Cyber Essentials, the UK government-backed certification that financial institutions are strongly encouraged to use as a starting reference point for securing their users and client data, does not mandate the use of encryption. The scheme, provided by the National Cyber Security Centre (NCSC), is a vital baseline for businesses looking to strengthen their cyber security posture.
Encryption ensures that when (not if) data is intercepted or accessed without authorisation, it remains unreadable and unusable to attackers. Without encryption, organisations expose client data in the event of a breach (and sometimes even without a breach, if the data has been left publicly accessible), putting themselves at significant risk of financial and reputational harm. This is crucial for our friends in the financial services industry, who handle sensitive customer information and proprietary business data.
We view encryption as an integral part of a well-rounded cybersecurity strategy. Businesses should consider going beyond the minimum standards set by Cyber Essentials and implement encryption to protect their data. It is important to understand that this does bring additional challenges when handling and processing data; however, consulting a technology and cybersecurity professional can help tailor a security setup that aligns with your specific business needs.
Here are a few pointers to run by your IT team or IT vendor:
- End-user devices (e.g. phones and workstations) should have their hard drives encrypted.
- Enforce encryption of flash drives, or better yet, ban them completely and make use of corporate sharing tools (e.g. SharePoint).
- Check whether your email server enforces encryption for both sending and receiving messages, and outright rejects unencrypted ones.
- Investigate secure messaging tools and consider them for your business use case, for example when receiving confidential information from clients (passports, government IDs, etc.).
- Ensure that data at rest in your CRM, sales tools, marketing platforms, and accounting software is encrypted by default.
- And finally, mandate that any and all company backups use encryption regardless of their location (and especially those kept outside of your regular environments).
I have personal experience of this, having worked with a financial services client that faced a harsh reality about the necessity of backup encryption. The firm experienced a ransomware attack that not only compromised their primary systems but also infected their backups. Since the backups weren’t encrypted, the attackers accessed and corrupted that data as well. Without clean backups to restore, the business endured significant downtime, financial losses, and a loss of client trust.
Backup encryption is essential. It adds a crucial layer of protection, ensuring your recovery data remains safe and untouched, even during an attack.
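To make the last checklist item and the backup story above concrete, here is an added example (not code from the original post or from any vendor) showing what an encrypted backup gives you in practice. It uses Go's standard-library AES-256-GCM: the stored blob contains no readable client data, a restore with the wrong key fails, and a restore from a blob that has been tampered with (as in the ransomware case) fails loudly instead of silently restoring corrupted records. The key handling, the backup label, and the sample records are assumptions made for the example; in production the key would live in a KMS, HSM or password manager, never alongside the backup itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newBackupKey returns a fresh 256-bit key.
// Assumption for this example: in production the key is stored in a
// KMS/HSM or password manager, never next to the backup it protects.
func newBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM. Output layout is
// nonce || ciphertext || tag. The label (e.g. system name and date) is
// authenticated but not encrypted, so a blob from one system cannot be
// passed off as a backup of another.
func EncryptBackup(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return append(nonce, sealed...), nil
}

// DecryptBackup opens a blob produced by EncryptBackup. It returns an error
// (never garbage) if the key is wrong, the label differs, or any byte of the
// blob was modified, e.g. by malware writing over the backup store.
func DecryptBackup(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob too short to contain a nonce")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, []byte(label))
}

// CheckRestore models a restore job: true only if the backup decrypts
// cleanly and the recovered contents match what was archived.
func CheckRestore(key, blob []byte, label string, expected []byte) bool {
	got, err := DecryptBackup(key, blob, label)
	return err == nil && bytes.Equal(got, expected)
}

func main() {
	key, _ := newBackupKey()
	// Constructed sample standing in for a client records export.
	records := []byte("client_id,name,passport_no\n1001,Example Client,PLACEHOLDER\n")
	label := "crm-backup-EXAMPLE-DATE"

	blob, err := EncryptBackup(key, records, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob contains readable client name:", bytes.Contains(blob, []byte("Example Client")))
	fmt.Println("clean restore ok:", CheckRestore(key, blob, label, records))

	// Simulate the backup store being corrupted: flip a single byte.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	fmt.Println("tampered restore ok:", CheckRestore(key, tampered, label, records))

	// Someone holding the blob but not the key gets nothing usable.
	wrongKey, _ := newBackupKey()
	fmt.Println("wrong-key restore ok:", CheckRestore(wrongKey, blob, label, records))
}
```

Two practical notes. First, this protects confidentiality and detects tampering, but it does not stop an attacker from simply deleting the backup, which is why the checklist's point about keeping copies outside your regular environment (offline or otherwise unreachable from production) still applies alongside encryption. Second, run the tampered-restore check as part of routine restore testing: a backup you have never verified restores cleanly is not yet a backup.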