We’ve recently talked about some of the main reasons why you need to encrypt your data. And we showed you the potential consequences when your data isn’t encrypted.
So now that you’re ready to look more closely at encryption in your organization, where should you begin?
Every organization is different, so there is no one-size-fits-all data protection strategy. Before you can put your strategy into an actionable plan, you need to answer the following four questions.
1. How does data flow into and out of your organization?
Do you receive emails with file attachments, or send them out? Do you receive data on USB sticks or other removable media? How does your organization store and share large amounts of data internally and externally? Do you use cloud based storage services like Dropbox, Box, OneDrive, etc.?
What about mobile devices and tablets? According to a Sophos survey, the average technology user carries three devices. How do you rein in the wide range of devices that have access to enterprise data?
You should look for an encryption solution that is built to adapt to the way you use data and how data flows within an organization.
Use case example: With more and more businesses using cloud storage, you need a solution that secures cloud-based data sharing and provides you with custody of your encryption keys.
2. How does your organization and your people make use of data?
What are your employees’ workflows, and how do they go about making their day-to-day jobs more productive? What tools, devices or apps do they use and do any of those present a possible vector for data loss?
You need to understand how employees use third-party apps, and whether you should prohibit what is often called “shadow IT,” if you can trust the security of those systems, or bring development of these tools in house.
3. Who has access to your data?
This topic can be both an ethical and regulatory discussion. In some situations, users should not ethically have access to certain data (e.g., HR and payroll data).
Worldwide, there are some data protection laws that stipulate only those who need data to perform their tasks should have access to it; everyone else should be denied. Do your employees have access to just the data they need to do their job, or do they have access to data they do not need?
Use case example: IT administrators tend to have unlimited access to data and IT infrastructure. Does the IT administrator need access to everyone’s HR data, or access to the legal department’s documents about the latest court case? In a public company, should people outside of the finance department have access to the latest financial figures?
4. Where is your data?
Centralized and mostly contained in a data center? Completely hosted in the cloud? Sitting on employee laptops and mobile devices?
According to a Tech Pro Research survey, 74% of organizations are either allowing or planning to allow their employees to bring their devices to their office for business use (BYOD). Employees are carrying sensitive corporate data on their devices when they work from home and on the road, increasing the risk of data leaks or compliance breaches. Think how easy it would be to access confidential information about your organization if an employee’s smartphone gets stolen or misplaced.
Challenges and solutions
According to the 2015 Global Encryption & Key Management Trends Study by the Ponemon Institute, IT managers identify the following as the biggest challenges to planning and executing a data encryption strategy:
- 56% – discovering where sensitive data resides in the organization
- 34% – classifying which data to encrypt
- 15% – training users on how to use encryption
Unfortunately, there is no one-size-fits-all solution to these challenges. Your data protection plan must be based on your business: the type of data your business works with and generates, local/industry regulations, and the size of your business.
Employees need to understand how to comply with a clearly defined data protection plan and how to use encryption. They must be clearly told which data they have access to, how this data needs to be accessed and how they can protect this data.
Most importantly, you need to ensure that you can both offer and manage encryption in such a way that it doesn’t impact the organization’s workflows.
To learn how Sophos SafeGuard Encryption helps you address these challenges, check out our blog post about things to consider when choosing the right encryption solution. And download our free whitepaper, Deciphering the Code: A Simple Guide to Encryption.
You can read the original article, here.