Encryption – everything you should know about it

Why encryption?

Encryption tools started being talked about mainly in the context of the GDPR, but encryption is one of the basic safeguards for both personal and company data. In my opinion, it is essential for portable data devices.

Have you ever lost a flash drive or a recorded CD / DVD? It happens very often. It also often happens that we lend pen drives to friends or colleagues, and those drives already contain files with important or even very important data, whether business or personal (photos, research results).

Have you ever had your laptop stolen from a car while you were in a hypermarket? I know at least a few such cases.

Of course, you can have car or property insurance, but it will only compensate you for the equipment, not for the data. Importantly, anyone can access unencrypted data on such media or devices.

What usually falls prey to data thieves? Personal data of employees, customers and suppliers, contracts, offers, orders, CVs of employees and job candidates … As you can see, this is both personal and business data, and the loss of business data can mean a financial loss for the company.

Lack of one password and a loss of several hundred thousand zlotys

I can tell you a story that happened to me many years ago at one of the enterprises I cooperated with. An offer for a delivery worth many millions of zlotys was prepared as part of a public procurement procedure, on which the company was to earn several hundred thousand. The offer, as required, was submitted on time, but unfortunately it turned out that one of the competitors had submitted an offer with a price differing by exactly 0.4% in each item. It could not have been an accident – cases of this type are less likely than winning six numbers in a lottery. Why did this happen? Well, the data with the offer was neither protected by a password nor encrypted. Someone, colloquially speaking, stole the data and gave it to the competition. Such an event should not take place where a carefully developed IT security policy is in place (be it data encryption, a DLP system or properly designed access to network disk resources – preferably a combination of these tools).

Life is one thing and legal regulations are another – let us recall what Article 32 of the GDPR says on the security of processing: “/ … / the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate: a) / … / encryption of personal data / … /”.

What encryption policy should you choose?

  1. What to encrypt? It is necessary to encrypt all portable data devices – notebook disks, pen drives, CD-RW / DVD-RW data discs. It is also worth encrypting shared disk resources to which more people have access than the actual need to share data would justify.
  2. What to look for when implementing encryption tools? Free solutions are sufficient for home use or a one-person business. For an organization employing at least a few people, it is worth choosing a paid solution with a few important functionalities, such as a central management console or a password recovery option. It is also worth checking which algorithm the data is encrypted with. Moreover, if we pay for the solution, we are able to demonstrate (in the context of the GDPR and a possible audit) that the tool was actually implemented and that it protects data in a specific way.

The solution should:

  • be equipped with a central management module, preferably in Polish, linked to Active Directory so that users, permissions and system passwords can be managed from one place,
  • allow sharing of encrypted resources (e.g. the whole project team has access to a draft offer file),
  • allow encryption with additional security factors, such as fingerprints and smart cards,
  • encrypt files, folders and e-mail, and allow the encryption password or key to be sent over a separate communication channel (e.g. SMS),
  • allow you to manage the sharing of encrypted files by means of encryption keys, and to manage users when they are outside the company (e.g. password recovery),
  • allow you to create a rescue medium (e.g. a disc that, in the event of a hardware failure, allows the encrypted disk to be decrypted on another computer),
  • optionally, allow encrypted data to be placed directly in recipients’ communication boxes without using e-mail systems.

So the answer to whether it is worth encrypting data is obvious … it is, because the lack of encryption can cost you. I do not want to duplicate here the information about the potential penalties under the GDPR, but we should realize that by “begrudging” the amount of 100 zlotys per year per workstation, we may lose several (several dozen, several hundred) thousand zlotys.

Do you encrypt your data?

Author: Przemysław Kucharzewski