Imagine a technology that would render your most precious information useless and incomprehensible to anyone who stole it or tried to read it without your permission.
Customer data, bank details, financial transactions, contracts, invoices and employee records – the lifeblood of your business – all scrambled into a meaningless string of numbers to anyone you don’t want to see it.
Sounds like a good idea, right?
As a business you want to protect and preserve the things that keep your company alive and kicking. The good news is that you don’t have to imagine it. This technology exists. It’s called encryption, and it’s been mainstream tech for decades – you just need to implement it.
That might sound like odd advice to be giving or repeating given how long encryption technology has been with us, but a recent study reveals almost two out of three businesses still don’t have an encryption strategy for their organisation. Given most businesses are well aware of just how important their data is to them, it’s disconcerting to hear so many businesses haven’t got to grips with encryption: the one thing that could keep their data from going down the drain.
A major security issue
It’s doubly concerning when you also consider another piece of fresh research which reveals one in three businesses have no clue about ransomware – the malware being used by hackers to lock businesses out of their own data unless they pay up.
Earlier this year, the UK National Crime Agency claimed ransomware attacks have increased in frequency and complexity, and now include public threats by the perpetrators to publish victim data online, as well as the permanent encryption of valuable data.
Numerous incidents have been cited where thousands of dollars have been paid: hospitals, charities, hairdressers have all been held to ransom. One university has suffered 21 attacks in the last year alone!
Needless to say, if a business implements the proper type of encryption, they would either prevent such types of attack or at least make it much, much harder for hackers to hold their data to ransom.
What next?
For businesses who are serious about protecting their data, and keeping their business up and running, here are the five things to ask and know:
Where is your data?
In most businesses, you’ll find data exists in a variety of formats and places. Some in the cloud, on local hard drives and even on employees’ devices. Typically, some employees will organise data into neat folder structures; many will not. Likewise, some will back up their work in progress, others won’t. In other words, there is no consistency to where and how your data is being stored: it varies depending on the person, device and the data itself.
So the first challenge is understanding what data lives where within your business – and understanding precisely where the most business critical, confidential information can be found. And don’t underestimate the scale of the issue. According to one study, 57 per cent of businesses believe that locating all their sensitive data is the biggest challenge when it comes to encryption.
Data at rest and in transit
There are two ‘attack vectors’ for hackers looking to steal business data. The first is to break-in to a business and steal stored data. This is termed ‘data at rest’. The second line of attack is to intercept data when it is on the move – an email being sent, a file or folder being uploaded to the cloud. This is known as ‘data in transit’.
You need to protect both.
Check with your cloud service providers that they encrypt data in transit and at rest.
Windows 10 and enterprise versions of Windows 7 – the world’s two most-commonly used operating systems – have a built-in encryption tool called BitLocker. You can learn how to turn-on BitLocker for your laptops and desktop devices for Windows 10 here. You’ll use an encryption key code or PIN to manage access to your data.
There are also a number of third-party tools which allow you to lock away your data much like placing a paper file in a safe. Examples of apps that do this are Vault-Hide and Vault!
Voice encryption
Make a lot of confidential business calls? Encryption apps like Cellcrypt and Guardlock will encrypt calls made from a mobile device using their software. They require the user to register, add or accept an invite from the other party. The drawback is that both users need to be using the same app for the encrypted call to work.
Mobile encryption
If your smartphone is accessed by a PIN number and you haven’t changed the default settings, then the data on your device is likely to be encrypted. Unless, of course, you leave it unlocked and open … in which case anyone can access your files and apps.
What standard of encryption is required?
When looking at encryption, you’ll encounter acronyms such as AES, which means ‘Advanced Encryption Standard’. It’s the standard used by the US government and has become the encryption model for most of the software and hardware industry.
The acronym is followed by a number, typically AES-128 or AES-256. The numbers reflect the length of the cipher key: either 128 bits or 256 bits, with the longer number reflecting the greater complexity of the cipher. Instant messaging app, WhatsApp, implemented AES-256 when it turned on its end-to-end encryption (not even the company can see the content of messages being sent).
Too easily forgotten
‘Encryption is often the security step that small businesses overlook – unless they have to demonstrate data security to comply with their industry’s legal requirements,’ says Tony Anscombe, senior security evangelist at internet security company AVG Business.
‘But this is a relatively simple step a company or individual can take to make life a lot harder for hackers – meaning that even if the data is stolen, the information is useless to the thief in its encrypted form, unless they manage to steal the encryption keys as well.
‘The encryption key becomes as valuable as the data itself – you need to protect it and ensure that only those authorised to access data have the key. Otherwise, you’re still opening the door for hackers. So keep devices locked and encryption keys safe.’
Which brings us to passwords…
Encryption isn’t just about encrypting the data itself, it’s about protecting access to the encryption tool itself. If a hacker gains access to that, there’s no telling what they may do with your data: steal it, corrupt it, copy it or hold it to ransom.
It’s the same principle as using a PIN to protect access to your mobile phone. If you don’t use a PIN and you lose your phone, anyone could access the data on it. Strong passwords are just one form of defence, but they do provide an extra layer of protection. The more hurdles you can put in front of a hacker, the harder and longer it may take them to break through.
However, not all passwords are created equal.
No doubt you’ve cringed at the league table of the world’s most common passwords: with ‘123456’ and ‘password’ in first and second place.
It’s easy to see why concerns about password security have arisen and prompted a number of major US banks to deploy different technologies to verify a customer’s identity online: from fingerprint scanning to voice, retina and facial recognition. Biometric ‘multi-factor authentication’ is a rapidly growing trend and eventually you may be kissing your passwords goodbye, if not your data.
Be the one in three – sort out your strategy
If you recognise the value of your data and understand how it flows through your business, putting an encryption strategy in place is a no-brainer. But it’s not just a question of choosing and turning on a piece of encryption software: it’s also about making sure that software can only be accessed by the right people within your business at the right time.
Related: Cyber security and data protection for SMEs – a podcast with the experts