Many online blog posts about encryption throw around hard-to-understand terms, images of a hacker backed with lines of irrelevant code, and scare tactics that turn you away from actually understanding the content. We’re going to take a much different approach in this post. I’ll discuss what encryption is, why it is important for your business, and where you can deploy it without drastically changing your current routines and setup, hopefully without losing you in technical jargon. Let’s begin, shall we?
What is encryption?
Cloudflare has a great definition of encryption that isn’t packed with technical terms: “Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears random.” The analogy I used in my Crypto | Paper was that unencrypted vs encrypted data is like storing something inside a chain-link fence versus storing that item inside a safe. If we put a road sign inside a relatively secure chain-link fence compound, we’d say that the object (sign) we are storing is pretty safe. However, we can still walk around that fence and see a road sign inside the fence. If we store that sign inside a safe, we’d also likely say that this sign is secure–arguably a bit more secure depending on the safe. The difference is that we can’t walk around that safe and see that there is a sign stored inside of it. This is the basic concept of encryption.
Here are some great videos that explain encryption with more of a visual approach:
Why is encryption important for your small business?
For many small businesses, encryption isn’t a topic you have likely thought a lot about. When most of us think about encryption, we might recall the hacker scenes in Hollywood films (which are rarely depicted correctly, by the way) or hard-to-use setups involving multiple passwords, programs, and hours of learning. So it might surprise you to know that encryption is becoming standard with so much of our digital world that it’s not all that difficult to deploy. Let’s take a closer look at why small businesses should take the topic of encryption more seriously.
Encryption keeps your customer’s browsing habits private over the Internet.
In my blog post titled “6 Email Security Tips For Small Businesses in 2021”, I discussed how phishing attacks could compromise your employees’ accounts and identity. One way this might happen is by someone sending you a fake page that pretends to be legitimate. This could also happen if your company website is not properly secured using encryption in the browser. Say you run a retail shop online and allow customers to log in to manage their accounts. If the connection between your website and their device is not encrypted, anyone with some technical capabilities on their same WiFi network can intercept their username and password when they log in. Or say you are a law firm and people visit your site to gain general legal information or request services from your team. If your website doesn’t employ encryption, anyone on your visitors’ same network can see exactly how they are engaging with your site, what they are viewing, messages they send through contact forms, etc. This could be especially damaging for individuals in domestic abuse situations looking to get help.
When we deploy encryption on our websites and across our services, largely through what is known as SSL and TLS in the browser (the HTTPS/lock symbol you see beside the URL), we are ensuring that the connection between our website and our visitors is private. With the proper deployment of HTTPS, outsiders cannot easily eavesdrop on their connection and see how they engage with our site.
Encryption keeps customer information secure.
Anytime we store customer information, no matter what type of information, we should be thinking about how that information is stored, where it is stored, who has access to it, and how it could potentially be exposed in a breach. We’ve learned again, and again, and again that the Internet is full of individuals looking to engage maliciously with your business to steal sensitive information. Data breaches are an underestimated cost for small businesses and can be crippling for both your day-to-day operations and your reputation. Properly securing customer and company information with encryption (both in transit and at rest) is essential for ensuring your small business isn’t turned on its back in an attack.
- On websites, passwords are typically hashed to keep them from being exposed in plaintext if that website is breached (hacked).
- On an iPhone, a lot of data on the device is protected by default with encryption.
- Most card readers will use point-to-point encryption during financial transactions to safeguard your card information.
How do I deploy best-practice encryption for my small business?
There’s a fairly big misconception that deploying encryption with your small business is difficult and time-consuming when it really doesn’t have to be. I’m going to break down how you can use encryption by familiarizing yourself with tools and services that are already available and widely used. This will not be an extensive list, nor will it go into in-depth specifics about each point discussed, but it should give you a primer on some of the steps you can take to move your business towards a more encryption-focused stance.
SSL/TLS (HTTPS) on your website.
As mentioned previously, encrypting the traffic between a customer and your website is a great first step to ensuring you deploy strong encryption practices. Many content management systems will offer this as an option when you are setting up your website. If you’ve contracted this work out to a designer, developer, or media agency, then it’s likely already done. A quick way to check is to visit your website and see if there’s a little lock icon in the browser beside the URL. You should see https:// before the URL as well (note the s). You should also check that your website is forcing an encrypted connection, meaning that it isn’t accessible in plaintext at all. You can do this in a couple of different ways.
- Try to visit your site over an insecure connection by typing http://yourdomainhere or www.yourdomainhere
- Input your domain/URL into WhyNoPadLock
If your site does not use SSL/TLS and you now realize that it should, you can get in touch with me below, and I can help you set that up. If you run an SSL Server Test on this site, you’ll see that I receive an A+ rating and deploy strong security headers, so your connection with my website/server is private and outsiders trying to snoop on your habits can’t see what you’re doing while you are here.
Consider encrypting your computers, drives, and phones.
Encrypting your data at rest is one of the best methods you can take to ensure sensitive information isn’t placed in the wrong hands if those devices get stolen. Many operating systems have these features built-in, and you should turn this feature (also known as full-disk encryption) on. If your company uses Apple devices, then you’ll have access to FileVault on their Mac lineup and Data Protection on all devices running iOS. Data Protection is enabled by default when you set a passcode on an iOS device (I recommend a passcode of 12 or more characters, but 6 is the default and is relatively secure for most people). FileVault needs to be enabled on all Mac devices but can be done easily using the tutorial linked above. On Windows devices running Windows Professional, Education, or Enterprise (it doesn’t come with Windows 10 Home Edition), the default device encryption is BitLocker. Note that with both BitLocker and FileVault, you can encrypt external hard drives, USBs, and backup media, but they won’t be cross-compatible with other operating systems.
Some tips for securing your data with full-disk encryption:
- The encryption is only as strong as your password. If you use a password written on a sticky note or one that is insufficient in length/complexity, it could easily be cracked. ProtonMail recommends around 20 characters, while Bitwarden and others recommend using a passphrase. My recommendation would be somewhere between 15 and 20 characters to start out and then increase the length and complexity with time. The more sensitive the information you are storing (think: legal documents, financial files, etc.), the stronger you should be making these passwords.
- Store the Recovery Key it gives you in a safe place. My recommendation would be to keep it somewhere away from the office or inside a safe and then keep a master backup of all your recovery keys in your safety deposit box. Due to the way encryption works, this recovery key is the only way you’ll be able to retrieve your data if you forget your password for your computer, so you need to keep it safe.
- Power down all devices at the end of the night so that data is fully encrypted and safe when you leave work.
- Ensure that all media you are backing up to is encrypted as well. It makes no sense to encrypt all your computers but then back up to an unencrypted drive sitting on your desk.
Don’t send sensitive information insecurely.
This is a big one that I see all the time. A business needs to get a file to a client, but said file includes sensitive information. Some businesses email the file. Others password-protect the PDF (a sort-of-secure form of file encryption) using that individual’s phone number. Some might send it via traditional mail to their PO box. This is where secure forms of communication come into play. I’ve yet to have a small business send me a sensitive document over an end-to-end encrypted communications channel, which to me is a bit crazy considering it is 2021. For starters, I mentioned in my blog post on email security that I use ProtonMail. This allows me to send encrypted emails to outside recipients who do not also use my end-to-end encrypted email service (I discuss this more below). However, I have also deployed a secure text/file sharing service on my server that allows me to share sensitive information relatively securely with clients I am working with, and I used other instances of this service before deploying my own. I also use and recommend Signal Private Messenger as a means of both general, day-to-day communication and a means of communicating sensitive information and files. I try never to send files containing personal or business information in plaintext. What we are looking for when communicating personal or sensitive data is to ensure that either:
- The service we are using is end-to-end encrypted (easier to deploy)
- We are encrypting the document before sending it (more difficult to deploy and could be less secure)
There are also some services like ProtonDrive and Tresorit that act as cloud storage services and can send encrypted download links of files to other individuals. Bitwarden also has this feature embedded in their password manager, making it great for individuals who took the advice in my last blog post and started this password manager to store their accounts and passwords.
Consider switching your email provider.
If you are a small business that frequently deals with sensitive customer information, you should consider switching to ProtonMail and using their Business Plan. This will give your small business the benefit of encrypted email and the ability to transmit files to your client base securely. For 10 users, ProtonMail’s Business Plan is only $15 a month more than Google Workspace but affords much more security. Google Mail still has far more features and customizability for organizations, and ProtonMail does not yet have desktop apps, so this move isn’t one I recommend very often. However, it could be a great leap towards company/customer security for certain small businesses. I have been using ProtonMail since 2015 and don’t find it to be a burden on my productivity at all. I’ll continue to be a long-time supporter of their company for years to come, I’m sure.
Conclusion: Encryption matters.
Encryption is a big asset for small businesses and can help protect both their company and their clients/customers. Although likely a big change from current routines, small businesses should assess how they use (or don’t use) encryption and how they can adapt those processes. Take things slow and read some of the attached resources I’ve linked above; encryption can give your small business that boost in security that thwarts massive leaks or exposure of sensitive data. And if you’ve read this blog post, know you need to heed my advice, but have no clue where to start, I’ll gladly offer you some individualized support. You can use the contact form below this post to get in touch with me or send an email to firstname.lastname@example.org.
Good luck and take care,