Sensitive information every business should keep encrypted.
A recent study by Sophos indicates that 87% of the organizations surveyed encrypt their data to some degree. They know it’s crucial to protect proprietary company data. But what other types of data are they encrypting?
If it’s sensitive data, a business should encrypt it. It’s one of those answers you know is right, but you don’t like hearing. The truth is that the type of business you run determines the data you create, use, and store. The best way to approach deciding about encryption it is to ask if the data has the following characteristics. If it does, you should keep it encrypted.
Here’s What’s Sensitive
- Your confidential business data – It’s likely most of this data falls under no compliance regulations. The irony is that it’s often the target of attacks. It could be worth billions of dollars. Why wouldn’t you want to encrypt this data? It keeps trade secrets, business intelligence, sales data, and research out of the hands of those who want to sell it to your competitors.
- Accounting data – The Sarbanes-Oxley Act regulates the reporting of financial data by public companies. It requires stringent and auditable data security measures. Encryption is the best way to comply.
- Government data – All U.S. governmental agencies are required to follow FISMA guidelines to protect data from security breaches. Does your company work with a government agency? You risk more than losing them as a customer if that shared information is compromised. Information about government programs falls under these regulations.
- Health data – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information. The Act was updated in 2013. Health insurance data, medical information, and identifying information such as home addresses or social security numbers must be kept private. It’s a requirement if it’s reasonable and appropriate to encrypt the information. If you’re audited, be prepared to demonstrate why you believe encryption isn’t necessary.
- Financial data – This is any kind of financial data you store or use to do business with customers. It includes credit card information, bank account numbers and credit-related information. PCI DSS regulations require strict security measures for any company that deals with credit cards. PCI DSS stands for Payment Card Industry Data Security Standard. These are standards merchants must follow which includes encryption requirements.
- Individual data – If your company collects data that could be used for identity theft, you must comply with U.S. and international laws governing Personally Identifiable Information (PII).
Encryption and the Cloud
Encryption has to be a part of every company’s cloud strategy. The good news is that your cloud service provider is on top of the game.
Cloud encryption services can provide protection of your data wherever it is located in the cloud. The policies for what should be encrypted, though, start with you.
4 Questions about Your Data
You know it needs protection. Encryption is the best solution. To make encryption the foundation of your data protection strategy, you need to know your data’s lifecycle. Ask these four questions. They’ll help you uncover areas of threat.
1. How does data flow into and out of your organization?
2. How do your organization and your people make use of data?
3. Who has access to your data?
4. Where is your data?
Not Just What, but When
U.S. government laws and industry regulations mandate that sensitive data must be protected. Compliances and regulations for data security also apply to the state of data. It must be secure when it’s at rest, during transactions, and when it’s distributed through network connections.
The protection of data in its physical location and state has become even more important because of cloud storage and computing. All governments may not yet demand cloud encryption. Your industry may just be coming around to a strong push for it. You might find that the loudest demand for encryption protection is coming from your customers. This is because most sensitive data companies keep records of transactions with customers.
