In other posts covering the security of your church’s information technology infrastructure, we have covered topics such as multi-factor authentication, UTM firewalls, email security practices, password management, security training, and the implementation of documented security policies. Even if all of these policies are observed conscientiously, there are still opportunities for cybercriminals to wreak havoc on your church’s technology systems. Disk encryption is a vital additional method of protecting your systems and thwarting those determined to misappropriate your data.
What is Disk Encryption and Why Do I Need It?
Disk Encryption enables you to store the information on your technology devices in a state that cannot be easily accessed by an unauthorized user. So, even if a cyber thief obtains access to your data, it will be difficult for him to read and utilize this data.
Disk encryption is particularly important when a thief obtains physical access to and steals your computer. Once a person has physical access to your computer, a login password requirement will be all but useless in preventing that person from accessing your files. The thief simply needs to remove the hard drive and access it via a different computer of his own. In this scenario, without disk encryption, a church is all but defenseless.
In some cases, the thief can reset your local device account passwords and obtain access to things on your device, like your email. From your email, they could reset passwords and gain access to web-based accounts. They can also obtain password information from any account passwords that you have stored in your browser. (Important Tip: please do not store password information in your browser! Although it is convenient, it is a security risk that you should avoid.)
All Disk Encryption is Not Created Equal
There are various ways that encryption can be utilized – from individual files to an entire disk. With full disk encryption, the encryption key is generally stored on a hardware chip inside your system. At boot, your system “unlocks” the disk, making it accessible to the operating system. If a malicious user were to remove the drive, they could not decrypt its contents. If, however, the thief were able to steal your device and also obtain your password, the system’s decryption would then allow him unfettered access to your data.
Many computer operating systems have built-in methods for encrypting local disks, some of which are very easy to use. Windows 10 Professional and Enterprise include an encryption platform called BitLocker. macOS includes its own equivalent, called FileVault. Modern versions of iOS and Android also include a built-in encryption mechanism. Finally, if your operating system does not natively support disk encryption, there is a plethora of third-party tools that can help.
Caveat: Before deploying these built-in methods for encryption, always make sure that your IT staff participates in the process. If a staff member enables encryption without taking the appropriate steps to be able to decrypt the device, the staff member would not be able to use the device and the IT team would not be able to service the device.
A “Key” Consideration
Regardless of how you choose to enable encryption, it is critical to record a copy of the key that can be used to decrypt your data! The point may seem obvious, but history shows that it is worth emphasizing: if a malicious party can’t get to your data without the key, neither can you. In some cases, these keys can be stored automatically. In other cases, you will need to store them manually. Most encryption tools will prompt you to create a backup of the keys when you enable encryption. Your IT team can also enact policies to automatically retrieve these keys and store them in a secure location. Having a robust key recovery mechanism is critical so that you don’t lock yourself out of your own data.
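As an added illustration (not part of the original article), here is one way an IT team could check a Windows PC for the two failure modes described above: a disk that is not actually protected, and an encrypted disk with no recovery key to back up. It assumes Windows 10 Professional or Enterprise with the built-in BitLocker PowerShell module and an elevated prompt; the function names are hypothetical, and the escrow step assumes the PC is joined to an Active Directory domain that accepts BitLocker recovery information.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names are hypothetical.
# The recovery password itself is never printed, only its protector ID.

function Get-DiskEncryptionAudit {
    # One row per volume: encryption state and whether a recovery key exists.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        # Later assignments win, so the checks run from least to most severe.
        $finding = 'OK'
        if ($recovery.Count -eq 0) {
            $finding = 'No recovery password: lockout risk'
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $finding = 'Protection is off or suspended'
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $finding = 'Not fully encrypted'
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            RecoveryProtectorId = $recovery.KeyProtectorId -join ','
            Finding             = $finding
        }
    }
}

function Backup-RecoveryKeysToDirectory {
    # Assumption: domain-joined PC whose policy allows storing BitLocker
    # recovery information in Active Directory. -WhatIf only previews the
    # action; remove it to perform the backup.
    foreach ($vol in Get-BitLockerVolume) {
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $_.KeyProtectorId -WhatIf
            }
    }
}

Get-DiskEncryptionAudit | Format-Table -AutoSize
```

Any row whose Finding is not OK should be resolved before the device leaves the office.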
Written by: James Vavra, Senior Engineer, Enable Ministry Partners