How should businesses decide what to encrypt? Where should you start?
3 Answers
Start with encrypting any/all information that is security-related. For example, passwords to enterprise applications. Then think about data you don't want to be viewed by anyone who happens to accidentally receive it via email such as payroll records and HR correspondence. Then think about personally identifiable information belonging to customers and business partners. Continue the process to incorporate any legal and regulatory considerations...
The first question should be "If this data were released on the Internet tomorrow, would my business be in trouble?"
If that answer is yes, then the second question should be "Will it cost me more to get out of trouble, or cost more to have all of this data encrypted all of the time?" There definitely is a cost to maintaining encryption systems.
If it costs you more to get out of trouble with unexpectedly released data, then you should be encrypting that data.
First, and most important, you must have a written security policy and plan that incorporates a risk analysis and management strategy. This needs to be periodically updated. Within that you should categorize data according to the threats and risks of unintended disclosure. Encryption should be considered for data where unintended disclosure has significant business consequences, especially if individuals' privacy is involved. There are also Federal, state, and local regulations that mandate encryption as part of privacy protection for certain types of business and personal data.
Encryption is just one of many strategies to mitigate risks of disclosure. While it does provide confidentiality, the main cost is computing capacity. Depending on your computing and network configuration, and other data-protection strategies, adding to your existing computing demands -- which may require an equipment upgrade -- may be an unnecessary added expense. Regulatory compliance may require it, regardless.
Even if you decide to not encrypt your local data stores, you should encrypt all network traffic if it contains business-sensitive data. You should also encrypt remote backup copies of data. But keep in mind that the end-point destinations may produce unencrypted data that can be captured via screen-prints, print-outs, or downloads. Proper treatment and discarding of sensitive data needs to be part of your end-user training and security enforcement procedures. And do not display unencrypted data to users who do not have a clear need to see it.
The encryption algorithm you choose is important. Some earlier ciphers can be broken, so I would recommend Triple-DES or -- even better -- AES 128 or stronger. FIPS 197 and FIPS 140-2 standards must be followed if you must follow Federal information processing rules. Conformance with US healthcare security is one example.