How to follow data encryption best practices

One stolen laptop amounted to an enterprise’s worst nightmare last summer – and it was a lesson all IT pros should keep in mind. A doctor at Houston-based MD Anderson Cancer Center lost a laptop in a home robbery – a laptop that included 30,000 plus highly sensitive patient records. The records reportedly were unencrypted, leading national media to put MD Anderson in the headlines so patients who’d been treated there knew that their personal records were at risk.

Terrible news for patients and the doctor to be sure, but IT in a case like this is left holding the bag. Don’t let the Bring Your Own Device (BYOD) trend and the boom of cloud services put your enterprise at risk. What you need are some best practices to put in place. Take a look at our suggestions below to make sure there aren’t any holes in your policy.

1. The first best practice is obvious but not easy. You need a thorough outline of your enterprise’s risk profile, required standards, data and hardware usage and goals. Don’t be afraid to be overly detailed about it. If there was ever a time to dot every i, it’s here.

Sure, you want to make sure you understand regulatory and compliance standards covering data privacy and where data resides, such as HIPAA, PCI and Gramm-Leach-Bliley (GLB). Make sure you find out how and to what degree your enterprise is required to meet these and other requirements – and when and whether it makes sense to go above and beyond them.

Do the tools you use conform to HIPAA and PCI regulatory and compliance standards? Take a long hard look at the issue.

And review your data centers, too. You might take a page from government agencies and contractors and go the longest mile. Government enterprises typically need to ensure that all data centers on which they rely are compliant with FIPS, aka Federal Information Processing Standard. This is basically a set of standards around data encryption that outlines and details four levels of security, each supporting higher levels of encryption, use of ciphers, key and signature protections. Take a look at it. Figure out what is the most and least you could do and determine exactly where you want and need your data and devices to be on that spectrum.

2. Hang on to the keys. Assuming you’re not going to do an MD Anderson and you carefully encrypt data that’s sensitive, handling encryption keys couldn’t be more important. Your enterprise absolutely needs a central, one-stop repository to hold and manage all keys. These should never be handled by silos, individuals or employees. Data encryption keys and practices must be centralized – regardless of whether the data is on company-owned or personal equipment used by employees at work.

3. As for what’s encrypted, decide what you’ll encrypt, what level you want to encrypt it at and encrypt all data before it goes into the cloud or onto any network, authorized or otherwise. Likely you don’t or won’t want to encrypt every single bit of data, but do some deep, out of the box thinking about what data needs to be encrypted that is outside of the obvious. Especially analyze the data your employees are taking in and out of the office via internal networks, external networks, email or into the cloud via SaaS systems or just Google docs and so forth. Hackers, competitors, thieves and other malevolents depend on slack policies in this regard. Head them off at the pass.

The simple, bottom line is to encrypt any data you care about before it goes into the cloud. Talk to department heads to see what data you might be missing that should be encrypted by IT with keys you centrally manage. Most enterprise applications now allow you to do this – and they let you keep the keys.
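As an added illustration of points 2 and 3 (this code is not from the original article), the Go sketch below encrypts a record on the client before upload: each record gets its own data key, and that data key is wrapped under a key that only IT holds. The names `EncryptForUpload` and `DecryptDownload`, the key ID `kek-demo` and the in-memory `kek` are hypothetical; in practice the wrapping key would live in your central key repository.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only a broken platform or a coding mistake gets here
	}
	return v
}
// seal encrypts with AES-256-GCM and returns nonce||ciphertext; label is authenticated only.
func seal(key, plain, label []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plain, label)
}
// unseal fails on a wrong key, a wrong label or any modified byte.
func unseal(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(sealed) < 12 { // 12 = standard GCM nonce length
		return nil, fmt.Errorf("bad key length or truncated data")
	}
	return must(cipher.NewGCM(block)).Open(nil, sealed[:12], sealed[12:], label)
}
// EncryptForUpload returns the only two values the cloud stores: data key wrapped by kek, and body.
func EncryptForUpload(kek []byte, keyID string, record []byte) (wrappedDEK, body []byte) {
	dek := make([]byte, 32) // fresh data key for this record only
	must(rand.Read(dek))
	return seal(kek, dek, []byte(keyID)), seal(dek, record, []byte(keyID))
}
// DecryptDownload needs the central key again; the stored blobs alone are useless.
func DecryptDownload(kek []byte, keyID string, wrappedDEK, body []byte) ([]byte, error) {
	dek, err := unseal(kek, wrappedDEK, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return unseal(dek, body, []byte(keyID))
}
func main() {
	kek := make([]byte, 32) // constructed stand-in for the centrally managed key
	must(rand.Read(kek))
	w, b := EncryptForUpload(kek, "kek-demo", []byte("constructed sample record"))
	fmt.Printf("%s\n", must(DecryptDownload(kek, "kek-demo", w, b)))
}
```

Because the key ID is bound into both ciphertexts, a blob re-labelled with a different key ID fails to decrypt instead of silently opening under the wrong key.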

4. Never forget mobile, your single greatest data risk particularly as user-owned and company-issued tablets, smartphones and laptops proliferate and increasingly move around with users. The mobile revolution happened so much more quickly than most IT shops were able to deal with, as the MD Anderson debacle showed. Avoid that mistake by requiring full disk data encryption on every moving device – including USB drives. It’s better to be safe than to risk business, embarrassment or worse, customer trust. And again, it bears repeating, make sure IT centrally holds the keys and manages them carefully.

5. Educate coworkers, executives and users about the supreme importance of data encryption best practices. Requiring full disk data encryption is costly, but it is less costly than what could happen in the event of lost or stolen sensitive data – or data you didn’t even realize was being generated. Check out this TechPageOne piece and infographic on the True Cost of Full Data Encryption.

Gina Smith

Gina Smith is the NYT best-selling author of Apple co-founder Steve Wozniak’s memoir, "iWOZ: How I Invented the Personal Computer and Had Fun Doing It." She is editorial director at Reach her at [email protected], Google + or @ginasmith888.