This is the fourth in a five part series examining simple ways to protect your data from data breach and data loss, all without costing an arm and a leg. Part 1 of the series can be found here. These posts come from material that we present in our “Protecting Your Data” seminar for businesses. The presentation also has 1 hour of CLE credit from the Alabama Bar Association. Contact us to schedule a presentation or to find out when one is being offered.
What is Encryption?
Encryption is the process of encoding information into a format that only authorized people can access. Encrypting information means it will be unreadable if it is hacked or intercepted. There are many different encryption schemes and algorithms commonly used today, such as SSL/TLS, which is used for securely communicating on the internet.
What Does This Mean For Me?
Passwords, anti-virus, and patching are not sufficient protection for your data. Unless you have encrypted your data, it is at risk. If someone steals your unencrypted data, you are liable and can look forward to fun things like fines and lawsuits. Data breaches usually occur because of theft or loss. Don’t just think that this happens to laptops; desktops and USB drives are also targets. Modern USB drives are small and can store an incredible amount of data. If you are using USB/thumb drives you should be encrypting them.*
Now, you may be thinking that you have a password, and that is good enough. Unfortunately, it is not. If your only protection is a password, then a skilled person who has access to your computer for any significant length of time (10+ minutes) can access anything they want, even copy the entire hard drive. Encrypting the data in some manner is designed to foil this attack and keep your data safe.
Types of Encryption
You are generally only going to be choosing between two types of data encryption. They are: File Level Encryption and Whole Disk Encryption.
File Level Encryption
As you might gather from the name “file level encryption”, this type of encryption is designed to encrypt individual files. The main drawback to this type of encryption is that it is a highly manual process, for most solutions. Generally speaking, the user must specify the files to encrypt and anytime they want to access them they must enter a password to decrypt them. This is perfectly fine for something that needs to be done occasionally, such as emailing something sensitive. However, for things that are accessed frequently, the lack of transparency is likely to lead to user frustration and rejection.
Recently, some programs have come to market that attempt to deal with the ease of use issue in order to make this encryption method more palatable for users. We expect to see even more of these come out in the future as encryption becomes more mainstream and pushed by more regulatory and oversight agencies.
The big advantage to file level encryption compared to whole disk is that the item is not decrypted until it is accessed. So even if an attacker were to gain access to your system while it is running, the files would be encrypted and therefore be “safe” from data theft.
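
The manual workflow described above (pick a file, encrypt it under a password, supply the password again to read it) looks like this with the `openssl` command-line tool. This is an added example, not part of the original post; the sample record, file names, passphrases and iteration count are constructed or assumed values.

```shell
#!/bin/sh
# Added example: password-based file-level encryption with the openssl CLI.
# The record, file names and passphrases are constructed sample values.

ITER=600000  # PBKDF2 rounds (assumed setting); slows password guessing

# encrypt_file <plaintext> <ciphertext> <passphrase>
encrypt_file() {
  # The passphrase goes in on stdin (printf is a shell builtin), so it never
  # shows up in a process listing the way a command-line argument would.
  printf '%s\n' "$3" |
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
      -in "$1" -out "$2" -pass stdin
}

# decrypt_file <ciphertext> <plaintext> <passphrase>
# Non-zero exit means openssl rejected the passphrase. "openssl enc" has no
# integrity check, so validate the output rather than trusting the exit
# status alone.
decrypt_file() {
  printf '%s\n' "$3" |
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
      -in "$1" -out "$2" -pass stdin 2>/dev/null
}

# roundtrip_demo: prints "ok" if the right passphrase recovers the file and
# neither the ciphertext nor a wrong-passphrase decrypt exposes it.
roundtrip_demo() {
  d=$(mktemp -d) || return 1
  printf 'Client: Jane Doe, account 0000 (constructed)\n' > "$d/record.txt"
  result=ok
  encrypt_file "$d/record.txt" "$d/record.enc" 'correct horse battery' || result=fail
  grep -q 'Jane Doe' "$d/record.enc" && result=fail    # at rest: unreadable
  decrypt_file "$d/record.enc" "$d/good.txt" 'correct horse battery' || result=fail
  cmp -s "$d/record.txt" "$d/good.txt" || result=fail  # right passphrase
  decrypt_file "$d/record.enc" "$d/bad.txt" 'wrong guess' || :  # expected to fail
  cmp -s "$d/record.txt" "$d/bad.txt" && result=fail   # wrong passphrase
  rm -rf "$d"
  echo "$result"
}

roundtrip_demo
```

After encrypting a real file, remove the plaintext copy; the encrypted file only protects the data if the original is no longer sitting beside it.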
Whole Disk Encryption
When using whole disk encryption the entire disk is encrypted. It decrypts during the computer’s boot process, via either a password or a special chip inside of the computer. If the chip is not present, or the password not supplied, then the computer will not boot and the entire drive remains encrypted. Once the drive is decrypted it will remain that way until shutdown or reboot. In the past, implementing whole disk encryption noticeably slowed down computers; however, that is no longer the case for most modern solutions.
This form of encryption tends to be the preferred method for most individuals and SMBs. It is pretty much a “set it and forget it” solution. The one major drawback, as previously mentioned, is that if an attacker were to gain access to your system while it is powered on, they could potentially access all your data. A good operating system password, as discussed here, will go a long way to preventing this kind of problem from happening. This type of encryption does NOT protect you against malware attacks gaining access to your data. For that we recommend a good anti-virus program, discussed here. For very sensitive data you might consider file level encryption on top of whole disk encryption.
Certain versions of Windows 7, 8 and 10 have BitLocker built in (free!), which is Microsoft’s whole disk encryption program. If your Windows version does not have BitLocker there are other options that can be purchased or downloaded for a reasonable price. Macs have FileVault 2 built in (free!) to allow you to encrypt your drives.
Go Forth and Be Secure
Now that you understand the importance of encryption we hope that you will start to implement it. You should definitely encrypt all laptops and USB drives and it would be a good idea to encrypt your desktops as well, if feasible. Something to remember is that if you forget your encryption password, then no one, not even the government, will be able to recover your files, so make sure you either won’t forget it, or it is stored in a safe place. We keep our encryption keys in our password management tool, LastPass, along with our passwords (we discussed the benefits of this here), but you can always write yours down and lock them up – that’s fine too.
Before starting the encryption process we recommend that you have a good backup of your system, just in case something goes wrong. We discuss backup here.
If you feel that your technical skills are not up to doing this yourself, or you have any questions, then contact us for a free consultation.
* HIPAA, PCI and other regulations or agreements require data to be encrypted. If you are governed by HIPAA you have to report any breach of patient data, unless that data was encrypted. If patient data is encrypted to industry standards, then you are free and clear. The FTC has recently become more active in cases of data breaches for entities that are not governed by other agencies. They can and do levy fines against companies that experience data breaches and have not taken reasonable and prudent measures to prevent them, including data encryption.