Encryption: A Guide
Encryption of sensitive data is a foundational part of cyber security practice. Good encryption coverage limits what an attacker gains from stolen or intercepted data, and protects sensitive data from falling into the wrong hands, inside and outside your organization.
What is encryption?
Encryption is analogous to a secret code: it renders data unreadable to anyone who is not authorized to see it. An algorithm combines the original data (the plaintext) with a secret key to produce ciphertext, a version of the data that is unreadable without that key. Only those who are authorized and hold the key can reverse the operation and recover the original data. The purpose of encryption is to keep data confidential even when the storage medium, the network, or a database is exposed to cyber criminals or to users within the organization who should not see it. Note that encryption shifts the problem to protecting the key: ciphertext stored next to its key is no better protected than plaintext.
Does encryption come at a cost?
Implementing encryption comes at an operational and performance cost. Consider the cost of software, hardware, training, and potential productivity impacts, and ensure the solution is compatible with your existing IT infrastructure. In practice the raw performance overhead of modern encryption is usually small on current hardware; the larger ongoing cost is key management: generating, storing, rotating and revoking keys, and making sure that a lost key does not mean lost data. Your IT team will be able to help you consider your options. Once you have made a choice, make sure that the decision (and the decision makers who contributed to it) is documented in your cyber security strategy so it can be referred back to accurately.
Full vs partial encryption.
Full encryption (for example full-disk or whole-database encryption) protects everything on a device, volume or database, while partial encryption applies encryption only to the specified table columns or rows that hold sensitive values. The two protect against different things: full-disk encryption protects data on a lost or stolen device or a decommissioned drive, but once the system is running and unlocked, anyone who can query it sees plaintext; column-level encryption protects specific values from anyone who can read the database or its backups but does not hold the key, such as a database administrator or an attacker who has exfiltrated a dump. Full encryption may be necessary for highly confidential systems, while partial encryption may be more suitable where only some fields are critical. Assess whether IT resources are adequate for full encryption. It is common to have data sets that mix data which must be protected with data that does not need to be encrypted.
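To make the column-level case concrete, here is an added example (not part of the original guide) in Go, using the standard library's AES-256-GCM. It assumes a hypothetical customer table with `name`, `ssn` and `email` columns, of which only `ssn` and `email` are sensitive, and a 32-byte key that in a real deployment would come from a key management service rather than the code. The row ID and column name are bound to each ciphertext as additional authenticated data, so a value copied into another row or column fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Row is one database row, keyed by column name. Constructed for this example.
type Row map[string][]byte

// sensitiveColumns lists the columns partial encryption must cover; the rest
// stay in the clear so they remain searchable and indexable.
var sensitiveColumns = map[string]bool{"ssn": true, "email": true}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one cell with AES-256-GCM. The row ID and column name
// are bound as additional authenticated data (AAD), so a ciphertext copied
// into a different row or column fails authentication on decryption.
// Output layout: nonce || ciphertext || tag.
func EncryptField(key []byte, rowID, column string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(rowID + "|" + column)
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField; it fails if the key, row ID or column
// does not match, or if the stored bytes were truncated or modified.
func DecryptField(key []byte, rowID, column string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	aad := []byte(rowID + "|" + column)
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRow applies partial encryption: only columns listed in
// sensitiveColumns are encrypted; other columns are copied unchanged.
func EncryptRow(key []byte, rowID string, row Row) (Row, error) {
	out := make(Row, len(row))
	for col, val := range row {
		if !sensitiveColumns[col] {
			out[col] = val
			continue
		}
		ct, err := EncryptField(key, rowID, col, val)
		if err != nil {
			return nil, err
		}
		out[col] = ct
	}
	return out, nil
}

func main() {
	// Assumption: in a real deployment the key comes from a KMS or secrets
	// manager and is never stored beside the data. A fixed key is used here
	// only to keep the example self-contained.
	key := []byte("0123456789abcdef0123456789abcdef")
	row := Row{"name": []byte("Ada Example"), "ssn": []byte("123-45-6789")} // constructed sample
	enc, err := EncryptRow(key, "customer:42", row)
	if err != nil {
		panic(err)
	}
	fmt.Printf("name in clear: %s; ssn is %d bytes of ciphertext\n", enc["name"], len(enc["ssn"]))
	// A ciphertext copied to another row is rejected because the row ID is in the AAD.
	_, err = DecryptField(key, "customer:43", "ssn", enc["ssn"])
	fmt.Println("copied to other row:", err)
	pt, _ := DecryptField(key, "customer:42", "ssn", enc["ssn"])
	fmt.Println("decrypted:", string(pt))
}
```

The trade-off a practitioner should take from this: the unencrypted `name` column stays searchable, the encrypted columns can no longer be indexed or compared in SQL, and the security of the whole scheme rests on where the key lives and who can call the decryption routine.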
Encryption and privacy regulation.
Encryption can be mandated by law, depending on your sector and regulatory obligations. You should be aware of any requirements to encrypt and prioritize the relevant data types for encryption urgently. For any encryption relating to compliance, your organization should check whether there is a robust process for reviewing all relevant data and confirming that it has been correctly encrypted. Check with your security team, and with in-house legal counsel, about your privacy obligations.
Encryption and assessment.
Any assessment process for cyber risk will likely ask whether you are encrypting data in specific areas. An assessment will typically ask about data "in transit" (moving across a network) and "at rest" (stored on disk or in a database), about sensitive PII and regulated data types (e.g. data covered by HIPAA), and about the encryption status of your backup files. Failure to demonstrate adequate encryption in these areas may have a detrimental impact on any assessment process for compliance audit, funding eligibility or insurance coverage.
We don't host any data - we can't encrypt anything.
If you have transferred data storage to a third party, you are still ultimately responsible for how that data is handled and stored, because you chose to engage the third party and are responsible for instructing them. When selecting a third party, make encryption of sensitive data a criterion in your selection. When working with them, be clear about your expectations for data encryption and check that they are meeting them. Ask specifically who holds the encryption keys: provider-managed encryption at rest protects against lost or reused storage media, but it does not by itself protect your data from the provider's own staff or from anyone who compromises your account with that provider.
If you have engaged a third party to manage your data storage, seek a written statement about how they handle your data, and submit it as supporting documentation to your insurer or auditor when requested.
Additionally, are you sure that no one in the organization has PII or HIPAA-regulated data stored locally on their device or in a shared piece of software? You should have policies in place for who is and is not permitted to handle sensitive data, and how it should be stored. Encryption, particularly full-disk encryption on laptops and removable media, limits the damage when data is lost through bad habits or disregard for secure data handling practices.
Checklist
When implementing encryption, consider the following:
- What encryption approach is appropriate for the existing set-up and budget?
- Ensure a plan for encryption includes approaches for:
  - Your backup files
  - PII
  - Regulated data types (e.g. data covered by HIPAA)
- Is full encryption required everywhere, or will partial encryption suffice?
- Who generates, stores and rotates the encryption keys, and are the keys kept separate from the data they protect?
- What are the encryption requirements for compliance in your sector and jurisdiction?
- If you have engaged a third party provider, have you instructed them in your encryption requirements and received written confirmation of the steps they have taken?