Security measures used to be easy. Put a lock on your filing cabinet, store important documents in a safe, and be careful about who knows the combination.
Not anymore.
The data your company uses is one of the most valuable and sensitive assets available to you — and it’s at constant risk from cyberattackers. Wherever you store your data, it’s important to have a good encryption process to protect it, both ‘at rest’ and ‘in transit’.
Here, we’ll take a look at data at rest encryption and how you can use an encryption strategy to defend yourself from ransomware attacks, phishing, and more.
What is data at rest encryption?
Data is considered to be ‘at rest’ when it is not actively being used or transmitted from place to place. When not at rest, data is known as ‘data in transit’.
Data is considered ‘in transit’ when it’s being carried from network to network, or from one part of a network to another (for example, if it’s being sent from one team member to another’s mobile device). Data in transit can be protected by end-to-end encryption, keeping it secure on the journey.
Data at rest, meanwhile, is usually encrypted in its location, such as in a data warehouse. To access and read the data, users will need an application or tool configured with the encryption key.
How to encrypt data at rest
Data is encrypted through complicated algorithms known as ‘encryption ciphers’. A cipher turns plaintext data into a series of seemingly-random characters called ‘ciphertext’. Once encrypted, the data cannot be deciphered without the encryption key.
Let’s take a simple example, using ROT13. ROT13 is a cipher where you replace each letter with the 13th letter after it. So the phrase ‘this is a secret’ becomes ‘guvf vf n frperg’. The algorithms used to encrypt data at rest are much more complex, but the principle is the same.
That means even if someone did get hold of your phone answering service data, they wouldn’t be able to read your customers’ details — it would simply look like nonsense.

3 things SME owners should know about data encryption
So, what do you, as an SME owner, need to know about data encryption? Here are three of the most important things to understand:
1. Encrypted data can still be hacked
It is much, much harder for attackers to utilise encrypted data. But it’s not impossible. Data is still vulnerable to insider attacks (where it may be decrypted by authorised users, either through malice or error).
Encrypted data can also be decrypted through brute force (in which an attacker goes through decryption possibilities and combinations until they hit upon the right one) or cryptanalysis (which involves analysing the encryption algorithm for vulnerabilities).
So, don’t be complacent — consider implementing extra measures, like a data clean room for sharing data, and regular employee training to prevent human error.
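The brute-force point above, shown on the article's own ROT13 example. This is an added example, not part of the original article: it tries every key of a shift cipher to show why such toy ciphers protect nothing, then compares that with the key space of modern 128- and 256-bit keys. The word list and the guess rate of one trillion per second are constructed assumptions.

```python
import string

ALPHABET = string.ascii_lowercase
# Constructed mini word list, used only to recognise readable English output.
COMMON_WORDS = {"a", "is", "this", "the", "of", "and", "to", "in", "it", "that"}


def shift_cipher(text: str, key: int) -> str:
    """Shift each letter `key` places forward; key=13 is the article's ROT13."""
    out = []
    for ch in text:
        if ch.lower() in ALPHABET:
            shifted = ALPHABET[(ALPHABET.index(ch.lower()) + key) % 26]
            out.append(shifted.upper() if ch.isupper() else shifted)
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def brute_force(ciphertext: str) -> tuple[int, str]:
    """Try all 25 possible keys and keep the candidate that looks most like English."""
    best_key, best_plain, best_score = 0, ciphertext, -1
    for key in range(1, 26):
        candidate = shift_cipher(ciphertext, -key)
        score = sum(word in COMMON_WORDS for word in candidate.lower().split())
        if score > best_score:
            best_key, best_plain, best_score = key, candidate, score
    return best_key, best_plain


def years_to_search_half(key_bits: int, guesses_per_second: float) -> float:
    """On average the right key turns up after searching half the key space."""
    seconds = (2 ** key_bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    secret = shift_cipher("this is a secret", 13)
    print(secret)
    print(brute_force(secret))
    # Assumed guess rate of one trillion keys per second (illustrative only).
    for bits in (128, 256):
        print(bits, f"{years_to_search_half(bits, 1e12):.2e} years")
```

With only 25 keys the shift cipher falls instantly, while a properly generated 128-bit key is out of reach of guessing, which is why attacks on well-encrypted data usually target the key or an authorised user instead.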
2. Not encrypting your data could put you at risk of non-compliance
Authorities and regulatory bodies take business data security very seriously. Under regulations like the APA 1988 and the GDPR in Europe, poor data security could land you in hot water — even if you haven’t experienced a data breach.
So, a strong encryption strategy will not only keep your data safe. It will also keep you on the right side of the authorities.
3. Encryption doesn’t mean your data is inaccessible
Don’t worry, you can make client data safer without making it harder for your staff. Transparent Data Encryption (TDE) ensures that the data remains accessible to anyone with the right level of access, and through authorised tools.
This also acts as extra protection — your employees don’t need access to encryption keys in order to use the data. Additionally, integrating a strong digital address book system into your encryption strategy can further streamline access management and enhance overall data security.
Data at rest encryption best practices
Protect the encryption key. Good key management is vital — keep keys and data separate, regularly switch out keys, and implement secure access protocols.
Choose the right encryption method/service. There are several choices available when it comes to encryption at rest, so make sure it fits your needs.
Encrypt even slightly sensitive files. Don’t skimp on any element of your business’ cybersecurity, especially not encryption. If you’re not sure whether or not something needs to be encrypted, err on the side of caution and fire up that key.
Consider utilising secure document handling protocols even for seemingly innocuous documents like resume templates. These ‘apparently’ harmless files can contain sensitive information about your employees or your organisation once they have been filled out, making them potential targets for cyber threats.
Moreover, when encrypting data at rest, SME owners should also look into leveraging cloud storage solutions, which offer robust security features and seamless integration with encryption methods.
Additionally, incorporating specialised business software solutions tailored to encryption needs can streamline the process and enhance overall data protection measures.
Remember, maintaining data security is crucial for SMEs, especially when expanding into new digital territories such as starting an online store.
By leveraging these technologies, SMEs can strengthen their defense against cyberattacks by providing real-time support and guidance to users navigating security protocols.
Encrypt data at rest to protect your customers and your business
Data at rest is just as much at risk as data in transit. Encrypting it will help to protect it both from malicious attack and human error.
If you’re not sure what data to encrypt, we recommend erring on the side of caution. Given how sensitive data can be, and how seriously many authorities take data security, full-disk encryption may be safer than simply encrypting particular files at rest.
Remember: encryption should be one part of a greater cybersecurity plan, and it relies on other tools like role-based access control and password protection to work.
Contributors

MYOB Subject Matter Experts
