You’ve been grinding it out to get through an endless list of compliance requirements. Each one seems more complicated and demanding than the one before it. Finally you get to the data encryption item and you breathe a sigh of relief.
This one’s easy. Yes, you encrypt your data. Check that off the list, stretch your legs, and move on.
Unfortunately, it’s not that easy.
You can’t simply say that you encrypt your sensitive data and count your work as done. What you don’t know about your encrypted data can hurt you. Let’s take a moment to go through the common aspects of data encryption that most organizations aren’t paying enough attention to.
What Data Do You Have?
For all of your sensitive data to be encrypted, you have to know where it’s coming from, what you do with it and where it’s being sent to. This is more complex than you might expect, because it’s easy to assume you know where you get your data from. You have basic business processes that describe how data comes into your organization. But as you begin talking with people in your company and asking them about how they actually do their work, you’ll often discover that there are exceptions to the established norms you believed to be in place across the organization.
For example, Anne in Accounting is doing invoicing. Each month she goes in and generates bills, but some clients want to pay with a credit card. So Anne keeps a spreadsheet of credit card numbers on her laptop so that she can process those clients’ invoices each month.
Find out what data you actually have and where it is. Interview personnel from all departments and ask how they actually do their jobs and how they handle sensitive information.
Where Is Your Sensitive Data Hiding?
You’ve discovered that Anne in Accounting has been using her own method, but what about the person who used to be in her position? It may be that the previous person had also stored data in some location that no one knew about.
Understanding how your current people do their work is one thing. You also need to find the data that’s lurking out there that previous employees left behind.
Go through all of your systems, your laptops and workstations, your servers, and any other machine that stores data. Scan them all so you can identify all of your information and where it sits. Then either delete it or move it to a secure storage location while evaluating existing procedures to make appropriate changes.
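An added example (not part of the original post) of the sweep described above: a small Python scanner that walks a directory tree, flags files holding likely card numbers (Luhn-checked, so order numbers and other digit runs don't trigger it) or social security numbers, and reports only the last four digits so the report doesn't become one more copy of the data. The sample files built in `demo()` are constructed for illustration; a real sweep would also need to read spreadsheets, databases and other non-text formats.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# 13-19 digits, optionally separated by spaces or dashes (as card numbers
# appear in spreadsheets and e-mail); SSNs in the common 3-2-4 form.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Report only the last four digits of each hit, so the report is not another copy."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits[-4:])
    ssns = [m.group()[-4:] for m in SSN_RE.finditer(text)]
    return {"cards": cards, "ssns": ssns}

def scan_tree(root: Path) -> list[tuple[str, dict]]:
    """Walk every file under root and list the ones holding sensitive data."""
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: log it elsewhere, keep scanning
        hits = scan_text(text)
        if hits["cards"] or hits["ssns"]:
            findings.append((path.relative_to(root).as_posix(), hits))
    return sorted(findings, key=lambda f: f[0])

def demo() -> list[tuple[str, dict]]:
    """Constructed sample tree: an invoicing export like Anne's, an HR note, an order log."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounting").mkdir()
        (root / "accounting" / "invoices.csv").write_text(
            "client,card\nAcme,4111 1111 1111 1111\nGlobex,5500000000000004\n")
        (root / "hr_note.txt").write_text("New hire SSN 123-45-6789 on file.\n")
        (root / "orders.log").write_text("order 1234567890123456 shipped\n")
        return scan_tree(root)
```

Each path `demo()` returns is a place where sensitive data sits in the clear and needs to be deleted or moved to secure storage, which is exactly the inventory the step above asks for.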
What Counts as Sensitive Data?
“Sensitive information” is a fuzzy term that can mean different things to different people under different circumstances. So how do you define what sensitive data is for your organization?
There are varying degrees of sensitive information. The names of your products probably aren’t sensitive data, because they’re public knowledge. At the other extreme, you may be collecting credit card information, social security numbers, or driver’s license numbers — all of which are clearly sensitive information.
But there’s a middle ground that you need to think carefully about. A lot of people will overlook elements of personally identifiable information (PII) and assume they aren’t sensitive. I often hear clients say, “Oh, this is just their name, phone number, and email address. That’s not sensitive information.”
But consider the information you have, and imagine that you’re the reason that customers’ names, phone numbers, and email addresses are exposed to the public. How big of a deal would that be for your clients?
For some organizations, it would be catastrophic — especially if their customers don’t want to be publicly affiliated. But my guess is that your customers don’t want their PII leaked, simply because it’s their information and on principle alone.
I’ve seen organizations shrug their shoulders at the scenario, then have their butts handed to them by their clients after a public data breach because their information was made public. Regardless of what data was publicly exposed, the fact that your organization is affiliated with a data breach of any type is enough to destroy the confidence clients have in your ability to protect any of their information.
Treat all of your PII as sensitive data and you don’t have to worry about how customers might react. It’ll be appropriately protected and won’t even be an issue.
Are Your Encryption Algorithms Strong Enough?
The big risk for any company is that somehow a bad actor gets onto your systems. If the data isn’t encrypted, they can simply read it. It would be like someone sitting down at your computer when it isn’t locked and reading your emails.
Look at the encryption algorithms you’re using to store information. Make sure you have the information stored properly, that it’s encrypted and not stored in the clear.
Also look at the strength of the encryption algorithm and the encryption keys that are used. It’s one thing to say that your data is encrypted, but there are strong encryption algorithms and weak algorithms.
As hackers’ techniques and tools improve, it becomes easier to break through legacy algorithms. New algorithms are developed to stay ahead of the bad actors, and it’s critical to continue to review and update your encryption algorithms on a yearly basis. The longer you’ve been using the same algorithm, the greater the chance that it’s outdated and weak.
Keep current on the industry trends, as well. Refer to industry resources that list encryption algorithms that are still considered acceptable, and which ones should be deprecated.
Should You Use the PCI DSS Framework?
The PCI DSS standard was originally developed to protect credit card data, but it also provides an excellent framework for any business that needs to protect and encrypt any kind of sensitive data. PCI is very detailed, giving you a clear set of requirements to ensure you’re adequately protected.
TCT frequently recommends that our clients become compliant with PCI DSS and use that standard as the framework for their approach to security, even if they aren’t in the payment card industry. Clients should simply leverage PCI DSS with a scope of “Sensitive Data” rather than just cardholder data. It provides a greater level of security and protection for their encrypted data, and it makes it simpler to become compliant under additional frameworks, since the line items readily map to secondary standards.
Make Data Encryption Simpler
Better security means more effort than simply checking the “encrypting your data” box, but you can make the work more manageable by using TCT Portal. Our compliance management system simplifies and streamlines the work of compliance management. With TCT Portal, following and validating data encryption requirements becomes a bite-size activity.