
The When, Where, and How of Encrypting Data at Rest

Encryption at rest can protect your data, even if someone steals it.

Data security comes in many forms. In order to keep your business safe from a security breach, you need to protect your data from destruction, spying, and outright theft. Protecting yourself requires different lines of defense, and at the forefront of these is data encryption.

We recently discussed encryption in transit and how to guard your data from unauthorized interception. Encryption at rest, by contrast, protects your data wherever you’ve stored it, whether that’s on your hard drive or in the cloud. For instance, if an employee’s laptop is lost or stolen, whoever gains possession of that laptop can access the data by booting from a thumb drive, even if they don’t know the login password. But if the hard drive has been encrypted, then all that data just looks like a long string of nonsense words.

Are there any downsides to data encryption?

Given the obvious security benefits, you may be wondering if there are circumstances under which you might not want to encrypt your data. The two traditional disadvantages of encryption have been slower performance and the costs of key management. If your computer has to run encryption processes in the background while you use your computer, it could slow down processing speeds. And if you lose your decryption key or forget your login information, then you might have locked yourself out of your own system.

However, with improvements in computer technology, the former of these concerns is less significant. Most of us do not use the full processing power of our computers at any given time, meaning that encryption won’t noticeably impact performance for most users. And while key management is a concern, you can also set up recovery processes that will allow you—or someone with equal or higher security access at your company—access to the decryption key.

What data needs to be encrypted?

Not every piece of information needs to be encrypted. However, anything that contains customer information or anything that might compromise the health of your business does. For your business, that could include invoices, production plans, patents, bank transactions, or tax information.

For your customers, that includes username and password information, as well as any information that could be linked to an individual, such as driver’s license numbers, social security numbers, and credit card information. Failing to protect this information can result in compliance violations and could lead to a lawsuit.

With that in mind, how can your business use encryption at rest to keep this data safe?

On your computer.

When encrypting data on your computer, you can choose to encrypt your entire hard drive, a segment of your hard drive, or only certain files or folders. Many operating systems come with built-in full disk encryption. Windows uses BitLocker at the Pro or Enterprise level, while macOS offers FileVault to all users. Users will need to enter their password every time they log in to decrypt their data, and they will need to store a decryption key in a safe location off their computer in case they need to regain access.

On your phone.

The more we use our phones for business, the more likely they will carry sensitive data, or provide access to sensitive data. While this can be convenient, it also provides a new way for hackers to gain access to your data. For this reason, you will either need to assess the way employees access data on their phones to restrict access to this kind of data, or else you will need to enable encryption on your mobile devices.

Many phone operating systems, including iOS and Android, come with encryption options. As with the computer, users will need to type in their PIN or other access code every time they unlock their phone. However, this will protect data on the phone should it get lost or stolen.

In the cloud.

Data in the cloud is more secure from physical threats (you can drop your computer in a river and it won’t be lost), but it can still be compromised if it gets into the wrong hands. Most popular cloud storage solutions, such as Google Drive and Dropbox, will encrypt data. But malicious agents can still gain access if users choose weak passwords, or if the passcode is intercepted.

To protect your cloud drives, first ensure that the cloud provider of your choice uses encryption. Then make sure you use a strong password and enable two-step or multifactor authentication. This means that, even if a hacker intercepts your login password, they won’t gain access to your drive without also having access to something else which is independently linked to you, such as your mobile phone.

Data encryption won’t protect you from ransomware or other security threats.

Just because you encrypted your data doesn’t mean it’s safe. Ransomware attacks don’t need to read your data to prevent you from accessing it. In fact, many of the most sophisticated ransomware programs use encryption as part of their attack. Instead of simply locking you out of your system, they encrypt your data and demand payment in return for the decryption key.

Because of this, you can’t rely on encryption alone to protect your business assets. You will still need to follow password protocols, set up firewalls, and install monitoring software to detect any malware that slips through your system.

However, encryption in transit will make your data harder to intercept, and encryption at rest will make it worthless to anyone who manages to steal it. So, to avoid costly and dangerous data leaks, follow secure password protocols, and encrypt your data where possible.

If you need help securing your data, we can help your business determine the best encryption practices to follow. We can also help you manage your passwords and encryption keys so that you don’t have to worry about losing access to your data. Contact us to get started.