What's the big deal about Encryption?
I was recently asked the question, ‘How important is encryption…on a scale of 1-10?’
I gave the stock, corny answer of ‘11’. Because that’s how important I believe it is.
But this needs a bit of caveating.
It’s 11 if you’re using your company data outside of the office (on mobiles/laptops/tablets etc.), or if you ever take a USB stick off the premises. If you keep all your data in the office, it’s never connected to the internet, and you’ve got a 24-hour security guard with full alarm systems on all of your kit, then I’d downgrade that 11 to a 3 or 4.
(There’s no such thing as ‘0’ when it comes to IT Security because if someone wants your data that badly, they’ll find a way).
The thing is, that scenario isn’t very realistic these days. The vast majority of us are reading emails on mobile devices, taking our laptops home, and carting USB sticks about. The way we work has changed.
The EU Data Protection Regulation about to come into force this year is a sign that the EU is getting tougher on data protection, as the legislation will mean that certain companies who suffer a breach will get a fine, which could be as big as 5% of their annual turnover.
Many businesses who may not have been affected previously will be affected by this new regulation. To check if you are, it’s certainly worth taking a look at Sophos’ 60 second survey, which asks you questions about whether you encrypt email and the information you store in the Cloud.
Here’s a video of a friend of TSG, James Lyne, Sophos’ cybersecurity specialist, tapping into a company’s confidential data in 20 seconds flat – and he gives you a lot of great advice on how to protect yourself too.
When it comes to encrypting your data, there are really 5 main areas that you need to look at:
So this is your physical stuff like your laptops and your mobiles. If any of these get lost or stolen, it’s not just about having a password to protect them (which can be hacked)
2. Memory sticks
We all do it. We put a file on a memory stick, chuck it into a bag, forget about it, and suddenly it’s an uncontrolled piece of data floating around. It just needs to fall out of your bag (or be stolen) and that’s a data breach. If you’re putting information on memory sticks which you can’t afford to lose, or which would be damaging if it fell into someone else’s hands, always encrypt it.
If it’s sensitive, then encrypt it on the fly, or use boundary encryption if the recipient always needs to have secure transmission.
4. Cloud services
A lot of companies use online services like Dropbox to store large files or transfer and share data. But there is a way of encrypting this data, and we’ve got controls and mechanisms to be able to do that.
5. The data itself
This is about identifying where your data sits within your network. If you’re in the finance department, for example, and what you’re working on contains extremely sensitive customer information, then there must be a set rule that wherever those files go (inside or outside of the business), they must remain encrypted.
On the flip side, you also need to answer the question, ‘How important is data privacy to you?’ If you lose a memory stick, upload something to Dropbox insecurely, or lose a device with some data on it, how much would it bother you if someone else got access to that data? Or how much would it cost?
If the answer is ‘not at all’ then there’s not much sense in encrypting it. If the answer is it would have a negative impact on your business, then it’s definitely time to do something about it.
Figures have recently been revealed about the number of data breaches in the UK in the last year – the financial services sector is up by 183%. Now, before that alarms you, some of the large banks who have reported themselves for losing their customers’ data make up a good chunk of that percentage (actually that is pretty alarming, depending on who you bank with).
The reasons for these data breaches were more often than not just the basic stuff (human error) – leaving a laptop on a train, people taking copies of things they shouldn’t be, insecure memory sticks. So many breaches could be avoided if people followed some basic security principles.
The important thing to remember is that there’s lots to remember when it comes to IT Security. And that’s because it affects your entire infrastructure. Security isn’t just one thing – having a firewall and putting endpoint protection into your business are just two of at least ten things you should be doing.
However, a good starting place is your people, and your data - work out what needs to be encrypted, and how, and then go from there.
For more on how you can put together effective IT Security methods for your business, please get in touch with us.
Check out our article on how to build an effective IT Security policy for your business here.
I'm also hosting a webinar on the 25th June called 'Opportunities and Threats in the Modern IT Environment' - join us for free by signing up here.