Every business operates with some level of encryption in its organization. Not many have documented standards for how it is used. Here's what you need to know about encryption to discover the "chinks in your armor" and to make the most of end-to-end encryption.
Encryption is a branch of cryptography. It uses mathematical algorithms to scramble messages so that only individuals who hold the matching key can decode them.
Encryption Comes In Different Types
- Individual file and folder encryption -- encrypts specific items. This method is only appropriate when a few business documents are stored on a computer.
- Volume encryption -- creates a container that is fully encrypted. All files and folders created in or saved to that container are encrypted. OneDrive "Personal Vault" is an example of this.
- Full-disk or whole-disk encryption -- the most complete form of computer encryption. It's transparent to users and doesn't require them to save files to a special place on the disk; all files, folders and volumes are encrypted.
- End-to-end encryption -- while the three types above protect "data at rest," end-to-end encryption protects "data in transit." Its goal is to secure data at both ends while it's being communicated between users.
Microsoft BitLocker is a disk encryption tool included in Windows operating systems. It's designed to work with a Trusted Platform Module chip in your computer. That's where the encryption key is stored. It's possible to enable BitLocker without the chip, but a few settings must be configured and it requires admin privileges.
- Go to Control Panel > BitLocker Drive Encryption.
- Click "Turn on BitLocker" next to the drive you want to encrypt.
- Enter a long and varied password.
- IMPORTANT: Make a backup of the recovery key using one of the displayed methods.
- Choose whether to encrypt used disk space only (faster) and start the encryption process.
When BitLocker is enabled, Microsoft will prompt you to save a copy of your recovery key. You need the recovery key to unlock your disk. Without the key, neither you nor anyone else can access the data. You can either print the key or save it to your Microsoft account or a file.
BitLocker also lets you require a PIN at startup.
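The same procedure from an administrator's console, as an added example that is not from the original article: it checks the TPM and current drive state, enables BitLocker with a startup PIN, and backs up the recovery password. It assumes an elevated PowerShell on Windows 10/11 Pro or Enterprise, and `$KeyBackupDir` is a placeholder for an access-restricted share your IT provider controls.

```powershell
# Added example, not code from the original article: audit the OS drive's BitLocker state
# and, if it is unprotected, enable it with the TPM + startup PIN and back up the recovery
# password. Assumptions: elevated PowerShell on Windows 10/11 Pro or Enterprise with a TPM;
# $KeyBackupDir is a placeholder for an access-restricted share your IT provider controls.
#Requires -RunAsAdministrator
$Mount        = 'C:'
$KeyBackupDir = '\\FILESERVER\BitLockerKeys'   # placeholder path, change before use

# 1. The article notes BitLocker is built around the TPM, so check it first.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; BitLocker without a TPM needs extra policy settings.'
}

# 2. Record the current state before changing anything.
$vol = Get-BitLockerVolume -MountPoint $Mount
'{0} status={1} protection={2} method={3}' -f $Mount, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod
if ($vol.ProtectionStatus -eq 'On') { 'Already protected, nothing to do.'; return }

# 3. Startup PIN (the "require a PIN at startup" option): prompt for it, never hardcode it.
$pin = Read-Host -AsSecureString 'Enter a startup PIN'

# 4. Encrypt used space only (faster, as the article notes) with XTS-AES-256, TPM + PIN.
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest | Out-Null

# 5. The IMPORTANT step: add a recovery password protector and back it up to a file.
$vol  = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$file = Join-Path $KeyBackupDir ('{0}_{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
@(
    "Computer:          $env:COMPUTERNAME"
    "Protector ID:      $($rp.KeyProtectorId)"
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -Path $file
"Recovery password backed up to $file"

# Domain-joined machines can escrow the same protector to AD DS instead of a file:
# Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $rp.KeyProtectorId
```

The recovery password is the only way back into the disk if the TPM or PIN fails, so the backup share should be readable only by the people who handle recovery.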
Apple FileVault is built-in encryption for computers running Mac OS X.
- Go to System Preferences > Security & Privacy > FileVault.
- Click "Turn On FileVault…"
- IMPORTANT: Make a note of the recovery key that is displayed and store it away from your Mac. You're prompted to save it in your iCloud account, but you can choose to write it down instead.
- Wait for encryption to complete; it's OK to continue using the computer in the meantime.
Less Than 50% Have End-to-End Encryption
Only the communicating users can read the messages. In its simplest terms, that's what end-to-end encryption ensures. In theory, a third party should not be able to decrypt messages that are protected by end-to-end encryption.
Encryption is part of any organization's data protection policy. While most business applications have encryption standards, many apps and services are not required to comply with them.
As a result, knowledge workers end up sending some messages protected by end-to-end encryption while other messages they send are not.
One example of this is the contrast between Microsoft Teams and Zoom.
Teams provides end-to-end encryption with 256-bit Advanced Encryption Standard (AES). It comes with your Office 365 license.
However, Zoom, being a stand-alone product, has yet to offer end-to-end encryption to all users.
An update in June on Zoom's blog says that end-to-end encryption services are currently being drafted and that the company has identified a path forward.
A Laptop is Stolen Every 53 Seconds
In the time it takes you to read this sentence, another laptop just got stolen. Even though media reports tend to focus on big data breaches orchestrated by anonymous hackers, physical device theft is still a legitimate concern for businesses.
According to many employee surveys, cars are the most popular place for device theft to occur.
Proper encryption of device drives will ensure that the damage done by a thief doesn't go beyond replacing the hardware.
How WiFi Encryption Works
Hopefully, business owners know that they need to password protect their WiFi network.
Having some level of encryption is better than none, but not all WiFi encryption is the same.
WEP, or "Wired Equivalent Privacy," was the first widely used WiFi encryption method.
It became the standard back in 1999. However, as computing power has increased, WEP's flaws have become easier and easier to exploit.
Today, even novice hackers can crack WEP passwords in minutes using freely available software.
Around 2003, Wi-Fi Protected Access (WPA) became the answer to WEP's weaknesses.
Two of the major improvements in WPA were message integrity checks, which detect whether an attacker has captured or altered packets passing between the access point and client, and the Temporal Key Integrity Protocol (TKIP). TKIP was the predecessor of the AES-based encryption used today.
WPA has been shown to be vulnerable to intrusion. Most hackers do not attack WPA directly; they instead go after Wi-Fi Protected Setup (WPS), a supplementary system designed to make it easy to link devices to modern access points.
In 2006, WPA was officially superseded by WPA2.
To crack WPA2, a hacker must already have access to the secured Wi-Fi network to then gain access to certain keys. Once the keys have been acquired, attacks can be made on other devices on the network.
While WPA2 is not completely secure, breaking into it requires experience and considerable effort.
Although the safest WiFi encryption option for your business is WPA2 + AES, every WiFi network should be treated as a legitimate security concern.
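One way to check the "WPA2 + AES" recommendation against what your Windows machines have actually saved, as an added example that is not from the original article: it reads the saved Wi-Fi profiles with `netsh` and ranks them by the WEP / WPA-TKIP / WPA2-AES ordering described above. It assumes English-language `netsh` output; the profile names are whatever is stored on the machine.

```powershell
# Added example, not code from the original article: list the Wi-Fi profiles saved on a
# Windows machine and flag any that still use WEP, TKIP or open authentication, so the
# "WPA2 + AES" advice above can be verified. Assumes English-language netsh output.
function Get-WlanProfileSecurity {
    # Saved profile names come from "netsh wlan show profiles".
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }

    foreach ($name in $names) {
        # key=clear is deliberately omitted: only the auth/cipher lines are needed.
        $detail = netsh wlan show profile name="$name"
        $auth   = ($detail | ForEach-Object { if ($_ -match '^\s*Authentication\s*:\s*(.+)$') { $Matches[1].Trim() } }) -join ','
        $cipher = ($detail | ForEach-Object { if ($_ -match '^\s*Cipher\s*:\s*(.+)$') { $Matches[1].Trim() } }) -join ','

        # Rank using the article's ordering: open/WEP worst, WPA/TKIP weak, WPA2/WPA3 with AES (CCMP/GCMP) acceptable.
        $rating = if ($auth -match '(^|,)(Open|WEP)' -or $cipher -match 'WEP|None') { 'CRITICAL: open or WEP' }
                  elseif ($auth -match '(^|,)WPA-' -or $cipher -match 'TKIP')       { 'WEAK: WPA or TKIP' }
                  elseif ($auth -match 'WPA[23]-' -and $cipher -match 'CCMP|GCMP')  { 'OK: WPA2/WPA3 + AES' }
                  else                                                               { 'UNKNOWN: review manually' }

        [pscustomobject]@{ Profile = $name; Authentication = $auth; Cipher = $cipher; Rating = $rating }
    }
}

Get-WlanProfileSecurity | Sort-Object Rating | Format-Table -AutoSize
```

Anything rated CRITICAL or WEAK is a network whose access point should be reconfigured for WPA2 (or WPA3) with AES, or whose saved profile should be removed so staff devices stop auto-joining it.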
Running a secure email service is another area that organizations should take seriously.
Microsoft 365 emails are encrypted by default and do not require any additional third party services to do it.
There are some additional settings you should be aware of that can secure your email even more. If you're a business owner using Outlook, contact us to find out how to keep your email data secure.
Accessing PC and Server Data
Password protecting a computer does not mean that it can't be accessed.
Our security systems engineer, Joe Beineke explains it this way:
Encryption for Mobile Devices
If someone picked up your phone and started going through your photos and messages, you would feel vulnerable and awkward.
But your phone might be sharing your private data in the background all the time without your knowledge.
Here's how to encrypt your iPhone.
- Go to Settings > Touch ID & Passcode.
- Press “Turn Passcode On” if not already on.
- Press “Passcode options” to choose a custom numeric or alphanumeric code (recommended).
- Confirm your device is encrypted by scrolling to the bottom of the Settings > Touch ID & Passcode screen.
Here's how to encrypt your Android device.
- Plug the device in to charge the battery (required).
- Make sure a password or PIN is set under Security > Screen lock.
- Go to Settings > Security.
- Press the "Encrypt phone" option.
- Read the notice and press "Encrypt phone" to start the encryption process.
- Remember to keep the phone plugged in until encryption is complete.
Encryption Best-Practices Summary
Encryption does not make up for weak network security controls. In other words, disk encryption is only one part of the protective suite, but a vital one.
Ironically, while encryption plays a key role in protecting your business from bad guys, it is also the main weapon hackers use to infect you with ransomware.
- Don't assume that because your computer is password-protected it is encrypted.
- Work with your IT Support Provider to create an encryption standard across your organization.
- Use built-in encryption on your personal and work devices as a minimum defense whenever possible.
- Take extra precautions to secure your email communications.
- Use messenger and chat apps that provide end-to-end encryption.
Need help creating an encryption standard for your small business?