Stimulus Tech Talk: Why Businesses Should Use Encryption
Encryption is a big part of keeping important business data, records, and client information secure. Any information that would cause disruption and issues for a business if it got out to the public should be encrypted. Whether in transit, such as an email, or at rest, such as files stored on a laptop or server, the data should not be accessible to hackers.
What is encryption?
In short, encryption is using technology to lock down data so it can only be accessed by those who have authority to view it. Typically a code, passphrase, key, or combination of those things is needed to be able to access the data.
What kinds of data should be encrypted?
As noted above, any information that shouldn't be common knowledge to the public should be encrypted. This includes:
- Credit card numbers
- Social Security numbers
- Medical records
- Addresses
- Customer and Employee birth dates
- Proprietary information
- Customer lists
Are businesses required by law to encrypt information?
In most cases, businesses are required to encrypt any private information of customers and employees. The specific requirements vary by state and by business type. Businesses that fail to comply with regulations may face legal action and fines if private information is leaked to the public.
Stimulus Technologies helps our clients stay in compliance with regulations. If you are interested in help with privacy compliance, visit our Contact Us page to schedule a consultation.
Stimulus Tech Talk: Why Businesses Should Use Encryption transcript
Intro 0:00
You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.
Sherry Lipp 0:09
Welcome to Stimulus Tech Talk. I am Sherry Lipp, marketing manager here at Stimulus Technologies. And I am excited for our discussion today. I'll be talking to our CEO, Nathan Whittacre, about encryption. And I don't think I'm alone in feeling like I don't know a lot about encryption. So I'm looking forward to learning more. Welcome, Nathan.
Nathan Whittacre 0:28
Thanks, Sherry. It's good to be here.
Sherry Lipp 0:30
To get started, let's talk about, like, why encryption is important for businesses to think about.
Nathan Whittacre 0:36
There's actually a lot to say about encryption that's important. And so basically, encryption is taking data that you have, whether it's data that contains personally identifiable information or information that might be, you know, risky to hold, like, you know, or contains a lot of risk from a compliance purpose, like credit card numbers, social security numbers, home addresses, birthdays, things like that, that, you know, if it got out into the public, it could cause your business or your employees or your customers issues. So what we want to do, from an IT perspective, if you have to have that data stored, is we want to have it stored in a manner or transmitted in a manner that a hacker couldn't access it either directly or indirectly. And so encryption is taking that data and using certain sets of technology, whether it's a combination of some type of passphrase or code or key that you have to have to be able to access that data. And when we talk about data, we have to look at it, what we call in the security world, either at rest or in transit. So at rest means it's just kind of like it sounds, it's stored somewhere. And then in transit is when you're trying to communicate it with somebody else. We have to look at both sides of encryption when dealing with data, especially personally identifiable information or, you know, critical data for your business or your customers.
Sherry Lipp 2:07
Okay, so when I've thought about encryption, I've usually thought about encrypted emails. But so we're encrypting data that has actually been stored too?
Nathan Whittacre 2:14
Right. So encrypted emails would fall into that in transit category, where you're communicating that data with somebody else. Stored is important because, you know, we're living in a mobile society now. And, you know, I have a laptop, most people have some type of mobile device. And if there's data that's PII, or under compliance, or whatever it may be, that should be encrypted also, in whatever storage medium that it is.
Sherry Lipp 2:41
Is there data, then? You listed off quite a few things that are kind of on the more obvious side, as far as personal information and private information. Was there anything that people might not think of as needing to be encrypted?
Nathan Whittacre 2:53
I think anything that is important from a business perspective, anything that's important to your company, and if it got outside your organization, it could cause you harm. So maybe think about customer lists; those might be important. Maybe it doesn't have PII with it, but it is kind of your bread and butter for your business. So, you know, if that information got out. Potentially invoicing, because hackers, you know, want to use invoicing as a potential threat to your company to get access to your vendors. Intellectual property inside your organization. So if you have, like, a secret sauce, or even, you know, as far as patents go, or, you know, procedures inside your company, those also should be encrypted, just for the reason that if that information got outside the organization, it can do you harm. Just a quick story on that to think about is, you know, for example, I mentioned customer lists. Let's say, and this is a story that I know about recently, so I'll share it directly, let's say this organization that I know of had some employees that they didn't know were disgruntled while they were working for them. They said to themselves, or took, as they were planning on leaving, customer lists, invoices, the way that they were doing business with these customers. And then the employees left and started a competitive company against this organization. And, you know, they were bound under noncompete agreements. But in the end, the harm was done by having that information that was able to leave the organization and no way to delete that data post transmission. So, you know, think about any data that might compromise your organization could be encrypted. There's, you know, there's ways, it's a little bit more difficult to stop it once it's left the organization, but there's even ways to do that. You know, the other thing I think about is, like, passwords are really important to be encrypted inside our organization.
You know, we have access to a lot of passwords for a lot of people, as most managed service providers do, in an internal password system. And so if an employee leaves our organization, we have to identify, you know, what passwords that employee had access to; all that data is encrypted. And then if they ever leave, we go in and change those passwords and disable access to that encrypted system for the employees. So, you know, there's a lot of data inside your organization that you might not think about that is critical to the operations of the company; that should be encrypted.
Sherry Lipp 5:11
Are there, we talked about compliance in the last, you know, couple of podcasts, including one about compliance. Are there legal requirements for encryption?
Nathan Whittacre 5:20
There are a lot of legal requirements, both federally, from, you know, working with, like, the federal government of the US. But ironically, Nevada, where our headquarters is, is one of the first states that passed a state rule requiring encryption for personally identifiable information that's being transmitted. Most states have now followed along, and any data that has PII, and that could be, you know, social security numbers, birth dates, even, you know, linking a name with an address, it needs to be encrypted when transmitted. And then, you know, storage at rest, you know, depending on what compliance you might be under, if you're a CPA firm, if you're under HIPAA, you know, that data now needs to be encrypted at rest and in transit. So there's a lot of federal regulations, depending on what type of company you are. But for all businesses, most states now have some type of encryption requirement that requires businesses to encrypt data when it's being transmitted. I think it affects all businesses, and it's just good hygiene, it's good practice too. And it's hard, I get it. You know, I deal with this periodically, you know, I'm working with outside vendors or customers, even, you know, maybe attorney firms, things like that, and they want you to send data, you know, just send me an email with, you know, this credit app filled out, and, you know, it includes, you know, bank account information, social security numbers. And I have to remind these vendors all the time that I'm not going to send that via email, because, you know, that could be intercepted, and then information can get out. So it's important for all of us to be vigilant about that, especially when dealing with other companies, or, you know, our customers or vendors. And if a customer, you know, it's not the fault of the business if the customer starts it, you know, maybe sends some information unencrypted.
But certainly the business needs to take the responsibility to stop that communication unencrypted and go through a different method to get, you know, and make it easy as possible to get that information back and forth in the future.
Sherry Lipp 7:20
What repercussions might a business face if they're not using proper encryption?
Nathan Whittacre 7:25
So there's what's known as the Red Flags Rule, which kind of encompasses a lot of this. Just to use an example, let's say you have some PII that's stored on a laptop. You know, a great example of this is a few years ago, there was a laptop stolen by the federal government that, you know, millions of social security numbers, I believe they were veterans, were leaked, were lost, and they were stored unencrypted on this laptop. So there could be major suits that happen against the organization. You might, as a company, have to pay for credit monitoring of your customers, especially if you're dealing with residents, people, individuals, consumers. Some states could impose fines. I know, for example, California itself, on top of any federal fines for a HIPAA violation, California puts a $10,000 per patient record fine for lost data. So let's say a hacker gets into your system and is able to get access to patient records. Let's say you're a small single practitioner, but you might have 500 or 1000 patient records; if those get lost, it's per patient record. So that could be hundreds of thousands, or millions, of dollars of fines that the state of California could impose on top of, you know, federal government impositions of fines. So, you know, it's lost trust in your business, because you have to notify your customers. I'm sure we've all gotten the letters in the past: we were part of a data breach, your information might have gotten out, you can sign up for credit monitoring. And then you think twice about doing business with that company again. And then, you know, obviously, the legal side of things, that you might have to notify the regulators, maybe pay fines associated with it if you're not doing the right things. So, I mean, it just opens up a huge can of worms, both from a customer perspective and a regulatory perspective. So it's important to take this really seriously, because it does come with a huge cost if not done properly.
Sherry Lipp 9:22
And are there ways, and I guess I might be thinking more of the in transit side, that an employee can circumvent encrypting data, you know, to avoid having to take those steps to do it?
Nathan Whittacre 9:35
Well, you can always, you know, through email systems, you can always enforce encryption. There's ways to do that; it's a little bit more difficult. And this is a little bit different conversation, but, you know, identifying and segregating your data so that not everybody has access to the data. It also is employee training, because a lot of, I mean, 99% of the time, it's just employees not being trained, or the systems are too difficult to follow. So, you know, proper employee training to make sure that they understand their responsibility of, you know, only sending encrypted data if there's confidential information, and making sure they receive it, but making the systems as easy as possible. So for example, in our system with email that we supply to our customers, there's a little button that says encrypt your email. So it's as easy as just clicking a button saying, I need to send this email encrypted, and it encrypts it, and the user on the other side has an easy way to get access to it. So making it as simple as possible. You know, when dealing with vendors and things, ask them if they have a portal to upload data. And again, just ensuring that's occurring. One thing I mentioned, at rest, I think it's important. I mentioned laptops a few times, but there's an easy way built into Microsoft Windows that you can do a full drive encryption on all, you know, all devices. And it requires you to have a business computer, which I recommend to all our clients, have, you know, a professional computer and a professional version of Windows too. So, you know, if you go down to your local, you know, consumer store and buy a machine, it's usually coming with a Home Edition. So it has to be a business edition or professional edition of Windows and an actual business computer. And you could do a full drive encryption for free; it's built into the machine itself. And that protects you from that stolen laptop scenario.
One thing, you know, talking to companies periodically, is they say, well, you know, all that data is in our CRM or in our accounting system. But, you know, you get onto the individual users' computers, and you realize that they're, you know, exporting Excel documents, printing, you know, doing print to PDF, and those are all stored in temporary folders, or maybe the Documents folder on the machine. And once you do a scan, you realize there's actually a ton of PII that's been stored on that computer that's been exported outside of those systems. So it's really important to either, you know, have the employees wipe that, and make sure that drive is fully encrypted, because you can't 100% trust employees are going to be clean on their data. Free option, get the full drive encryption; it's also available on Mac too, on their pro version. So I recommend that everybody has full drive encryption. It's an easy insurance policy.
Sherry Lipp 12:20
So if a business is new, or hasn't done it, or has come into data that they didn't need to encrypt before, but now they know they have new data, what steps should they take to begin this process? Is it something they can do on their own, or should they work with a professional?
Nathan Whittacre 12:35
I think the first thing is working with a professional that can do an audit of the system, some type of network scan or computer device scan, to identify where that data is at. Because a lot of times, if they're not familiar with this and they need to implement it, they might not know where all their data is at. So working with a professional that can do these scans, looking for PII on the system, helps them identify it. You know, doing full drive encryption is pretty simple. It might be a little bit more complex if you're always interacting with clients; let's say you're a CPA firm, you know, it might be a little bit more complicated setting up, like, an online portal or some way for your customers to get access to or to send you data, because that's usually where the issue is, is a customer or client sent you data that shouldn't be encrypted, and then make it easy for them. So, you know, we don't accept any data except through our portal. And you might have this need to have a security professional or an IT professional help you set that up. So I do think this is an important enough topic, or issue, that having professionals help you with this is really important.
Sherry Lipp 13:40
Are there any common methods for encryption? Or is it tailored to an individual's business or an individual business?
Nathan Whittacre 13:46
Well, there's certainly, like I mentioned, the full drive encryption that is built into both Windows and Mac. So that's a common method. You know, email systems, there's a ton out there that allow for that ease of encryption; some of them are built into Microsoft 365. So you can have your IT people enable that as an option. We like using the third party because it's usually a little bit simpler than the 365 built-in systems. And then the online portals, there's quite a few out there that are available. One thing to note is a lot of the online systems, like Dropbox or OneDrive or box.com, those systems don't by default have encryption built into them. So you need to make sure that you're using the professional version or the enterprise version that would have built-in encryption. So choosing those online storage systems, ShareFile, Dropbox, SharePoint, all those will require you to make sure that you have encryption enabled, or buying their product that has encryption, when storing data in there at rest. So that's one thing I'd recommend looking into. You know, it is a complicated topic. Some of it's pretty easy to do. Some of it actually takes a little bit more thought and time to set up.
Sherry Lipp 15:01
All right, well, thanks so much, Nathan. This was very useful information. I learned a lot, so thank you.
Nathan Whittacre 15:06
As always, thank you, Sherry. Have a great day, everybody.