There has perhaps never been a more important time to look at encryption strategies. Government research from last year revealed that 43% of businesses have identified security breaches in their systems in the last 12 months. Some of the most common attacks included staff receiving fraudulent emails (75% of those breached), individuals impersonating the organisation online (28%) and viruses and malware (24%). What's more, security breaches on average cost organisations £894 per incident over the past year.
Desktop PCs and servers generally use high levels of encryption. However, mobile digital devices often use reduced levels of encrypted security, if indeed they use any encryption at all. According to Sophos, only a third of businesses encrypt the smartphones and tablets that employees use.
Research shows that the majority of businesses do not employ effective encryption policies for mobile devices
Then there's the cloud to consider, which, because of its growing popularity, has become a bigger target for cyber crime. Over time, businesses have handed over the responsibility for encrypting data to service providers that are themselves becoming a favoured target for cyber criminals.
Businesses understand that their customer data, in particular, must be encrypted. Highly regulated industries, such as financial services, have long used strong encryption to meet their compliance responsibilities, with other sectors reacting to high-profile security breaches by enhancing their use of encryption tools and protocols.
For example, the Payment Card Industry Data Security Standard (PCI DSS) has strict requirements on how merchants need to employ encryption to protect stored cardholder data. The Data Protection Act 2018 and GDPR both make it mandatory that businesses take practical steps to protect customer data. This also applies to destroying data.
However, companies are seeing that work is changing and that modern workplace practices, such as remote working, are creating new challenges when it comes to protecting data. Many businesses have employees who work from remote locations and out in the field, and who still require secure lines of communication to the office.
Some technologies, such as virtual private networks (VPNs) that use built-in encryption protocols, have now become more commonplace, particularly across the small business community, because of their relatively low cost and efficient deployment.
But having employees working in several locations at the same time is often a "barrier to a successful encryption strategy", according to findings from the Ponemon Institute's 2019 Global Encryption Trends report, with many businesses unable to identify where their sensitive data resides.
Some 69% of those surveyed said that data discovery was their biggest weakness when it came to encrypting data, 42% found difficulties when first deploying new technologies, and 32% said they found it hard to identify the most important data that needed to be encrypted.
Many businesses already use SSL to encrypt data as it is transmitted
Even where businesses do have encryption policies in place, these often fail to fully protect data once it has been transmitted to remote workers outside the organisation's firewall.
Despite there being an abundance of security tools available for businesses of all sizes, many of these are "off-putting to small businesses" as they are not easy to integrate with existing applications and require extra time and resources, which hits small businesses the hardest.
Understanding the basics
Despite the challenge facing small businesses, it's possible to simplify the process of encryption, provided you have a well-defined and communicated policy across your business. Data is now your business's most precious commodity, and it must be protected.
The Ponemon Institute research found that 44% of businesses performed encryption on-premise before sending data to the cloud, using keys their organisation generates and manages. However, 35% of respondents perform this encryption in the cloud, with cloud providers generating and managing those keys. Some 21% of respondents are using some form of Bring Your Own Key (BYOK) approach.
The quality of any encryption policy is dependent on how keys are handled
Regardless of the favoured approach to encryption, there are basic steps that all businesses should be taking. Encryption is no longer an additional expense; it's something you can enable on most new devices these days.
A password on a laptop doesn't make the data secure; it helps, but is by no means a robust solution. BitLocker is a secure option on Windows 10 laptops, as is FileVault on Macs. Neither OS enables these encryption methods by default, so that is a good place to start.
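As a starting check, the following added example (not part of the original article) classifies the text printed by `manage-bde -status` on Windows and `fdesetup status` on macOS, including the case where a BitLocker disk is fully encrypted but protection has been suspended. The sample reports are constructed, the English-locale output layout is an assumption, and the device names are hypothetical.

```python
import re

# Constructed sample reports, laid out like English-locale tool output.
BITLOCKER_ON = """\
Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""
# Encrypted disk, but protection suspended: a clear key is stored on the disk.
BITLOCKER_SUSPENDED = BITLOCKER_ON.replace("Protection On", "Protection Off")
BITLOCKER_OFF = """\
Volume C: [OS]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""

def _field(report, name):
    """Return the value of a 'Name:   value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", report, re.MULTILINE)
    return m.group(1) if m else None

def audit_bitlocker(report):
    """Classify one volume from `manage-bde -status` text."""
    conversion = _field(report, "Conversion Status")
    protection = _field(report, "Protection Status")
    if conversion is None or protection is None:
        return "unknown"  # never count an unparsable report as safe
    if conversion not in ("Fully Encrypted", "Used Space Only Encrypted"):
        return "not encrypted"  # includes encryption still in progress
    return "protected" if protection == "Protection On" else "suspended"

def audit_filevault(report):
    """Classify a Mac from `fdesetup status` text."""
    lines = report.strip().splitlines()
    if not lines:
        return "unknown"
    if any("in progress" in line for line in lines[1:]):
        return "in progress"
    return {"FileVault is On.": "protected",
            "FileVault is Off.": "not encrypted"}.get(lines[0].strip(), "unknown")

if __name__ == "__main__":
    for name, text in [("laptop-01", BITLOCKER_ON), ("laptop-02", BITLOCKER_SUSPENDED),
                       ("laptop-03", BITLOCKER_OFF)]:
        print(name, audit_bitlocker(text))
    print("mac-01", audit_filevault("FileVault is Off.\n"))
```

Anything other than "protected" is worth following up, and "unknown" is deliberately not treated as a pass.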
Encryption can be turned into a fairly straightforward exercise for small businesses, but you should be aware of the added restrictions it could place on day-to-day operations.
Most commercial encryption software is suitable (or has a product suitable) for small business use.
For email encryption, both sender and receiver must operate the same encryption standard, which can lead to complications when dealing with other organisations who operate different systems.
How to use encryption
Having a full understanding of the data landscape across your enterprise will help you figure out what types of encryption you need. When data is at rest, stored on hard drives, servers or mobile devices, for instance, file or full-drive encryption should be considered.
It's when data is in motion that encryption becomes even more vital. When data moves over your business's network or out onto the wider internet, it must have some form of encryption. It's likely your business has continued to expand its use of the cloud in some capacity and is probably developing hybrid cloud deployments. If that's the case, data must be encrypted at rest as well as when it's being transmitted.
Encryption should be considered an essential element, and it provides a first technical step in compliance programs. Encrypted communications, such as TLS (Transport Layer Security), provide a strong control.
Data-at-rest encryption is more challenging, because the layer at which it is deployed determines how much protection it provides - it's but a small part of a larger control set that includes monitoring and access control. Also, encryption key management for data-at-rest encryption is a critical element, because losing the keys means losing the data.
Employees are often the weakest link in data handling
Of course, the quality of any encryption policy comes down to how keys are generated, applied and managed. For larger businesses, this is somewhat of an easier task despite the quantity of data that needs to be encrypted. Cryptography is often managed by in-house experts equipped with the right equipment.
But these resources are not something that's typically available to small businesses, and investing in in-house expertise isn't usually a priority when it comes to spending. As a small business, you'll likely find yourself working more closely with service providers. However, if you don't like that option, you can call upon key management products that are provided as a service. These tend to give you more control over encryption keys, but still need time and effort to maintain full control unless you have the resources to do so.
What has become clear for all business owners is that encryption must form a fundamental component of their data security policies. Where data is stored, who has access and, importantly, how data is protected when in transit and at rest, all require strong encryption protocols.
The use of mobile devices has also moved the perimeter of the security environment businesses have to manage outside of the control of their premises. Ensuring all data communications use strong encryption is now critical to meeting data protection obligations; remember that the legally binding GDPR requirements are always in play now.
All too often data is lost and security is compromised by employees, so it's always best to ensure your business has detailed and ongoing education and training that encompasses the encryption tools that keep your business data secure.