A Small Business Guide to Computer Encryption

Why is encryption important?

The purpose of file and disk encryption is to protect data stored on a computer or network storage system. All organizations that collect personally identifiable information (PII) like names, birthdates, Social Security numbers and financial information must secure that data. An organization can be sued if a computer containing PII is stolen and the information is leaked or shared.

Why should businesses use encryption?

If a laptop is lost or stolen and the files or disk aren’t encrypted, the thief can easily access the information, so it’s a good practice to encrypt your sensitive data, if not your entire hard drive. The thief doesn’t even need to know the password to access the files; it’s easy to boot a computer from a USB thumb drive and then access the disks within the computer.

Disk encryption doesn’t protect a computer entirely. A hacker can still access the computer over an insecure network connection, or a user can click a malicious link in an email and infect the computer with malware that steals usernames and passwords. Those types of attacks require additional security controls, like anti-malware software, firewalls and awareness training. However, encrypting a computer’s files or the entire disk greatly reduces the risk of data theft. [Read related article: Is Your Antivirus Software Really Protecting Your Business?]

Encryption 101: How does it work?

Encryption is a digital form of cryptography, which uses mathematical algorithms to scramble messages, leaving only individuals who possess the sender’s cipher or key able to decode the message.

There are two main methods of encryption: symmetric encryption, which involves securing data with a single private key, and asymmetric encryption, which uses a combination of multiple keys that are both public and private.

The most common form of symmetric encryption is Advanced Encryption Standard (AES), which is the U.S. government standard for encryption. Data in hexadecimal form is scrambled multiple times and utilizes 128-bit, 192-bit, or 256-bit keys to unlock, the last being the strongest. Keys can be substituted with passwords that we create, making the password the only direct way to decrypt the data.

This method is best for encrypting files and drives. The only weak spot is the password itself, which hackers may break if it’s weak. They’re unlikely to strong-arm their way into the data through encryption. Though 128-bit AES is a strong encryption key, most government regulations require the stronger 256-bit AES to meet certain standards.

Asymmetric encryption is used for sending secured messages and other data between two individuals. On messaging platforms, such as most email services, all users have a public key and a private key.

The public key acts as a type of address and method for the sender to encrypt their message. That message is further encrypted with the sender’s private key. The receiver can then use the sender’s public key to verify the message sender and then decrypt the message with their own private key. A hacker who intercepts the message will be unable to view its contents without the receiver’s private key.

Types of computer encryption

• Individual file and folder encryption: This method encrypts only the specific items that you tell it to. It is acceptable if relatively few business documents are stored on a computer, and it’s better than no encryption at all.
• Volume encryption: This method creates a container of sorts that’s fully encrypted. All files and folders created in or saved to that container are encrypted.
• Full-disk or whole-disk encryption: This is the most complete form of computer encryption. It’s transparent to users and doesn’t require them to save files to a special place on the disk. All files, folders and volumes are encrypted. You must provide an encryption passcode or have the computer read an encryption key (a random string of letters and numbers) from a USB device when powering on your computer. This action unlocks the files so you can use them normally.

How small businesses can easily encrypt data

The language of data encryption may make it seem impossible, but plenty of simple business encryption solutions exist. For starters, most computers come with built-in encryption programs, though you may have to manually enable some. You can also install several third-party encryption programs for full-disk protection. Plenty of business anti-malware programs include encryption software, and some vendors sell stand-alone encryption tools too.

Built-in encryption programs

Strong encryption is built into modern versions of the Windows and OS X operating systems, and it’s available for some Linux distributions as well.

Microsoft BitLocker is a disk encryption tool available on Windows 7, Windows 8.1 and Windows 10. It’s designed to work with a Trusted Platform Module chip in your computer, which stores your disk encryption key. It’s possible to enable BitLocker even without the chip, but a few settings must be configured within the operating system, which requires administrative privileges.

To enable BitLocker, open Windows Explorer or File Explorer and right-click on Drive C. If your version of Windows supports BitLocker, the menu will display a “Turn on BitLocker” option, which you can click to enable the program.

When you enable BitLocker, Microsoft prompts you to save a copy of your recovery key. This is an important step because you need the recovery key to unlock your disk. Without the key, neither you nor anyone else cannot access the data. You can print the key or save it to your Microsoft account or a file. BitLocker also lets you require a personal identification number (PIN) at startup.

Apple FileVault provides encryption for computers running Mac OS X. When enabling encryption, FileVault prompts you to store the disk encryption recovery key in your iCloud account, but you can choose to write it down instead.

For Linux, you typically encrypt the disk during installation of the operating system, using a tool such as dm-crypt. However, third-party tools are also available for post-installation encryption.

Third-party encryption programs

TrueCrypt used to be one of the most popular open-source disk encryption software programs, but its developers stopped maintaining it in 2014. Security experts are still torn on whether it’s safe to use. To be on the safe side, stick with a product that’s regularly tested and updated. These are a few open-source products that are well regarded:

• VeraCrypt is free software that runs on Windows, Mac OS X and Linux. It frequently gets the highest ratings from users and third-party testers.
• AxCrypt is an easy-to-use encryption program with free and premium versions. It has a password manager and collaboration feature for sharing encrypted data with others.
• Gpg4win uses military-grade security to encrypt and digitally sign files and emails.

Many anti-malware vendors – such as Symantec, Kaspersky, Sophos and ESET – include encryption in their security suites or sell it as a stand-alone product.

USB drives should also be encrypted because when you copy files from an encrypted disk to a USB drive, the files can be automatically decrypted.

“It’s important to educate employees that once they send a file via email or copy it to a USB thumb drive, that data is no longer protected by that encryption,” said Joe Siegrist, vice president and general manager of LogMeIn’s LastPass password management software.

To ensure files on a USB device are encrypted, use software like Microsoft BitLocker To Go or open-source software, or purchase USB drives with built-in encryption, such as those from IronKey, SanDisk and Kanguru.

How much does encrypting data cost?

According to the Ponemon Institute, the average cost of full-disk computer data encryption is $235. This is quite affordable, given that data breaches can cost several orders of magnitude more to correct. Of course, encryption will prove more costly if you lose your key and thus your access, so always keep track of your key.

Best practices for computer encryption

Before enabling encryption on your computer, back up your data files and create an image backup, which is a replica of all the contents of your disk. You should also ensure that you have the operating system’s installation media and create an emergency boot disk on removable media.

Going forward, back up your computer regularly. An encrypted disk that crashes or becomes corrupt can result in files being lost forever. If you have a current backup, you can be up and running fairly quickly.

When creating a passcode or PIN, use random numbers and letters, and memorize it. The longer and more complex it is, the better, but not so complex that you can’t remember it. Consider putting two phrases together, like short verses from two songs you like. Use only the first letter of each word, and substitute some characters, such as a zero for an O and a 3 or pound sign (#) for an E. Use mixed capitalization as well. For more tips on this subject, see our article on how to create a strong password.

Keep a written copy of your PIN or passcode and your encryption key (if separate) in a safe place, in case you forget them. If you enable full-disk encryption and forget your passcode, you won’t be able to access your computer, and neither can anyone else, including IT personnel and even data recovery services, Siegrist said.

If you use Wi-Fi, use Wi-Fi Protected Access 3 (WPA3), which is a form of encryption for protecting wireless connections. Don’t use Wired Equivalent Privacy (WEP), which isn’t safe under any circumstances. Even WPA2 was cracked in 2017, making it less safe than WPA3.

Finally, install a virtual private network (VPN) to access the office network from a laptop or other mobile device when working remotely. A VPN creates a secure tunnel over the internet, encrypting all data that you send and receive during that session.

Remember, computer encryption is only one part of a complete security plan for protecting computers and confidential data. It’s a necessary security control for organizations that handle confidential data, and it should be enabled on any device that could fall into the wrong hands. Visit our small business cybersecurity guide for more tips and advice.

Kim Lindros and Max Freedman contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.