The Plain English Version
Encryption scrambles your data so only people with the right key can read it. Think of it as putting your information in a locked box - even if someone steals the box, they cannot access what is inside without the key.
If encrypted data is stolen in a breach, it is significantly harder (often impossible) for attackers to use it. This is why encryption is considered a fundamental security control.
Two Types You Need to Know
At Rest: Protecting data stored on devices, servers, or in the cloud. Your laptop hard drive should be encrypted so a thief cannot read your files.
In Transit: Protecting data as it travels across networks. HTTPS encrypts data between your browser and websites. VPNs encrypt your internet traffic.
Why Encryption Matters for Compliance
Under GDPR, encryption is specifically mentioned as an appropriate technical measure. If you suffer a breach but the data was properly encrypted, you may not need to notify affected individuals - the encrypted data is unintelligible to anyone who does not hold the key.
Many frameworks (ISO 27001, Cyber Essentials, PCI DSS) require or strongly recommend encryption for sensitive data.
Common Encryption Mistakes
- Not encrypting laptops - Lost or stolen devices are a major breach source
- Weak key management - Encryption is only as good as how you protect the keys
- Assuming cloud means encrypted - Check your provider settings
- Using outdated algorithms - Some older encryption algorithms and modes can be broken with modern computing resources
- Not encrypting backups - Often overlooked but critical
Getting Started
Enable full-disk encryption on all devices (BitLocker for Windows, FileVault for Mac). Ensure your website uses HTTPS. Check that your cloud services encrypt data at rest. Review how encryption keys are stored and who has access.