How Encryption Protects Sensitive Data

Many people learned about encryption due to the rise of ransomware attacks. Hackers use encryption to effectively “scramble” a user’s files so that they cannot be read without the correct encryption key. The hackers then demand a payment, usually in Bitcoin, in exchange for the key needed to unlock the files.

But while encryption is used as a weapon in a ransomware attack, it is more appropriately used as a shield against the risk of a costly and embarrassing security breach. When sensitive data is encrypted, hackers won’t be able to read it even if they are able to steal or intercept it.

The growth of the cloud and mobility, along with the rising tide of security threats, is among the many reasons why organizations need to encrypt data. Encryption can protect “data at rest,” whether it’s stored on in-house systems, portable media such as thumb drives, or mobile devices. Encryption is also used to protect “data in motion” as it’s transmitted across networks, sent via email and moved to the cloud.

Organizations in regulated industries have a strong incentive to encrypt data. For example, healthcare organizations subject to HIPAA must notify affected individuals, the Department of Health and Human Services (HHS) and in some cases the media if there is a breach of protected health information (PHI) that is “unsecured.” This does not include PHI that has been rendered “unusable, unreadable or indecipherable to unauthorized individuals” using an encryption method approved by the HHS. In other words, encrypted data is not subject to HIPAA breach notification requirements.

The healthcare sector isn’t the only industry that promotes encryption. Under California’s Security Breach Information Act and similar regulations enacted by a number of other states, companies must disclose even suspected security breaches to all individuals who potentially are affected. Encrypted data is exempt, however.

The Payment Card Industry (PCI) Data Security Standard (DSS) requires the encryption of stored account information — a rule that potentially impacts any merchant that accepts credit cards. It also requires that merchants follow best practices with regard to encryption key management. PCI DSS Requirement 3.6.2 mandates “secure cryptographic key storage,” which generally means that encryption keys must be encrypted themselves.

Many organizations operate under the assumption that encryption is complicated and makes finding and retrieving information more difficult. There’s also a measure of risk — if the encryption key is lost or corrupted, the encrypted data is lost along with it. It sounds a little too much like ransomware.
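The two points above, that stored keys should themselves be encrypted and that a lost key means lost data, are easiest to see in code. The following Go program is an added example written for this article, not Verteks or Datto code: it uses the standard library’s AES-256-GCM to encrypt a record under a per-record data-encryption key (DEK) and then “wraps” that DEK under a separate key-encryption key (KEK), the pattern usually called envelope encryption. The record layout, the associated-data labels and the sample card number are constructed for the example. It also goes one step beyond the text by showing KEK rotation, which re-wraps the DEK without touching the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what would land in storage: the record ciphertext
// plus its DEK, stored only in wrapped form. The KEK is kept elsewhere
// (HSM, KMS, or at least a separate key store). Hypothetical layout.
type EncryptedRecord struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// Associated data binds each ciphertext to its role, so a wrapped DEK
// cannot be passed off as record ciphertext or vice versa. Constructed labels.
var (
	aadDEK    = []byte("example/dek/v1")
	aadRecord = []byte("example/record/v1")
)

// sealGCM encrypts plaintext with AES-256-GCM under key and prepends the
// random 12-byte nonce to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. GCM authenticates before it decrypts, so a
// wrong key or tampered data yields an error, never garbage plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a fresh DEK for this record, encrypts the
// plaintext under it, and keeps the DEK only in KEK-wrapped form.
func EncryptRecord(kek, plaintext []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, aadRecord)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, aadDEK)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
// Without the right KEK the first step fails and nothing is recovered:
// that is the property breach-notification exemptions rely on, and also
// why losing the KEK means losing the data.
func DecryptRecord(kek []byte, rec *EncryptedRecord) ([]byte, error) {
	dek, err := openGCM(kek, rec.WrappedDEK, aadDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, aadRecord)
}

// RotateKEK re-wraps the DEK under a new KEK. The bulk ciphertext is
// untouched, so rotating the master key costs one small re-encryption
// per record instead of re-encrypting every stored byte.
func RotateKEK(oldKEK, newKEK []byte, rec *EncryptedRecord) (*EncryptedRecord, error) {
	dek, err := openGCM(oldKEK, rec.WrappedDEK, aadDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with old KEK: %w", err)
	}
	wrapped, err := sealGCM(newKEK, dek, aadDEK)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Ciphertext: rec.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // in production this comes from an HSM/KMS, not the data store
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed sample (a standard test card number)
	rec, _ := EncryptRecord(kek, pan)
	got, err := DecryptRecord(kek, rec)
	fmt.Println("correct KEK:", string(got) == string(pan), err)
	_, err = DecryptRecord(make([]byte, 32), rec)
	fmt.Println("wrong KEK:", err)
}
```

Run it with `go run .`; the first line reports `true <nil>` and the second reports an authentication error, because a KEK that is not the one used for wrapping cannot unwrap the DEK. The design choice worth noting is that the KEK never sits beside the data: if storage is stolen, the attacker holds ciphertext and wrapped keys only, which is what PCI DSS means by keys being encrypted themselves, and it is also why the KEK must be backed up and escrowed with the same care as the data.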

Now, however, there are a number of solutions that simplify and streamline the encryption process. Verteks can help you take advantage of:

  • Datto Drive, a cloud-based file sync and share solution that automatically encrypts data at rest and as it travels to and from the cloud
  • Datto NAS, an onsite storage device that features end-to-end encryption
  • Datto SIRIS 3, an integrated backup solution that allows for encryption on the local Datto appliance as well as in transit to the Datto cloud

Although encryption has gained a negative reputation in the context of ransomware attacks, it remains a powerful tool for protecting sensitive data, meeting regulatory requirements, and preventing a costly and embarrassing security breach. Contact Verteks if you need help selecting and implementing an encryption solution.
