GDPR and Encryption
The GDPR requires that you take appropriate technical measures to protect personal data, taking into account the size and nature of your organisation and the data which is held, whilst also ensuring the integrity and availability of any personal data stored.
Encryption is one of the measures the GDPR names explicitly (Article 32 lists "the pseudonymisation and encryption of personal data"). Where it can be implemented with little effort and at low or no cost, it must be considered a viable option, so long as it does not impede your regular business activity.
The ICO's guidance on aligning your organisation with Cyber Essentials makes encryption of certain devices a requirement. The ICO's current encryption guidance was written for the Data Protection Act 1998; an update for the GDPR is in progress.
The following guide gives a basic outline of the different kinds of encryption you will encounter, to help reduce the confusion.
What is Encryption?
In its simplest form, encryption converts readable data into an unreadable form that can only be turned back (decrypted) by an authorised party. It protects the confidentiality of data both while it is being sent from one place to another and while it is stored, so that only authorised parties can read it.
Encryption and decryption need an extra piece of information, known as the key. In symmetric encryption the same key is used for both jobs; this is what disk encryption and Wi-Fi use, and whoever holds the key can read the data, so protecting the key matters as much as the encryption itself. In asymmetric (public-key) encryption a pair of related keys is used: anyone may encrypt with the public key, but only the holder of the matching private key can decrypt. Website certificates and email certificates rely on this second kind.
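As an added illustration (this is the editor's example, not code from the original guide), the following PowerShell script uses the .NET cryptography classes that ship with Windows to show both kinds of key in action: an AES key that both encrypts and decrypts, and an RSA pair where the public key encrypts and only the private key can decrypt. Encrypting the data with AES and then wrapping the AES key with the recipient's RSA public key is the hybrid arrangement that email encryption (S/MIME and Office 365 Message Encryption, discussed later) uses underneath. The customer record is a constructed sample.

```powershell
# Editor's added example: symmetric (AES) versus asymmetric (RSA) keys, using the .NET
# classes available in Windows PowerShell 5.1 and PowerShell 7. Not from the original guide.

function Show-KeyTypes {
    # Constructed sample of personal data
    $message   = 'Customer: J Smith, DOB 1970-01-01, account 12345678'
    $plaintext = [Text.Encoding]::UTF8.GetBytes($message)

    # --- Symmetric: one secret key does both jobs ---
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()                     # the IV is not secret, but must be fresh for every message
    $encryptor  = $aes.CreateEncryptor()
    $ciphertext = $encryptor.TransformFinalBlock($plaintext, 0, $plaintext.Length)

    $decryptor  = $aes.CreateDecryptor($aes.Key, $aes.IV)      # the SAME key unlocks it
    $recovered  = [Text.Encoding]::UTF8.GetString($decryptor.TransformFinalBlock($ciphertext, 0, $ciphertext.Length))
    # Caveat: AES-CBC alone gives confidentiality, not tamper detection. Real products add an
    # integrity check (HMAC) or use an authenticated mode such as GCM.

    # --- Asymmetric: the recipient's public key encrypts, only their private key decrypts ---
    $recipient  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    $publicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $publicOnly.ImportParameters($recipient.ExportParameters($false))   # $false = public half only

    # Hybrid pattern: RSA protects the small AES key, AES protects the large data.
    $wrappedKey   = $publicOnly.Encrypt($aes.Key, $true)       # $true = OAEP padding
    $unwrappedKey = $recipient.Decrypt($wrappedKey, $true)

    $publicKeyCanDecrypt = $true
    try   { [void]$publicOnly.Decrypt($wrappedKey, $true) }
    catch { $publicKeyCanDecrypt = $false }                   # expected: CryptographicException

    [pscustomobject]@{
        SymmetricRoundTripOk  = ($recovered -eq $message)
        WrappedKeyMatches     = ([Convert]::ToBase64String($unwrappedKey) -eq [Convert]::ToBase64String($aes.Key))
        PublicKeyCanDecrypt   = $publicKeyCanDecrypt          # False: the public key is safe to hand out
        CiphertextLengthBytes = $ciphertext.Length
    }
}

Show-KeyTypes
```

The point to take from the last two fields: the RSA public key can be published freely because it cannot undo what it encrypted, whereas the AES key must be kept secret by everyone who holds it.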
Stored Data Encryption
Even though you (should) have a complex password to sign in to your system, this does not stop unauthorised access to your data should the system be compromised, lost or stolen. The login password only controls who can sign in; any data stored locally can easily be retrieved if the hard drive is removed and read on another machine, or if the machine is booted from a USB stick. To make the data unreadable in those cases you need to encrypt the drive itself (full-disk encryption).
BitLocker is built into Windows 7 Ultimate and Enterprise and into the Pro, Enterprise and Education editions of Windows 10 and later (not Home). It is simple to use and encrypts the entire disk so that it can be unlocked only by that machine, or with the recovery key. Newer machines have a TPM chip (Trusted Platform Module): BitLocker keeps the disk key sealed inside the TPM, which releases it only if the machine boots its own unmodified boot components, so the user does not have to enter a password every time it is switched on, and the drive is unreadable if moved to another computer. Older machines without a TPM require a start-up password or USB key each time to decrypt the data. Note that with the TPM alone the drive unlocks automatically on a normal boot, so the Windows login password becomes the last line of defence; for laptops that travel, consider requiring a start-up PIN in addition to the TPM. Either way, BitLocker generates a long, unique 48-digit recovery password: keep it safe, and separate from the machine, in case recovery is ever needed.
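The steps above, as an added worked example in PowerShell (the editor's code, not from the original guide or from Microsoft's documentation): check for a usable TPM, create the recovery password first, encrypt the operating-system drive with the TPM as the unlock mechanism, record the recovery password, and verify the status. It assumes an elevated PowerShell on a Windows 10 or later Pro, Enterprise or Education machine.

```powershell
# Editor's added example (not from the original guide): enable BitLocker on the OS drive with
# the TPM, keep a recovery password, and verify. Run as Administrator.

# 1. Is there a TPM we can use?
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM: use a start-up password (-PasswordProtector) or USB key instead of -TpmProtector.'
}

# 2. Add the recovery password protector FIRST, so the 48-digit recovery key exists before
#    anything is locked down. This is the "long, unique code" the guide refers to.
$osDrive = $env:SystemDrive            # normally C:
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# 3. Encrypt, unlocking via the TPM. XTS-AES 256 is the strongest built-in method. -UsedSpaceOnly
#    is fine for a new machine; omit it on a drive that previously held unencrypted data.
#    Encryption starts after the hardware test on the next restart (add -SkipHardwareTest to skip it).
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

# Caveat: TPM-only unlocks the drive automatically on a clean boot, leaving the login password as
# the last line of defence. For laptops consider:
#   Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $securePin

# 4. Record the recovery password away from the laptop: print it, put it in the password manager,
#    or back it up to Azure AD / Active Directory if the device is joined.
$vol      = Get-BitLockerVolume -MountPoint $osDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery key ID: $($recovery.KeyProtectorId)  Recovery password: $($recovery.RecoveryPassword)"
# BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

# 5. Verify (the same information is shown by: manage-bde -status)
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
```

ProtectionStatus should read On once encryption has finished; if it shows Off while the volume is fully encrypted, the protectors have been suspended (for example by a firmware update) and the drive is readable without them.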
Modern smartphones and tablets encrypt their storage in the same way, tied to the device PIN or passcode, which is why they ask for it each time the device restarts; check with your manufacturer for any action needed to switch this on. If you allow mobile access to email, a Systems Administrator can require device encryption and a PIN centrally through mobile device management (for example Intune or Exchange ActiveSync policies), just as BitLocker settings can be enforced on company PCs through Group Policy or Intune.
For removable drives (USB sticks, thumb drives, external drives etc.) it is advisable to buy a device that is hardware encrypted (the encryption hardware and any unlock software come built in); look for independently certified models (FIPS 140-2 validated, for example). These may be slightly higher in cost but are much more reliable, and your IT administrator can enforce their use within the network. Low-cost, reliable examples are the Kingston DataTraveller or the WD 1TB External Drive, but there are plenty of options available.
'BitLocker To Go' can be used to encrypt USB drives. Where that isn't available, third-party free software can be found to encrypt local or removable drives which do not have the capability built in (e.g. DiskCryptor), although these are not as robust or reliable as built-in applications and have the potential to render your device inaccessible. Whichever tool you use, record the recovery key before you encrypt, not after.
For individual documents, zip files etc. you can very simply protect the file with a password using the application's own settings; current versions of Office use AES for this. Zip tools usually offer two methods: the legacy 'ZipCrypto' method is weak and easily broken, so choose the AES-256 option where the tool provides it (7-Zip, for example, offers both). Just remember not to send the password in the same email as the file, as this would defeat the point; telephone or text the recipient with any encryption passwords instead.
The same thinking should apply to backups of internal systems. A backup holds a copy of the same personal data you use live and is just as much at risk of loss, theft or damage by malicious code, so it should be encrypted as well. How this is done depends on your backup software, but most products accommodate it, and keeping at least one copy offline protects it from ransomware that reaches the live systems.
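BitLocker To Go from the command line, as an added example that is not part of the original guide: a removable drive gets a password protector plus a recovery password, and is locked before it is handed to someone else. The drive letter E: and the Group Policy path in the comment are assumptions about a typical setup.

```powershell
# Editor's added example (not from the original guide): protect a removable drive with
# BitLocker To Go, keep a recovery password, and lock/unlock it. Assumes the stick is E:.

$usb      = 'E:'
$password = Read-Host -Prompt 'Passphrase for the removable drive' -AsSecureString

# Recovery password first, then encrypt. Aes256 (CBC) rather than XtsAes256 here because
# Windows 7 and 8.1 cannot read XTS-encrypted BitLocker volumes; use XtsAes256 if every
# machine the stick will visit runs Windows 10 or later.
Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $usb -EncryptionMethod Aes256 -PasswordProtector -Password $password

# Record the recovery password somewhere other than the stick itself.
(Get-BitLockerVolume -MountPoint $usb).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# Lock before handing it over; unlock on the next machine with the passphrase.
Lock-BitLocker   -MountPoint $usb -ForceDismount
Unlock-BitLocker -MountPoint $usb -Password $password

# To make this mandatory across the network, an administrator enables the Group Policy setting
# Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
# > Removable Data Drives > "Deny write access to removable drives not protected by BitLocker".
```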
Connection and WiFi Encryption
Using WiFi within the workplace is convenient but does pose some security risks. Ensure that your WiFi is set up so that only your users can gain access, take the further measures below to reduce the chance of anyone else getting on without credentials, and be aware of the risks of using public hotspots.
- Change any default WiFi passwords to a new, unique passphrase (and change the router's administration password while you are there).
- Change the default wireless name (SSID), as the default can unintentionally give away the manufacturer and model.
- If possible, hide the SSID so the name does not appear when people search for a connection. Treat this as tidiness rather than security: the name is still visible in the traffic to anyone with a wireless sniffer.
- Enable encryption: WPA2-PSK (AES/CCMP) at minimum, or WPA3 where all of your devices support it. Never use WEP or WPA with TKIP, both of which are broken.
- Ensure each computer has its own, updated firewall as well as a hardware, external-facing firewall on your network.
- Use a VPN when you connect to public WiFi, either a reputable public VPN service or your own corporate VPN. This encrypts everything between your device and the VPN server, so it cannot be read by anyone else on that WiFi network.
- Keep wireless devices, firewalls and computers up to date with firmware and operating system updates.
- For advanced users: filter on MAC addresses, so that only specified hardware devices can join the network. This is a minor hurdle only, since MAC addresses are sent in the clear and are trivially cloned; it does not replace encryption.
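A check to go with the "Enable encryption" bullet, added here as the editor's example and not part of the original guide: it lists every Wi-Fi profile saved on a Windows machine and flags those using no encryption, WEP, WPA version 1 or TKIP, which is how you find the laptop that still remembers an old WEP network or an open hotspot. It drives the built-in netsh tool and assumes its English-language output.

```powershell
# Editor's added example (not from the original guide): audit saved Wi-Fi profiles on a Windows
# machine and flag weak security settings. Uses netsh (built in); assumes English locale output.

function Get-NetshField([string[]]$lines, [string]$label) {
    # Pull "    Label : value" out of netsh output; 'unknown' if the line is absent.
    $m = $lines | Select-String -Pattern "^\s*$label\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
}

function Get-WeakWifiProfiles {
    $names = netsh wlan show profiles |
        Select-String -Pattern '(All User|Current User) Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[2].Value.Trim() }

    foreach ($name in $names) {
        $detail = netsh wlan show profile "$name"
        $auth   = Get-NetshField $detail 'Authentication'
        $cipher = Get-NetshField $detail 'Cipher'

        # Open/Shared/WEP are unacceptable; WPA (version 1) and TKIP are deprecated.
        # WPA2 or WPA3 with CCMP (AES) or GCMP is what the bullet list asks for.
        $weak = ($auth -match '^(Open|Shared|WEP|WPA-Personal|WPA-Enterprise)$') -or
                ($cipher -match 'WEP|TKIP|None')

        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Weak           = $weak
        }
    }
}

Get-WeakWifiProfiles | Sort-Object Weak -Descending | Format-Table -AutoSize
```

Weak profiles can be removed with `netsh wlan delete profile name="<profile>"`; for a fleet, the same logic is easier to enforce through Group Policy wireless network policies than by hand.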
Data Transmission Encryption
For regular web browsing, the key here is the 'S'. Always look for https:// in the address of any website you visit. Without going into too much detail, it stands for 'Secure': HTTP carried over TLS (Transport Layer Security, the successor to SSL). Any data you enter on a page served over https is encrypted on its way across the network and cannot be read by anyone monitoring or intercepting the traffic. Never submit personal or payment details on a site which does not display https, or on one which does but first shows a browser warning that the certificate may not be trusted. Bear in mind that https protects the connection, not the honesty of the site: a fraudulent site can have a perfectly valid certificate, so the padlock is necessary but not sufficient.
Online storage services (Dropbox, OneDrive, Google Drive etc.) are a good kind of storage solution to consider, as data is held encrypted in transit and at rest, is easily shared, and comes with access and auditing controls.
You may feel that having your data held in the 'Cloud' would be less secure, but the major providers are independently audited against the most stringent security standards in the industry, and most internal file servers are not maintained to anywhere near the same level. The provider's encryption protects against theft of their disks, however, not against a guessed password or a file shared with the wrong link, so turn on multi-factor authentication for these accounts and review sharing settings regularly.
If you host a site or service for your own organisation, you may want to consider allowing access only via HTTPS (redirecting any http:// request to https://) and obtain a certificate from a reputable provider. The average cost of a basic wildcard certificate would be £70-90 per year; free domain-validated certificates are also available from Let's Encrypt.
Some major providers such as Google state that all of their email is encrypted by default. This refers to encryption in transit: Gmail uses TLS to other mail servers that support it, and the whole path is protected when the recipient is also a Gmail user, but Google cannot guarantee encryption to a recipient whose mail server does not support TLS, and the message is readable by the providers at each end either way.
For regular mail sending (using Outlook or any other Exchange or Office 365 mail system) the key to email encryption is that both the sender and the recipient hold an email certificate (S/MIME). You encrypt a message with the recipient's public key, taken from their certificate, and only their private key can decrypt it; your own certificate is used to sign the message so the recipient can verify it came from you. This is a little more complex to set up but it is the only true method of end-to-end encrypting the mail you send regularly. Microsoft have published a guide to assist with this. At the time of writing a free email certificate is available via Comodo for a single user, but for a corporate environment there would be a cost to implement organisation-wide.
Microsoft Office 365 have introduced email encryption on certain plans. This involves setting up policies within Azure Information Protection and optionally installing a small client app which integrates with Office. It gives users an easy-to-use option to set a sensitivity level on an email or document and have restrictions applied to it, and the same result can be achieved with an Exchange mail flow rule that encrypts any email containing a chosen term in the subject. This is the cheapest and easiest method to implement, but it does require additional action from the recipient to verify their identity: recipients must either sign in with a Microsoft account or use a one-time passcode sent to their email address.
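The mail flow rule described above, as an added example (the editor's code, not from the original guide or from Microsoft's documentation): it connects to Exchange Online, checks that message encryption is enabled for the tenant, and creates a rule that encrypts any message to an external recipient whose subject contains a tag. The tag `[encrypt]`, the rule name and the administrator address are assumptions.

```powershell
# Editor's added example (not from the original guide): create the "encrypt when the subject
# contains a keyword" rule with the ExchangeOnlineManagement module. Assumes a tenant licensed
# for Office 365 Message Encryption and an administrator account. Tag and names are assumed.

Install-Module ExchangeOnlineManagement -Scope CurrentUser     # first time only
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Is message encryption switched on for the tenant? Both should be True.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled
# End-to-end check for a single mailbox:
# Test-IRMConfiguration -Sender someone@contoso.example

# The rule: outbound mail whose subject contains the tag is protected with the built-in
# "Encrypt" template (use 'Do Not Forward' to also block forwarding, printing and copying).
# External recipients then sign in or use the one-time passcode, as described in the text.
New-TransportRule -Name 'Encrypt on [encrypt] tag' `
    -SubjectContainsWords '[encrypt]' `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Comments 'Staff force encryption by adding [encrypt] to the subject line.'

# Confirm the rule exists and is enabled
Get-TransportRule -Identity 'Encrypt on [encrypt] tag' |
    Select-Object Name, State, Priority, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

Send a test message with the tag to an external mailbox you control before announcing the rule: the recipient should see the "protected message" wrapper and be asked to sign in or enter a passcode, and the message should read normally in Outlook for internal recipients.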