If you're worried about company data falling into the wrong hands, then it's time for you to consider encryption. You've probably heard the term bandied about but you weren't really sure what it meant or how you could use it to benefit your organization. In literal terms, encryption is the transformation of data from plain text to ciphertext. Think of it this way: Your company's data is an easy-to-read rhyming poem written in the English language. Anyone who can read in English will be able to quickly decipher the text of the poem as well as the pattern of the poem's rhyme. When encrypted, the poem is transformed into a series of letters, numbers, and symbols with no obvious sequence or implication. However, when a key is applied to that jumbled mess of text, it immediately transforms back into the original rhyming poem.
Encryption doesn't automatically guarantee that your company will remain safe from intruders. You'll still need to employ endpoint protection software to ensure you aren't hit by ransomware, which can be used to blackmail you into giving up your encryption key. However, if hackers attempt to access your data and they realize that you've employed encryption throughout your business, then they're much less likely to continue the attack. After all, which house would a burglar more likely choose to burgle: the one with machine gun turrets on the front lawn or the one with the front door wide open?
"The best reason to encrypt your data is that it lowers your value," said Mike McCamon, President and CMO at SpiderOak. "Even if [attackers] got in, all the data stored is encrypted. They'd have no way to do anything if they downloaded it."
To help you determine how best to protect your business from data theft, I've compiled the following six ways to deploy encryption across your organization.
1. Password Encryption
It stands to reason that if you're using passwords across your business, then you should be safe from an attack. However, if hackers gain access to your network, then they can easily make their way to the endpoint where all of your passwords and usernames are stored. Think of it like this: The code to unlock your smartphone is only a safeguard to entering your smartphone if someone isn't standing over your shoulder reading your button presses. Well, hackers can infiltrate your network, find the point where your passwords are stored, and use them to enter additional access points.
With password encryption, your passwords are encrypted before they ever leave your computer. The second you press the Enter button, the password gets scrambled and saved on your company's endpoint in no decipherable pattern. The only way for anyone, including IT administrators, to access the unencrypted version of your password is to employ the encryption key.
2. Database and Server Encryption
The treasure trove for any hacker is the location where the majority of your data is at rest. If this data is stored in plain text, then anyone who is able to infiltrate your security settings can easily read and apply that data to additional attacks or theft. However, by encrypting your servers and databases, you guarantee that information is protected.
Keep in mind: Your data can still be accessed at any of its many transfer points, including information sent from the browser to the server, information sent via email, and information stored on devices. I'll get into specifics about how to encrypt that data later on in this piece.
3. SSL Encryption
If you need to protect the data your employees and clients send from their browsers to your company website, then you'll want to employ Secure Sockets Layer (SSL) encryption across all of your company's web properties. You've probably seen SSL encryption employed on other company websites; for example, when you connect to a website and a lock appears to the left-hand side of the URL, this means your session has entered an encrypted state.
Those companies that are hyper-paranoid about data theft should understand that SSL encryption only protects the transfer of data from the browser to the website. It safeguards against attackers who are able to intercept information as it's being transferred from the browser to the endpoint. However, once the data enters your servers, it's stored as plain text (unless other encryption methods are employed).
4. Email Identity Encryption
Hackers have devised a nifty way to trick people into voluntarily giving up personal information. They create fake corporate email addresses, pose as company executives, and send official-sounding emails to employees asking for passwords, financial data, or anything that can be used to hurt a business. With email identity encryption, your employees receive a complex key [otherwise known as a Pretty Good Privacy (PGP) key] that they give to all of their email recipients. If the recipient gets an email that claims to be from your company's CEO but the email doesn't contain the decryption prompt, then it should be ignored.
5. Device Encryption
We all know about device encryption from Apple's recent battle with the FBI. Basically, you decrypt your device, and the data stored on it, every time you enter the passcode required to open the unit. This applies to all devices, from laptops and desktops to tablets and smartphones. However, it's really easy for someone to go into their phone's settings and disable the passcode requirement. This is a super convenient way to get into and out of your phone but it also makes the device vulnerable to anyone who (literally) gets their hands on it.
To protect your company from hands-on attacks, you should make device encryption a requirement for all of your employees as well as any company partners who store sensitive data on their devices. Your IT department can set this up by using mobile device management (MDM) software.
6. End-to-End and Zero-Knowledge Encryption
Perhaps the most comprehensive and most secure version of encryption, end-to-end encryption scrambles all of your organization's data before it reaches its endpoint. This includes everything from log-in passwords and device access passwords to the information contained in applications and files. With end-to-end encryption, the only ones with access to the key to unscramble your data are your IT team and the software company with which you work to encrypt the data in the first place.
If you need an even more extreme safeguard against intrusion, zero-knowledge encryption keeps your encryption key a secret, even from your software partner. SpiderOak, for example, will help you encrypt your data but it won't store the encryption key required to unscramble the information.
"If someone loses their password with us, we can't help them," said McCamon, in reference to SpiderOak's zero-knowledge encryption clients. "We want to make sure customers know we can't read their data either."
McCamon said it's important to specify with your software partner whether they are end-to-end or zero-knowledge, especially if zero-knowledge is what's required. "The only thing we know about our [zero-knowledge] customers is their name, email address, billing information, and how much data they store with us."
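The zero-knowledge arrangement described in section 6, as an added example (not part of the original article and not SpiderOak's code): the key is derived from the user's password on the client, so the provider holds only a salt, nonce, ciphertext, and authentication tag. The function names, scrypt parameters, and sample strings are assumptions made for this illustration; it uses only Node.js's built-in crypto module.

```javascript
const nodeCrypto = require('node:crypto');

// scrypt cost parameters (assumed values for this example; tune for your hardware).
const KDF = { N: 16384, r: 8, p: 1 };

// Derive a 256-bit key from the password. This runs only on the client;
// the key and the password are never sent to the provider.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, KDF);
}

// Client side: encrypt before upload. The returned record is everything
// the provider ever stores, and none of it reveals the key.
function clientEncrypt(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);   // fresh per record
  const nonce = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce, never reused
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client side: decrypt a record fetched from the provider.
// Throws if the password is wrong or the record was modified in storage.
function clientDecrypt(password, record) {
  const key = deriveKey(password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// True only if this password can open the record. The provider has no
// equivalent of this call, which is why a lost password cannot be reset.
function canRecover(password, record) {
  try { clientDecrypt(password, record); return true; } catch { return false; }
}

// Constructed sample data for the demonstration.
const POEM = 'Roses are red, violets are blue';
const stored = clientEncrypt('correct horse battery staple', POEM);
console.log(Object.keys(stored).join(', '));
console.log(clientDecrypt('correct horse battery staple', stored));
console.log(canRecover('guessed-password', stored));
```

Because decryption is authenticated (AES-GCM), the same failure path covers both a wrong password and a record altered while stored with the provider.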