What Data Should Your Company Encrypt?

OCTOBER 3RD, 2017
Nothing gets the attention of business leaders and the IT department like a good, old-fashioned cyberattack. Over the past couple of years, we have watched large companies such as Home Depot, Target and most recently Equifax deal with the fallout of massive data breaches. The attack on Target hit home when a close contact realized thieves had used his debit card to make $1300 in fraudulent purchases. Thankfully, a call to the credit union helped restore the missing funds, but successful attacks like these can erode customer confidence and tarnish a company's reputation.

A few weeks ago, when researching various encryption strategies, we came across an article touting IBM's new mainframe. IBM makes a lot of big iron that works behind the scenes, handling large amounts of data. One new model IBM added to its Z line of mainframes encrypts all data in real time. And by all, they mean everything.
IBM claims the Z can encrypt all the data associated with an application or service, whether it's in transit or residing in a database. Until now, IBM did not have the processing power to handle this type of encryption in real time. Given that IBM's transaction engine handles 87 percent of all credit card payments, one can understand IBM's desire to secure all data. IBM has its reputation to protect.

IBM certainly is not the only company working on data security; it just happens to be one making a lot of promises today. Even under ideal conditions, it will be a long time before most companies can comprehensively encrypt their data. In the meantime, businesses need to upgrade both hardware and software to make this happen, and that will take years.

So how do you decide what to do in the meantime? In this post we’ll discuss what types of data you should encrypt. We will also look at several best practices to help you minimize the chances of a security breach.

What is Encryption?

Data encryption takes a chunk of data and translates it into a new form so that only the people with access to the key can read it. We often refer to encrypted data as ciphertext and to unencrypted data as plaintext. The purpose of data encryption is to protect digital data confidentiality.

As you might imagine, protecting data has become an important concern for companies with the explosive growth of data volume and with employees carrying large amounts of confidential business data around with them on their laptops and mobile devices. As companies and their employees also interact more often with cloud services, a lot more data is moving outside the walls of the business. The proliferation of data and the ability to move it around from one device to another has helped companies meet today's business needs. But data mobility gives thieves several entry points to the data that IT departments are attempting to keep safe.

As you dive deeper into the topic, you will learn more about the two types of encryption: symmetric and asymmetric. In simple terms, symmetric encryption is the oldest and most well-known technique. It uses one secret key to encrypt and decrypt the data. Both the sender and receiver know the key. Asymmetric encryption is a newer method and some also refer to it as public key cryptography. It uses two keys instead of one: one public and one private key. The public keys allow anyone to send you information. But only you know your private key. If you're interested in learning more about symmetric and asymmetric encryption, here's an article from SSL2BUY that goes into a lot more detail.

What Should You Encrypt?

In broad terms, there are two types of data you should encrypt: personally identifiable information and confidential business intellectual property.

Personally Identifiable Information (PII)

PII includes any kind of information another person can use to uniquely identify you. This includes your driver's license or social security number. Thieves may use this information to steal your identity, which then allows them to move onto bigger crimes such as applying for credit cards and loans in your name. One recent attack on HBO allowed hackers to gain possession of many programs such as the popular Game of Thrones. What some media outlets didn't report is that the same group stole personal information on actors starring in HBO shows. A larger but similar attack at Sony Pictures in 2014 leaked information that included actors’ salaries per film.

Combatting such attacks takes efforts on many fronts. PII resides on employee phones, tablets, and laptops, so those devices and their storage should be fully encrypted. Modern business practices such as BYOD can make this a challenge, but you need to do it. Thieves who run into barriers accessing backdoor exploits often turn to using employee credentials and passwords, so they can enter through the front door instead.

Confidential Business & Intellectual Property

If you watched any of the debates leading up to the U.S. elections, you may remember Donald Trump taking a hard line on China for stealing intellectual property belonging to American businesses. Today, President Trump is still going after China, claiming the Chinese government requires U.S. companies to work with local companies to gain access to the massive Chinese market. Trump states those local companies, in turn, make off with intellectual property that belongs to the United States.

On a smaller scale, consider the data your employees access each day on your customers. Consider the plans for your new product and an upcoming marketing blitz. Would your competitors benefit from knowing the names of your top 20 clients? There is an old saying that crooks break into banks because that’s where the money is. Well, today's digital thieves break into companies because that’s where the most valuable data resides. If you cannot afford to encrypt everything, what types of data should you prioritize?

Customer Information: Banking and healthcare industries are subject to regulations that govern the protection of consumer information. Special data protection regulations apply to you if this is your business. Even if your company operates outside those industries, you still need to take this seriously, as companies like Target and Home Depot found out. Make protecting customer data a top priority because your reputation depends on it.

Financial Reports: Most companies keep these close to the vest. Make sure you have consolidated them in one location and then encrypt it. Limit access to this location to only those who need it.

Product Release Documents: How many people at your company are walking around with an Excel document on their laptops that contains your product release schedule for the next 24 months? Thieves target business travelers and their laptops for the information they carry as much as for the hardware itself.

Research and Development Data: This is a tough one because companies often distribute this data around the company. Not every company invests heavily in this area, but if you do, protect it using encryption.

Each company produces its own trove of valuable information. You may need to consider encrypting all email and legal documentation. For example, at Microsoft, every laptop that had access to a team's financial or product release schedule had to use BitLocker drive encryption. Microsoft IT later rolled out the requirement to the entire company. You should assume your employees have confidential data about your company's products and customers and encrypt accordingly.
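
Before you can prioritize, you need to know where this data lives. The following Python example is added here and is not part of the original post: it scans records for two of the data types discussed above, Social Security numbers (PII) and payment card numbers (customer information), and returns the records that are candidates for encryption. The category labels, function names and sample records are assumptions constructed for illustration.

```python
import re

# Candidate patterns; every match is validated below to cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def valid_ssn(area, group, serial):
    """Reject values never issued: area 000, 666 or 9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum that genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitive-data categories found in one record."""
    found = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("PII:ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("customer:card")
    return found

def encryption_candidates(records):
    """Map record name -> categories, keeping only records with a finding."""
    hits = {name: classify(body) for name, body in records.items()}
    return {name: cats for name, cats in hits.items() if cats}

# Constructed sample records (not real data).
SAMPLE = {
    "hr_export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "orders.log": "paid with 4111 1111 1111 1111 at 10:02",
    "lunch_menu.txt": "call 555-12-0000 or ref 000-12-3456",
    "build.log": "artifact id 1234567890123456 uploaded",
}

if __name__ == "__main__":
    for name, cats in encryption_candidates(SAMPLE).items():
        print(f"{name}: encrypt ({', '.join(sorted(cats))})")
```

The last two sample records contain digit runs that look sensitive but fail validation, which is why pattern matching alone is not enough for a data inventory.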

Conclusion

Until we reach a time when every company possesses the tools to encrypt all data, each of us must make important decisions on what to encrypt and what not to. If you are having a difficult time deciding if you should encrypt your data, ask yourself, if the data were on paper, would you shred it before tossing it? Or, if you accidentally leaked the data on the Internet tomorrow, would it cause harm to your employees or customers? If you answered yes to either question, you should strongly consider encrypting it. What encryption practices have you used to keep your company's data safe?