Data Encryption: Why your business should be using encryption
Encryption may not sound like an inviting topic. Investing in an encryption framework doesn’t do anything for your bottom line, and the implementation is associated with slow, intrusive processes that make employees and managers alike shudder. But using encryption could save your business from a lot of trouble.
Encryption, who needs it?
You might imagine that only organisations working on confidential projects need to worry about encrypting their data. Yet while your employees may not be carrying around top-secret blueprints, their systems may still hold data that needs protecting.
Under GDPR, businesses are required to report any breaches of their system. If you have customer details stored on your computer, then using encryption lowers the probability that a breach will occur, and therefore means there’s less of a chance you’ll face a hefty fine.
Legal considerations aside, protecting customer data is simply good business sense. “We all have an expectation of privacy,” noted Anthony Merry, director of data protection at Sophos. “We’ve all seen the reports of high-profile data breaches in the newspapers. Customers know that if you have a data breach, they might have their identity stolen as a result. You can increase customer satisfaction by ensuring you protect their data.”
Aside from accidental loss, encryption can also be a valuable defence against hacker attacks. “We’ve noticed an increasing amount of malware that attempts to steal data,” warned Merry. “A data breach isn’t just data leaving the organisation – it’s data leaving in a form that’s usable to an attacker. If a hacker gets at your files, but only in encrypted form, they can’t do any harm.”
What needs encrypting?
Without a doubt, the most important data security measure you can take is to apply full-disk encryption on all mobile devices. “Let’s say somebody steals your encrypted laptop,” Merry explained: “If they don’t have the username and password, they simply can’t access the data on it. They can’t boot it. They can’t even access the files if they take out the disk and try to mount it from another system.”
File-level encryption has a role to play too. “We attach files to emails, copy data to USB sticks and pass them around – there are lots of ways to share data, and as end users we do it instinctively,” Merry said. “For example, let’s say I copy an Excel spreadsheet from work onto my USB stick so I can work on it at home. A USB stick is easy to lose – you pull your keys out of your pocket and the USB stick falls out. As far as the law is concerned, if someone can pick up that USB stick and potentially make use of the data contained on it, that’s a data breach. It’s the same type of situation if you’re storing potentially secret or proprietary information on Dropbox, because you don’t know who might access it.”
It’s worth thinking about tablets and smartphones too. “With company devices, you may choose to manage all aspects of security, including the apps users install,” noted Merry. “Or, you can have a BYOD scenario. In that case you can say: ‘It might be your device, but if you’re going to have company data on it then you need to protect it.’ Devices such as mobile phones have built-in encryption that you can activate.”
Desktops and servers are rather less likely to fall out of pockets, but if you’re unlucky enough to be the victim of a burglary, you could be looking at a data-loss disaster. “You do get thefts from businesses – even large companies with big data centres,” warned Sian John. “And encryption is so easy to turn on now that it’s worth doing.”
Encryption can also provide a secondary benefit when it’s time to retire old hardware. “When you go to recycle your computers at the end of their life, make sure you’ve destroyed data on them,” added John. “If you’re using encryption, it’s easy to wipe that drive so that it isn’t recoverable.”
Performance and management
Doesn’t encrypting and decrypting data tax the processor, meaning your systems will consume more power and perform more slowly? “There’s been a focus on making encryption quicker, so it doesn’t have any impact on your systems,” said John. “From the user perspective, there’s a registration process when you first unlock the system, but it’s seamless thereafter – you don’t even know it’s there.”
“Modern Intel processors have a set of instructions called AES-NI,” added Merry. “Basically, these perform hardware acceleration of the encryption inside the CPU.” Similarly, some storage devices include their own encryption processor, which takes care of encryption and decryption at the controller level. As a result, the operating system doesn’t have to do the work itself, or even know that your data is encrypted.
“Businesses that want to roll out encryption shouldn’t need to buy new servers or hardware,” concluded Merry. “Encryption shouldn’t have a perceptible impact on productivity or system performance. It means we can keep our users productive while keeping data secure.”
Avoiding the pitfalls
Encryption isn’t a technology you can simply release into your organisation: you need to apply it in a systematic way to make sure data doesn’t slip through the gaps. “Businesses should have a data-protection strategy in place,” advised Merry. “Look at what employees do, how they use data and how data flows naturally inside and outside of an organisation. Then come up with a plan, and communicate it: individual employees should be aware of the business’ data-protection strategy and what it means to them.”
And it’s important to plan ahead. As Sian John warned: “If you’re rolling out encryption in a corporate environment, think about additional decryption keys. A lot of effort has been put into making it easy to recover if a user forgets their password, or leaves the organisation. You can have a master key to decrypt their PC once they’ve left. You don’t want to set up a system where employees are encrypting stuff that you’re not able to get back again.”
Keeping your company safe should be the first port of call. Thankfully, Davey Winder gives you a handy rundown of how to stop your business from being hacked.