Encrypt – and protect – your business data

Encryption is an essential tool for securing the data that your company creates or collects. Data breaches pose a number of risks to businesses, ranging from loss of intellectual property or know-how to leakage of personal data. This can damage your reputation, result in hefty fines and threaten the future of your business.

5 min read

What is encryption and what does it protect?

Encryption is the process of encoding information so that it cannot be accessed by unauthorized persons. If your company’s encrypted data is leaked, anyone who steals or finds the data will not be able to read it, as it is unintelligible without the proper decryption key.

Many people are not aware that a lot of information is already protected by encryption technology. For example, online shopping and internet banking would not work without good encryption. Encryption is designed to protect money and personal information. As for the business environment, encryption should be used to protect your company’s intellectual property and know-how as well as the personal data you process within your company.


Intellectual property and know-how can include the products or services created by your company. They can also be the methods you use to successfully sell those products, or the processes used to ensure that they function effectively throughout their life cycle. Similarly, they may include business and marketing plans for the next calendar year. All this information can be monetized or misused by a cyberattacker or thief.

Personal information that your company collects and processes may include information about your customers and employees. You are required by law to protect access to such data, as stipulated by the European Union's General Data Protection Regulation (GDPR).

Is your business compliant?

Make sure your company's security practices follow relevant compliance regulations.

[Interactive compliance table: for each regulation below it rates five security controls (Antivirus + antimalware, Personal Firewall, Encryption, Two-factor authentication, Central management) as Required, Recommended but not required, Not recommended and not required, or No mention. The ratings themselves were icons and are not preserved in this text.]

Regulations covered, with the question that determines whether each applies to you:

  • PCI: Do you take credit cards?
  • GLBA: Do you handle financial transactions for customers?
  • HIPAA: Do you process healthcare data?
  • SOX: Are you a public company?
  • GDPR: Do you do any business in the EU?
  • CCPA
  • PIPA
  • J-SOX

CCPA and "reasonable security": Are you ready?

The CCPA may apply to you even if your business isn't California-based. Find out whether you're affected and assess your readiness with our interactive quiz and guide to CCPA security.

Do you know what to do if your company has leaked personal information?


Obligation to notify the regulator

You have to report any personal data breach to the relevant data protection authority. This obligation applies not only to major incidents, such as large database leaks, but also to minor mistakes. For example, if you mix the contents of envelopes intended for two different recipients erroneously, you must report it.


72 hours

You have to notify the relevant supervisory authority about the incident within 72 hours from the moment you become aware of it, not from the moment the incident occurred. If this time limit is not met, you must justify the delay, i.e. explain why the breach was not reported within 72 hours.


Obligation to notify affected individuals

In more serious cases, apart from notifying the data protection authority, you must also inform the individuals whose data have been affected by the incident. However, this step is not required if the incident occurred after your company had implemented appropriate technical and organizational security measures, in particular those that render the personal data unintelligible to any person unauthorized to access it. The rather complicated legal term “technical measures” refers to encryption.

Possible fines related to GDPR

Failure to fulfil the obligation to report a data breach to the relevant supervisory authority is punishable by a fine of up to €10 million or, in the case of a company, up to a maximum of 2% of its annual worldwide revenue from the previous financial year. In addition to a high financial penalty, the data protection authority may also enact the following:

  • a temporary or definitive limitation, including a ban on processing of personal data
  • deletion of personal data

This means that you could either lose all the contacts for your existing customers, or your company could be temporarily banned from storing such data.

Data breaches affect businesses of all sizes

Many businesses believe that they are not vulnerable to cyberattacks or data breaches because of their small size and limited assets. Unfortunately, this is not the case: according to analyst firm IDC, small and medium-sized businesses are the victims of more than 70 percent of security breaches. The good news is that companies do not need to report cyberattacks unless personal data has been compromised or leaked.

Because of the false impression that other businesses do not face cyberattacks, companies may feel ashamed or fear negative attention if they report an attack.

ESET has observed that for the first year after the GDPR came into force, the supervisory authorities in Europe were still familiarizing themselves with the new rules. It is likely that they will now impose more fines.

However, experience shows that if affected companies cooperate, they tend to receive lower penalties. It also appears that if your company is not an internet giant, you are unlikely to get a maximum-level fine.

We therefore recommend that organizations always observe the notification obligation, cooperate with the supervisory authorities and educate their employees on what personal data is and how it should be protected.

ESET encryption solutions

ESET Endpoint Encryption

ESET Endpoint Encryption protects sensitive data on corporate devices by means of encryption. It provides encryption of files and folders, emails and attachments, removable media, virtual disks as well as the entire disk. It is easy to use, offers full remote control of encryption keys and requires no server for deployment. Get a 30-day free trial and try ESET Endpoint Encryption in your company.