Learn how mobile encryption can protect the data on your device
With the rise in mobile devices, it makes sense that more businesses are using mobile devices to process, store, and transmit card data. But with the rise in technology comes the rise in all sorts of security issues. One common issue is stolen or lost devices.
Say you have a tablet that has sensitive information on it, such as card data, personal information, etc. If that tablet is stolen, all that data is now in the wrong hands. So how do you secure that data? Things like physical security and mobile device policies are good at protecting the device itself, but one way to protect the data on the device is encryption.
What is encryption?
The idea is to protect your data from falling into the wrong hands, should someone get ahold of a mobile device. Full disk encryption (FDE) encrypts all the data on your storage device.
Full disk encryption is basically encryption on a hardware level. It automatically converts data on a hard drive into something that can’t be deciphered without the key. Without the right authentication key, the data is inaccessible, even if a hard drive is removed and placed in another machine.
What’s nice about FDE is it’s automatic, so it requires no special action from the user other than providing a key. As data is written, it’s automatically encrypted, and as it’s read, it’s automatically decrypted.
Mobile devices like smartphones and tablets have encryption options that will also provide protection of storage. In this case, it’s not typically a disk but is still just storage that’s encrypted and accessed using some key. It’s usually just a matter of enabling the appropriate options and an extra step to provide a key.
Why should I use encryption?
If your organization deals with a lot of mobile devices that carry critical data, it’s a good idea to make sure none of that data falls into the wrong hands. Using encryption is another step to properly securing your data. Taking this extra step in security can help many organizations.
This can also protect you from liability. If a device is lost or stolen, and it was fully encrypted, organizations don’t have to report a breach.
What should I use encryption for?
Encryption is really useful for laptops and other smaller devices that can be physically stolen/lost. This ensures that should a laptop, phone, USB, etc. is stolen or lost, the data is still secured. While it may be true that encrypting mobile devices is not required by all government or financial mandates, taking this extra step in security can help many organizations.
Basically, you should consider encryption for any mobile device that is storing sensitive data.
What type of encryption should I get?
There are many different types of encryption software and tools. Some come with other security elements included. Many computers and software already come with options like full disk encryption. But the problem is this software is usually available on most devices, but many businesses don’t realize it hasn’t been implemented. Fortunately, it’s fairly easy to activate encryption on devices.
Check if your current software offers storage encryption. If not, there are plenty of tools that offer encryption.
How secure is encryption?
Keep in mind that encryption doesn’t guarantee the security of your data. Encryption keys can still be stolen. With full disk encryption, cold boot attacks can be used where keys are stolen by cold booting a machine, then dumping the contents of its memory before the data disappears. Some best practices are to secure the encryption key properly, employ a strict password policy, and limit access to these keys.
So if your business uses a lot of mobile devices, implementing encryption is a great security tool to protect your data.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Principal Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.