Sensitive information needs protecting from unauthorised access. Paper records such as staff details can be locked away. Information held electronically needs to be encrypted; the device it is held on may also need to be encrypted to provide another layer of security. For encryption to work, the key used to encrypt the data has to be secret and stored securely. If someone else knows it, or can easily guess it, they can get access. Also, keep all keys in a safe place: if a key is lost, you lose access!
Desktops, Laptops, Mobile Phones and Tablets – enable the built-in encryption option or use software such as BitLocker.
Files and Databases – encrypt the data and store it in restricted areas of the network.
Backups – if they are done to the Cloud, check that data is being encrypted during transfer and at rest using 256-bit AES encryption. You may also want to encrypt the data before it is backed up. If backups are being done to physical devices, put a password on the device or file, or encrypt the data on the device.
Website – use HTTPS connections.
If you have the necessary encryption in place, will your information be protected? Yes…and No. It is protected against anyone who manages to access a file or database from a backup or a stolen device, but not from a hacker who has got into a system with the level of access that applications use to read or write data. That hacker will have the key to decrypt the data and will be able to copy, modify or destroy it. This does not mean encryption isn’t worthwhile. It is needed, but it is only effective as part of a security strategy that has other defences, such as reviewing who has access to restricted areas of the network, ongoing penetration tests, and intrusion monitoring to detect unexpected access attempts.
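As an added example, not part of this guidance, the "encrypt the data before it is backed up" step from the Backups item above, done in Go with AES-256-GCM from the standard library; the names NewBackupKey, Seal and Open are assumed. It also makes the point of the last paragraph concrete: anyone holding the key can call Open, so the key is what must be protected, while authenticated encryption means a modified or corrupted backup is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// NewBackupKey returns a random 256-bit AES key. Keep it secret and stored apart
// from the backup: whoever holds it can read the data; if it is lost, so is the backup.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256 in aes.NewCipher
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM into nonce || ciphertext || tag; any change to the blob is caught by Open.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every backup
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob from Seal; it fails if the key is wrong or the bytes were altered.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed backup too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

Write the output of Seal to the backup location and keep the key somewhere else (a password manager or a key vault), never alongside the encrypted file.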