We’ve recently talked about some of the main reasons why you need to encrypt your data. And we showed you the potential consequences when your data isn’t encrypted.
So now that you’re ready to look more closely at encryption in your establishment, where should you begin?
Every educational institution is different, so there is no one-size-fits-all data protection strategy. Before you can put your strategy into an actionable plan, you need to answer the following four questions.
1. How does data flow into and out of your establishment?
Do you receive emails with file attachments, or send them out? Do you receive data on USB sticks or other removable media? How does your school store and share large amounts of data internally and externally? Do you use cloud-based storage services like Dropbox, Box, OneDrive, etc.?
What about mobile devices and tablets? According to a Sophos survey, the average technology user carries three devices. How do you rein in the wide range of devices that have access to data?
You should look for an encryption solution that is built to adapt to the way you use data and how data flows within an establishment.
2. How do your educational institution and its individuals make use of data?
What are your employees’ workflows, and how do they go about making their day-to-day jobs more productive? What tools, devices or apps do your students use, and do any of those present a possible vector for data loss?
You need to understand how employees and students use third-party apps, and then decide whether to prohibit what is often called “shadow IT,” whether you can trust the security of those systems, or whether to bring development of these tools in house.
3. Who has access to your data?
This topic can be both an ethical and regulatory discussion. In some situations, users should not ethically have access to certain data.
Worldwide, there are some data protection laws that stipulate that only those who need data to perform their tasks should have access to it; everyone else should be denied. Do your employees have access to just the data they need to do their job, or do they have access to data they do not need?
4. Where is your data?
Centralized and mostly contained in a data center? Completely hosted in the cloud? Sitting on employee laptops and mobile devices?
According to a Tech Pro Research survey, 74% of organizations are either allowing or planning to allow their employees to bring their own devices to the office for business use (BYOD). Employees are carrying sensitive corporate data on their devices when they work from home and on the road, increasing the risk of data leaks or compliance breaches. Think how easy it would be to access confidential information about your school if an employee’s smartphone gets stolen or misplaced.
Challenges and solutions
According to the 2015 Global Encryption & Key Management Trends Study by the Ponemon Institute, IT managers identify the following as the biggest challenges to planning and executing a data encryption strategy:
• 56% – discovering where sensitive data resides in the organization
• 34% – classifying which data to encrypt
• 15% – training users on how to use encryption
Unfortunately, there is no one-size-fits-all solution to these challenges. Your data protection plan must be based on your school: the type of data your school works with and generates, local regulations, and the size of your school.
Your school’s users need to understand how to comply with a clearly defined data protection plan and how to use encryption. They must be clearly told which data they have access to, how this data needs to be accessed and how they can protect this data.
Most importantly, you need to ensure that you can both offer and manage encryption in such a way that it doesn’t impact the school’s workflows.