. Private keys, on the contrary, are generated locally on the user's side and are never transmitted to us. In order to make the encryption possible, private keys are encrypted with the users’ passwords. Private and public keys are important if you want to share encrypted files with others: you encrypt the files with the public key, and only the owner of the matching private key can decrypt the files.
Due to Boxcryptor’s zero-knowledge nature, you lose access to your files if you forget or lose your password. Therefore, our users should always remember their passwords. Without the password, it is not possible to decrypt a user’s private key, and thus it is not possible to decrypt any files.
That’s when the master key is needed: If a company has enabled the Master Key feature, it can make use of the password reset feature. The Master Key feature gives a company administrator the power to decrypt the private keys of all users who belong to the specific company. This also allows the company to set a new user password by simply re-encrypting the user’s private key with a new password.
What are the advantages and disadvantages of encrypting folder names and filenames?
File and folder name encryption effectively prevents outsiders from analyzing your data and folder structures. Imagine a file named “M&A_contract_CompanyAandCompanyB”. Nobody would actually need to access the file to know what it is about. When the filenames are encrypted, only metadata such as the modification date and file size remain unencrypted.
However, this has a certain impact on the speed of the application and leads to an increased effort for the correct configuration. So, our users can choose for every file or folder if they need the additional security of filename encryption.
Is data encryption more relevant for individual users or enterprises? Which customer category is more common?
I would say it's hugely relevant for both private users and enterprises. Individual users usually share very private data in the cloud, like family photos with different people in them, including children. You wouldn't want pictures like that to get into the hands of strangers. Appointments or sensitive documents related to health or your personal ID documents are also readily shared in the cloud.
On the other hand, companies usually share data in the cloud that is important to the company process. In the case of data theft, a company can suffer enormous financial losses. Companies and organizations that process the personal data of EU citizens must also comply with the strict provisions of the GDPR. Encryption is a technical measure to protect data, according to the GDPR. If a data protection incident occurs and data is stolen, companies that have protected the affected data with encryption will face significantly lower or no consequences at all. If the data has not been encrypted, companies have to pay high fees and suffer from reputation damage. That's why companies also have a vested interest in keeping their data safe.
And finally, what’s next for Boxcryptor?
As in the last ten years, we would like to continue enabling people to benefit from new technology while keeping control of their personal data. Also, within the next five years, we want to add security to cloud products and fulfill the expectations of our users all over the world. At the moment, we are continuing to develop our new Boxcryptor app for Microsoft Teams. Already today, companies can protect files in Microsoft Teams with end-to-end encryption from Boxcryptor. We want to make this even more straightforward for users.