Virtual Graffiti, Inc - Your Source for Technology Solutions

VG Tuesday Tips: Evaluating encryption for your SMB: 6 essential questions to ask

Has your small or medium-sized business considered compliance with GDPR regulations? If you have a web presence that reaches into Europe and serves customers there, you are very likely required to comply. In effect since May 2018, GDPR makes it the legal responsibility of business owners/operators to secure customer and employee personal data. The requirement is driving small and medium businesses to implement data protection technologies, most notably encryption.

The vast selection of encryption products makes it challenging for SMB decision makers to find the right fit for their needs. As a result, many companies have tried and failed to deploy an encryption product. If you are facing this decision, either for the first time or for a second round after the failed adoption of an already-selected solution, here are the six questions to ask to ensure you identify the right solution.

  1. How well does the solution serve remote users?

     It might seem obvious, but systems are more liable to theft when away from the office. Keep this top of mind as you research and settle on a solution. Look at problem scenarios for remote users, and test how effectively the solution can address them. Those that pass this test can be on your shortlist.

  2. Can your IT department easily control off-site endpoint encryption?

     Major endpoint encryption products can remotely manage systems, but may require specialized IT skills. Most need either an open incoming connection to a demilitarized zone (DMZ) on your server, or a VPN connection. These requirements may also mean the user has to initiate the connection, which means IT won’t be able to respond to a rogue employee or stolen laptop. Look for remote management capability that doesn’t require specialized knowledge or the added expense of higher-level administration skills.

  3. Do you have the flexibility to enforce effective policies?

     The ability to rapidly alter security policies, encryption keys, features and remote operation of the solution allows you to enforce a default policy that is both strong and tight. You can make exceptions only when and where needed, and roll them back just as easily. If you can’t do this, you’ll be forced to leave ‘a key under the doormat’, just in case, tearing holes in your security policy.

  4. Does it support remote locking and wiping of keys?

     This could become crucial if a company laptop with full-disk encryption gets stolen under common conditions: while in sleep mode, with the operating system booted up, or if the pre-boot password is on a label or tucked in the laptop bag. These scenarios can leave the encrypted data wide open for the taking. Look at situations such as these. Has the solution been designed for events that could otherwise unravel a well-designed security policy?

  5. Can the solution secure removable media without whitelisting every item?

     With so many different types of writeable devices used for everyday work, it is nearly impossible for admins to whitelist them all, or decide whether it’s permissible to read or write to them on an individual-device basis. Instead, it is much easier to set a file-level policy that distinguishes between files that need encryption and those that don’t. The selected files will be protected every time they move from a workstation on the corporate network to any portable device. An employee who connects a personal USB won’t be forced to encrypt personal data. Anything coming from the corporate network will be encrypted without requiring the keys to be on the removable device. Such a solution makes any device safe without the need for whitelisting.

  6. Is it easily deployed?

     If setting up the solution takes hours or days and needs additional tools for operation, it will lead to headaches for system admins and create new security risks. Target an easy-to-deploy solution that doesn’t require advanced IT expertise and the associated costs. And look for a user experience that means IT staff won’t be taxed by user lockouts, lost data and other frustrations.

In conclusion…

Validated, commercial encryption products have been proven strong enough to protect data. However, a significant number of data breaches involved lost or stolen laptops and USB drives with encryption in place. Be sure you can fit the solution to your environment in a way that supports everyday working practices and delivers ease of use. These are the keys to an effective solution that actually protects your sensitive data.

Original Post from ESET