Encryption is not a sexy topic. But if you’re running a business and use software to store your employee or customer information, you need to have some awareness and understanding of encryption. Why? Because you’re responsible for keeping their information safe. And if you don’t know anything about encryption, that information could genuinely be at risk of getting into the wrong hands. So, in as few words as possible, we’re going to help you understand encryption – read on.
Let’s say you’re using some software that doesn’t use encryption to store or transmit your HR info. This contains details of medical conditions for your staff members, along with their home address, full name and date of birth. If that information travels over the internet unencrypted (in transit*), anyone sitting on the network path (on the same Wi-Fi, at the ISP, or on a compromised router) can read it without you ever knowing. You don’t have to do anything wrong for it to be exposed: simply loading the page on your screen sends the data across the network in the clear.
It’s also possible for an attacker to change the info while it’s in transit (for example, they could alter someone’s salary), and without encryption and the integrity checks that come with it, neither end can tell the data was tampered with. Not a nice situation to have on your hands, agreed?
*In transit simply means the data is travelling over a network, usually the internet. Cloud-based info is in transit every time you view it: it is transmitted from the provider’s server to your device, and back again whenever you edit it.
You’ve got a moral duty to protect your customers’ info
Regardless of what the regulations are, any good business owner should feel morally responsible for their customers’ data. With any business transaction there is a level of trust, and whatever information your customers have given you, they have trusted you to be responsible and not abuse or share that information.
Personal information is often provided in order for a sales transaction to be processed, and you’re responsible for looking after that info. Would you buy from a company that allowed third parties to access your personal info without your consent?
GDPR expects you to protect sensitive customer info, and encryption is the measure it names
If you’re a business owner in the UK or Europe, you’ll know all about GDPR by now – unless you’ve been living under a rock. Although they may seem a nuisance, these regulations are designed to protect people like you and me. GDPR doesn’t prescribe one particular technology, but Article 32 lists encryption explicitly as an example of an appropriate security measure, and under Article 34 a breach of properly encrypted data may not have to be reported to the individuals affected. Encrypting sensitive data means that you’re protecting your customers’ and employees’ data and that’s not a bad thing, at all.
Even if you’re doing business outside of Europe and feel like you can avoid the GDPR requirements, other jurisdictions have their own data protection laws. Law or no law, why would you avoid protecting sensitive information and put your business at risk?
Your competitors could steal your sensitive info
If you don’t encrypt your information then you’re at risk of your competitors being able to steal it. The blame wouldn’t be entirely on them if this happened – you are responsible for the sensitive data that your business processes. Customer data these days is extremely valuable, so why would you allow your competitors to have access to it?
How can you tell if your software is encrypted?
If you’re using software that has been developed for you, there are 3 vital questions to ask your software developer:
- Is the data encrypted at rest (i.e. in the database and its backups), using a strong, modern algorithm such as AES-256 in an authenticated mode (e.g. AES-GCM), with the keys kept separately from the data (for example in a key management service) rather than in the same database or in the source code?
- Is the data encrypted in transit (i.e. while being downloaded or uploaded), using TLS 1.2 or later? You will still hear this called SSL, but the SSL protocols themselves are obsolete and should be disabled.
- Are they using one-way encryption (properly called a password hashing algorithm, such as bcrypt, scrypt, Argon2 or PBKDF2, with a unique random salt per password) for passwords, rather than reversible encryption or plain text?
What is one-way encryption? Sounds complicated…
When you create an account on a website you have to create a password. You don’t want anyone to see that password. Let’s say you created a password on a site, and someone stole the database from that site. It’s nothing to do with you. But that person now has your password. You’ve probably used it before on another site – after all, who has time to create unique passwords for every single website? (A password manager does, which is why security people keep recommending them.) But that person now has access to all the other sites you used that password on.
One-way encryption allows you to log in to a website, using and verifying your password, without the site ever storing the password itself. When you set it, the password is run through a hashing function that turns it into a fixed-length value (known as a hash) that cannot be turned back into the password. When you log in, the site hashes what you typed and checks whether it matches the stored hash. A good implementation adds a random salt to each password before hashing, so two users with the same password end up with different hashes, and uses a deliberately slow algorithm so that guessing billions of passwords against a stolen database is expensive. A fast general-purpose hash like MD5 or SHA-1 on its own is not enough.
Less experienced developers will often store passwords as plain text, or as reversibly encrypted values, leaving them wide open to anyone who gets hold of the database (or the database and the key). It’s quite simple for a software developer to implement one-way encryption, and it should set off alarm bells if your developer isn’t using this, as well as the other items mentioned above. A quick test: if the “forgot password” feature emails you your existing password instead of a reset link, the password is being stored in a form that can be read back.
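To make the third question and the explanation above concrete, here is an added example (not code from the original page or from any particular product) of how a developer stores and checks passwords with one-way encryption. It uses only the Python standard library and picks PBKDF2-HMAC-SHA256 as the hashing algorithm; bcrypt, scrypt or Argon2 would be used the same way. The record format (algorithm$iterations$salt$hash), the function names and the sample password are assumptions made for the example.

```python
"""Password storage with a salted, deliberately slow one-way function.

Added example (not code from the original page). Uses only the Python standard
library: PBKDF2-HMAC-SHA256 from hashlib, one of the password hashing
algorithms a developer might pick. bcrypt, scrypt or Argon2 would be used the
same way.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# 600,000 iterations is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256.
# The cost is the point: every guess against a stolen database costs this much work.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "alg$iterations$salt$hash" (hex fields).

    A fresh random salt per password means two users (or two sites) with the
    same password get different records, so a thief cannot match them up or
    run one precomputed table against the whole database.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest), or None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Hash the login attempt with the stored salt and compare in constant time.

    hmac.compare_digest avoids leaking, through response timing, how many
    leading bytes of a guess matched the real hash.
    """
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record is malformed or weaker than current policy.

    Call this after a successful login and re-hash the (now known) password,
    so old records get upgraded as users log in without forcing a reset.
    """
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


def demo() -> dict:
    """Simulate the stolen-database scenario from the text.

    One user reuses the same password on two sites (constructed example). The
    stored records still differ, neither contains the password, and only the
    correct password verifies. Every value in the returned dict should be True.
    """
    password = "correct horse battery staple"   # constructed sample input
    site_a_record = hash_password(password)
    site_b_record = hash_password(password)
    return {
        "records_differ": site_a_record != site_b_record,
        "site_a_accepts_real": verify_password(password, site_a_record),
        "site_b_accepts_real": verify_password(password, site_b_record),
        "site_a_rejects_wrong": not verify_password("Correct Horse Battery Staple", site_a_record),
        "no_plaintext_in_record": password not in site_a_record,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design points worth noticing: the salt and iteration count are stored alongside the hash, so the site can raise the cost over time and upgrade old records at the next login via needs_rehash; and a stolen copy of this table gives an attacker nothing to read directly, only the option of paying the full hashing cost for every guess.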
What if I’m using off-the-shelf software? Is that encrypted?
There’s no guarantee that off-the-shelf software encrypts your data properly, and there are examples from recent years of huge organisations allowing data to be leaked due to lack of encryption: https://www.bbc.co.uk/news/technology-13231307
You can still put the same three questions to the vendor and ask for their security documentation, but aside from that, being careful with the passwords you use, crossing everything and hoping for the best, you can only fully control software that you’ve had developed on a bespoke basis. This is one of many reasons why having bespoke software made for your business by a trusted techie is a good idea. You have to trust in technology, and having a solid, honest relationship with a software developer will put you in a very good position.
Are you worried about keeping your data safe? Do you suspect your current software isn’t secure enough? If you need some guidance and support, drop us a message and let’s chat.