The cloud is here to stay. It has become the most common solution for a wide range of business needs, from data backups to cross-organization communication to document and file storage, and a great deal more. It’s convenient. It’s affordable. It’s scalable. It’s also a serious risk to your information security, particularly if you don’t know much about data encryption and aren’t following industry best practices. What should small business owners know about data encryption?
What’s It All About?
Let’s start with the basics – what is data encryption and why does it matter to your business? Really, it’s nothing more than transforming valuable data into so much gibberish. It requires an encryption key to translate that gibberish back into its original form. Anyone without the key will not be able to access the information, at least not without a lot of time spent trying to decrypt it. Of course, there are different levels of encryption. Currently, 256-bit is the highest level commercially available. Note that while 128-bit encryption is available, it’s not the best option and is much more easily cracked than 256-bit encryption.
So, why does it matter if your business information is encrypted? Simply put, if you don’t encrypt it, anyone who stumbles over the information can use it immediately. That applies to hackers, as well. They might spend a little time getting through your system’s defenses, but once they’re in and have stolen the information, they can put it to use or sell it right away.
By encrypting your data, you ensure that hackers have a much harder time of it. In fact, some hackers may abandon their attack entirely when they realize that your information is encrypted. There are easier targets that offer the same profitability without the serious investment of time and resources needed to decrypt your company’s data.
What Data Should Be Encrypted?
This is a big question with a couple of different answers. The simplest answer is “all of it”. However, that’s not feasible for many businesses. So, another answer is “the data that matters most”. This will depend on your business and the type of data in question. If you deal with consumer health information, you’re bound by HIPAA to encrypt that information. However, you’re not required to encrypt consumer personal information, such as Social Security numbers, names, email addresses and the like.
It’s tempting to encrypt only what you’re required to and leave the rest, but that is not just a shortcut; it reflects a lax attitude toward something more and more consumers consider your fundamental responsibility. If they’ve entrusted your business with their name, their Social Security number and their address, they did so on the understanding that your business will safeguard that information, whether or not the letter of the law requires it. Many businesses that suffer breaches in which unencrypted consumer information is stolen find that their customers are not particularly understanding and go looking for a partner who will hold up their end of the bargain.
When Should Data Be Encrypted?
Data should be encrypted at multiple points. First, it should be encrypted while stored on your company’s own hardware. Second, it should be encrypted while being transmitted (“in transit”), whether to another business location or to a cloud storage system. Finally, it should be encrypted while sitting in cloud storage (data in storage is called “at rest” in the industry, whether it sits on your own hardware or the provider’s). In short, you need to ensure that this data is encrypted at every stage to protect it against the growing number of threats out there.
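The following program is an added example, not code from the article, illustrating both the basics above (a 256-bit key turns a record into bytes that are useless without that key) and the three points just listed: a record is encrypted client-side before it is written to company disk or uploaded, and the connection to the provider is pinned to a modern TLS version for the in-transit leg. It uses only Go’s standard library (AES-GCM from crypto/cipher, crypto/tls); the sample customer record, the key sizes offered by NewKey and the choice of TLS 1.2 as the floor are assumptions made for the example. AES-GCM is used because it also authenticates the data, so a wrong key or a modified file is rejected on decryption instead of yielding silent garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random AES key. 256 bits (32 bytes) is the size the
// article recommends; 128 bits (16 bytes) is also accepted so the two can be
// compared. Keys come from the OS random source, never from a password string.
func NewKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 256 {
		return nil, errors.New("key size must be 128 or 256 bits")
	}
	key := make([]byte, bits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-GCM. A random nonce is prepended to the
// output so the record can be decrypted later; GCM also appends an
// authentication tag, which is what lets Decrypt detect tampering.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, not garbage, when the key is
// wrong or the stored bytes were modified after encryption.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TransitConfig is the TLS policy for the "in transit" leg: refuse anything
// older than TLS 1.2 when connecting to the cloud provider (assumed floor).
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key, _ := NewKey(256)
	// Constructed sample record; this is what would be written to disk or
	// uploaded. Only the sealed bytes ever leave the machine.
	record := []byte("name=Example Customer ssn=000-00-0000")
	sealed, _ := Encrypt(key, record)
	fmt.Printf("stored/uploaded: %x\n", sealed)

	wrongKey, _ := NewKey(256)
	if _, err := Decrypt(wrongKey, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	plain, _ := Decrypt(key, sealed)
	fmt.Println("with the right key:", string(plain))
	fmt.Println("TLS floor is 1.2:", TransitConfig().MinVersion == tls.VersionTLS12)
}
```

The key itself is the thing to protect: it should live in a key management service or hardware module, not beside the ciphertext in the same cloud bucket, otherwise the encryption adds nothing.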