With organisations under more pressure than ever to protect their customers’ data, and more and more information being stored digitally, Grant McGregor takes a look at encryption and the possibilities it offers to help small businesses protect their data.
Encryption sounds like one of those scary IT topics that will drive most small business owners running screaming from the room – but it needn’t be scary. With good advice and clear planning, encryption delivers essential business advantages – not least in the protection of your data and defence against hackers and ransomware attacks.
Encryption is the process of scrambling your data so that it is effectively unreadable to anyone who does not have the key to unscramble it.
Small businesses need to protect their data, just as any other individual or organisation does. Encryption offers another way to protect your data. While most of your IT security infrastructure protects your physical assets – your computers, devices and servers – encryption protects the data itself by making it unreadable to unauthorised people.
Wherever there is a mention of data security, a reference to GDPR isn’t too far away – and this is true when it comes to encryption too. GDPR expects organisations to protect the data they hold and encryption is an important part of this.
Encrypting your data will serve as a deterrent to hackers, making your data a less appealing target for theft. But it will also help to protect you against legal action from consumers and regulatory authorities, since through encryption you can demonstrate a fair attempt to protect the data you hold.
You should encrypt all your sensitive and personal data. Of course, GDPR has expanded the definition of what is personal, so you may find that much of your data is ripe for encryption.
Data needs to be protected at rest (when it resides in your databases and hard drives) and in transit (between browsers, in email or to the cloud). This way, if your network is hacked or your communication is intercepted, encryption keeps it safe.
Many standard business applications include options for data encryption. For example, Microsoft offers straightforward features for encrypting individual documents in Word, Excel and PowerPoint and for full disk encryption (BitLocker) on individual workstations and laptops.
Full disk encryption is a sensible precaution for any mobile devices that are used away from the office, such as laptops, and that contain sensitive data.
For most small businesses, the standard email encryption offered in Outlook will suffice. However, for businesses not using Microsoft products or for highly sensitive communications, you may need to consider using a browser-based encryption application that will enable you to encrypt messages manually.
Remember to always use a different channel to send your intended recipient the key or password they need to decrypt your message.
As well as encrypting data in transit via email, you need to consider encrypting outgoing and incoming Internet traffic. This is particularly important if you are capturing data, allowing signups or running e-commerce on your website, as well as for staff who use unsecured Wi-Fi networks (for example, at hotels or airports).
To secure incoming Internet traffic, you’ll need to use HTTPS. To secure data being passed over connections via public or unsecured Wi-Fi networks, you will need to set up access to a business VPN for your users.
No encryption is entirely failsafe, although some methods are more secure than others. Computers can break into encrypted files or machines by guessing the encryption key, but this requires concerted effort and, for very secure encryption algorithms, it will take a long time.
The real danger with encryption is forgetting or losing the key needed to decrypt your data. This means that small businesses that do institute encryption policies will also need to develop a detailed register of the encryption keys that staff are using – and religiously keep the information up to date (in a secure place!).
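As an added illustration (not a Grant McGregor script), the PowerShell below audits the BitLocker drives on one Windows machine and produces a row for the key register described above, flagging any drive that is unencrypted or has no recovery password to fall back on. The output file name `bitlocker-register.csv` is an assumption; it records only the recovery key IDs, never the recovery passwords themselves.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker status and recovery-key coverage on this PC.
# Uses the built-in Get-BitLockerVolume cmdlet (BitLocker module on Windows).

# Assumed output location for the register entry; change to suit.
$RegisterPath = '.\bitlocker-register.csv'

$report = foreach ($vol in Get-BitLockerVolume) {
    # A recovery password is the fallback when the normal unlock method
    # (TPM, PIN or password) is unavailable, e.g. after a hardware change.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Collect anything that needs attention on this drive.
    $issues = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "volume status is $($vol.VolumeStatus)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $issues += 'protection is not switched on'
    }
    if ($recovery.Count -eq 0) {
        $issues += 'no recovery password protector'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Drive          = $vol.MountPoint
        VolumeType     = $vol.VolumeType
        VolumeStatus   = $vol.VolumeStatus
        Protection     = $vol.ProtectionStatus
        Method         = $vol.EncryptionMethod
        # Record the protector IDs only; they identify which stored
        # recovery key belongs to this drive without exposing the key.
        RecoveryKeyIds = ($recovery.KeyProtectorId -join '; ')
        Issues         = ($issues -join '; ')
        Checked        = (Get-Date -Format 'yyyy-MM-dd')
    }
}

# Show the result on screen and save a copy for the key register.
$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path $RegisterPath -NoTypeInformation
```

An empty `Issues` column means the drive is fully encrypted, protection is on, and at least one recovery password exists to be matched against the register.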
Encryption is no good without effective password management, so good password management and access management are essential partners to encryption. As with any technology security issue, staff training is another vital component.
A good starting point is the government’s new Cyber Essentials certification. For this, or more specific advice about encryption, enlist the help of Grant McGregor consultants.
Call us on 0808 164 4142.