How can you protect your data as it moves from one location to the next?
You’ve probably heard a lot about data encryption. It forms one of the pillars of IT security: without encryption, sensitive business information would be vulnerable to anyone who could steal or intercept it. Data encryption uses complex algorithms to scramble plain text data and turn it into an unreadable string of numbers and letters. The user then relies upon a decryption key to unscramble the data and revert it to a usable form.
Data can be encrypted in one of three states: at rest, in use, and in transit. Encryption at rest protects your data where it’s stored: on your computer, on your phone, in your database, or in the cloud. Encryption in use protects your data as it is being created, edited, or viewed. Finally, encryption in transit protects your data as it moves from one location to another, as when you send an email, browse the Internet, or upload documents to the cloud.
Each of these requires its own set of security protocols and best practices, and we’ll get to them all in turn. But for today, let’s start with data encryption in transit to see how you can keep sensitive information safe online.
Email: keep your communication private.
Unencrypted email is like sending a letter through the post without an envelope. Anyone can intercept it, read it, and even edit its contents. You have no guarantee that the message you receive is the same as the one that was sent to you.
These days, most email providers use Transport Layer Security (TLS) encryption automatically to protect your outbound and inbound communications. However, for TLS to work, both your email provider and the email provider you’re connecting with need to have TLS enabled.
The good news is that most major email providers use TLS encryption. However, this didn’t use to be the case. Back in 2014, Google released data showing that they could only encrypt 65% of outbound messages and 50% of inbound messages using TLS. To encourage other email providers to improve their security services, Google announced it would start marking any emails that were going to addresses that did not employ TLS encryption.
Most major email providers, including Yahoo, AOL, and Outlook, already supported TLS encryption, and many others (most notably Comcast) quickly followed suit. However, you should check to be sure your current provider supports TLS encryption, and you should never send sensitive information via email to any address that does not also support encryption.
Secure Wi-Fi: don’t let your data be intercepted.
Most of us have popped into a coffee shop at some point to get some work done, either while travelling, for convenience, or simply to get a break from the office. If you’ve read our post about the dangers of public Wi-Fi, you know that an open connection puts your data at risk. But what about coffee shops that have passwords and secure WPA (Wi-Fi Protected Access) or WPA2 networks? Are they safe?
The short answer is: no. While WPA and WPA2 connections encrypt your data from outside users, that won’t necessarily protect your data from other users on the same network. Your data will still be harder to intercept than on an open network, but it is still possible for anyone with the right knowledge.
Instead, use the portable Wi-Fi hotspot on your phone, or connect via a VPN. You will still need to check your phone’s hotspot settings to ensure the connection is WPA2 secured, and you should set strong passwords to prevent anyone from gaining access.
SSL: Are your websites all that they appear to be?
SSL protection helps encrypt data as it travels from a web server to your browser. Websites that don’t use SSL put their users at risk for man-in-the-middle attacks. You can tell that a website uses an SSL certificate if its URL begins with https instead of just http.
All websites that ask for sensitive information should be using SSL encryption. If a website asks for login credentials, payment information, or any personally identifiable information (such as a name, birthdate, or social security number) without using SSL encryption, then it is not following important compliance regulations for the handling of sensitive data.
Without SSL protection, any data you send to that website can be intercepted en route. What’s more, data that the website sends to your browser can be altered along the way, so that you have no way of knowing if the website you see is the one sent by the web server. Under these circumstances, a hacker could add something to the website to entice you to enter personal information, thereby gaining access to your credentials with neither you nor the website owner any the wiser.
Many web browsers have taken extra steps to flag websites that don’t use SSL protection by putting icons in the URL bar to indicate if a website is secure or not. You should secure your own website using SSL. More importantly, never enter sensitive data into a website that is labeled insecure.
Encrypting your data in transit is like putting it into an armored vehicle.
If encryption at rest is like storing your data in a vault, encryption in transit is like putting it in an armored car for transport. It’s harder to intercept, access, or transform. You have stronger guarantees that whatever you put into the armored vehicle will arrive at its ultimate destination without any tampering along the way. And most potential threats will go after an easier mark.
If you would like to learn more about how to protect your sensitive business information, contact us.