Data encryption is one of those cybersecurity buzzwords talked about constantly in business, especially in heavily regulated industries. It’s another layer of protection you can wrap your company’s sensitive data in – but it doesn’t come cheap. Is data encryption worth the business expense?
Data encryption is absolutely worth the expense. According to the Ponemon Institute, encrypting one computer costs $235 on average. IBM Security reports that a typical data breach costs roughly $4.24 million. If you have 1000 company devices, it’ll cost $235,000 to help prevent a loss of $4.24 million.
Now you know the cost of encrypting your data and what your business stands to lose if you don’t. However, you still don’t know WHY encryption is so important to information security, HOW data encryption works, the different methods of encryption, or data encryption best practices.
It’s our goal to give you all the tools you need to make an informed decision about data encryption for your business.
A Small Business Owner’s Guide to Data Encryption
What exactly is data encryption?
Think of data encryption as digital cryptography. Cryptography is defined by TechTarget as the art of protecting information or messages with codes. This practice has been in place for physical data and secure communications for decades.
More specifically, data encryption is when your files are converted into scrambled text known as ciphertext. This ciphertext is completely unreadable to unauthorized users who don’t have the decryption key to unscramble it.
Even if a cyber criminal gains access to your data, without the encryption key it’s useless to them. Encryption can be implemented at any level from single files to entire hard drives to all your cloud storage.
Why should I encrypt my business’ data?
Your customers’ and employees’ sensitive data is incredibly valuable in the wrong hands. Access to identifying and financial information can enable cyber criminals to steal or sell people’s identities. If a computer is lost or stolen and its data isn’t encrypted, it’s easy for cybercriminals to gain access, even if the computer is password protected.
Depending on your industry, you may be legally obligated to meet various data security regulations. In the healthcare industry, HIPAA/HITECH laws regulate storage of personal health information (PHI). If you accept card payments you’re likely required to meet the Payment Card Industry Data Security Standard (PCI DSS). The Sarbanes-Oxley Act of 2002 (SOX) regulates backups and information security of publicly held companies.
The most widely known data security legislation is the General Data Protection Regulation (GDPR). It applies to all organizations that conduct business in the E.U. or European Economic Area. It has inspired a number of similar legislative acts in various locations. It’s better to check all areas your business is located in or does business with for local privacy laws. Here’s a fairly comprehensive list to get you started.
IBM Security reports that the average data breach costs a business $4.24 million. That’s per incident. Does your business have $4.24 million lying around to pay fines and settlements resulting from a data breach?
We urge you to find money in your budget for data encryption, if you haven’t already. Honestly, it’s a simple way to step up your cybersecurity game and protect your customers and staff.
How does data encryption work?
Most types of encryption rely on algorithms that turn your data into ciphertext. There are two common methods of encryption from which all other forms of encryption stem: symmetric encryption and asymmetric encryption. They’re also known as private-key and public-key encryption, respectively.
Symmetric Encryption (Private Encryption Key)
Symmetric encryption algorithms rely on a single private key for both encryption and decryption of your data. You have to share the key if anyone but you needs to access the encrypted file(s). It can be a password or a string of numbers from an RNG (random number generator).
The best use case for symmetric encryption is a single user or a closed computer system. It’s an incredibly fast method of encryption, but it is only as secure as your and your employees’ practices around it.
Cybercriminals who sneak into your network can use that key if you aren’t careful about how you share it. The more times you share your private key, even within your company, the more you expose your business to the risk of data theft.
P.S. We believe that this article should cover encryption algorithms, but we don’t want to dive too deep into their mechanics. If you’d like more information, follow the corresponding links below, or reach out for personalized assistance.
Types of Symmetric Encryption Algorithms
- Advanced Encryption Standard (AES) explained by RSI Security
- Triple DES according to Simplilearn
- Blowfish defined by Simplilearn
- Twofish described by Simplilearn
- Format Preserving Encryption (FPE) outlined by Cloudian
Asymmetric Encryption (Public Encryption Key)
Asymmetric encryption algorithms are a little more complex. They rely on paired public and private keys which are linked and used in tandem. Either key can encrypt data, but both are required in order to decrypt and open it.
The ideal use case for asymmetric encryption is multiple users across open or closed networks. The public key, which is used to encrypt data, can be shared openly without any risk of data theft.
This method isn’t as fast as symmetric encryption, but it makes up for that time by being much more secure. Cybercriminals who sneak into your network may be able to find your public key. Without the private key they will struggle to get into your data. The complexity of this style of encryption does mean it can slow down network traffic at times.
Types of Asymmetric Encryption Algorithms
- Rivest-Shamir-Adleman (RSA) explained by RSI Security
- Elliptic Curve Cryptography (ECC) described by Cloudian
- Digital Signature Algorithm (DSA) outlined by Trenton Systems
- TLS/SSL Protocol defined by Trenton Systems
How do I implement data encryption across my business?
There are a number of ways that businesses can manage their data encryption and roll it out company wide. It depends upon your organization’s structure, how your data is stored, and what your IT team’s strengths are.
If you store your data on-premises, there may be a baked-in data encryption service offered by your operating system. Data encryption software is a common offering for security software companies. You can check with your service provider for your antivirus, firewall, or VPN to see if it’s available. Additionally, there are vendors who sell standalone encryption software.
Alternatively, if you store your data on the cloud, data encryption may be offered by your cloud services provider. If it’s not, you can integrate a standalone encryption software into your existing system pretty easily.
If you choose to implement software for encryption, here is a list of options for you to begin exploring:
- Microsoft BitLocker (for PC)
- Apple FileVault (for Mac)
- VeraCrypt (third party software)
- AxCrypt (third party software)
- Gpg4win (third party software)
- Symantec (part of full suite)
- Kaspersky (part of full suite)
- Sophos (part of full suite)
- ESET (part of full suite)
Is encrypted data hackable?
Unfortunately, there is no such thing as data that is 100% secure. There are always new and evolving threats to cybersecurity that challenge security professionals all over the world. The same is true for encrypted data.
Encrypted data can be compromised in these ways:
- Malware – viruses designed for ill intent
- Brute force attacks – attackers write a program to try random keys until they get in
- Cryptanalysis – attackers find a weakness in the cipher and crack it
- Side-channel attacks – attackers look for errors or weaknesses to exploit without having to break the cipher
- Social engineering attacks/insider threats – either bad actors in your company, or negligent ones
It’s important to remember that your data encryption program should not be a “set it and forget it” tool. There are plenty of historical encryption algorithms that were once considered the gold standard. Many have fallen by the wayside due to weaknesses that were found and exploited over the years.
When you implement data encryption within your company, it’s important to train your staff on best practices for secure encryption. We’ve listed our recommendations for best practices below.
Best Practices for Data Encryption
- Encrypt all sensitive data. Yes, all of it, regardless of file type or how useful you think it might be to cyber criminals. Attackers will come up with creative ways to exploit data you never imagined could be useful to them. You want to make it as difficult as possible for anyone who breaches your system to find anything at all.
- Protect your encryption keys with everything you have. Don’t store them written down on an unsecured sticky note or in an unencrypted file in your computer’s notepad. If you’re using the flashiest encryption software but all your employees leave their keys out in the open, you’re screwed. It doesn’t matter how difficult the lock is to pick if you leave the key lying under the doormat.
- Analyze your encryption system’s performance. Frequently review which data is secured and how many resources the encryption process consumes. Continue to revise and optimize your process. If it’s too difficult or time consuming, employees may not take the time necessary to encrypt data properly, leaving you vulnerable.
Start Encrypting Your Data Today
The bottom line is that data encryption is more affordable than the settlements and fines that a data breach costs. We highly encourage you to save yourself time and money and incorporate data encryption into your business’ cybersecurity strategy today.
If you’re sold on the concept of data encryption but are still fuzzy on the details, let us know. Cloud Nexus are experts in cybersecurity and have insight we’d love to lend you in a complimentary discovery call.