Encryption for Business: A Complete Guide

Published on: 20 September 2023

In 2022, Lifespan Health System paid $1.04 million to settle HIPAA violations after an employee’s unencrypted laptop was stolen from their car. The laptop contained electronic protected health information (ePHI) for over 20,000 patients. The data wasn’t accessed through some sophisticated cyberattack — someone broke a car window and grabbed a laptop. The entire liability stemmed from one missing checkbox: full disk encryption wasn’t enabled.

That’s the reality of encryption in business. It’s not an abstract security concept. It’s the difference between a stolen laptop being an inconvenience (file an insurance claim, ship a replacement) and a stolen laptop being a six-figure regulatory disaster with mandatory breach notifications to every affected individual.

Encryption at Rest vs. Encryption in Transit

These are the two fundamental categories, and they protect against different threats.

Encryption at Rest

This protects data stored on devices and drives. If someone physically steals a laptop, removes a hard drive from a server, or gains access to a cloud storage bucket, encrypted data at rest is unreadable without the decryption key.

The standard for encryption at rest is AES-256 (Advanced Encryption Standard with a 256-bit key). AES-256 is used by the U.S. government for classified information, and with current computing technology, brute-forcing a 256-bit key would take longer than the age of the universe. It’s the default for every serious encryption implementation.

Encryption in Transit

This protects data as it moves across networks — between your computer and a web server, between office locations over a VPN, or between your email server and a recipient’s server. Without encryption in transit, anyone who can intercept the traffic (on a coffee shop WiFi network, for example, or through a compromised router) can read it.

The current standard for encryption in transit is TLS 1.3 (Transport Layer Security). TLS 1.3, finalized in 2018, is faster and more secure than its predecessors. It reduced the handshake from two round trips to one, eliminated support for weak cipher suites, and mandated forward secrecy — meaning even if a server’s private key is later compromised, past communications remain protected.

If your organization is still running TLS 1.0 or 1.1 (and some are — especially on legacy internal applications), you have a genuine security vulnerability. PCI DSS has prohibited TLS 1.0 since 2018, and all modern browsers have dropped support for anything below TLS 1.2.

The Encryption Types You Need to Know

AES-256 (Symmetric Encryption)

AES uses the same key for encryption and decryption. It’s fast, efficient, and ideal for encrypting large amounts of data — full disks, databases, file archives. When someone says “256-bit encryption,” they almost always mean AES-256.

AES-256 is what BitLocker, FileVault, VeraCrypt, and virtually every cloud storage provider use under the hood. AWS S3 server-side encryption, Azure Storage Service Encryption, and Google Cloud’s default encryption all use AES-256.

RSA (Asymmetric Encryption)

RSA uses a pair of keys — a public key that anyone can have, and a private key that only you possess. Data encrypted with the public key can only be decrypted with the private key, and vice versa. RSA is slower than AES, so it’s typically used to encrypt small pieces of data, like encrypting the AES session key at the start of a TLS connection.

RSA with 2048-bit keys is the minimum accepted standard. Many organizations are moving to 4096-bit keys or transitioning to elliptic curve cryptography (ECC), which provides equivalent security with shorter keys and better performance.

How They Work Together

In practice, most encrypted communications use both. When you connect to a website over HTTPS:

  1. Your browser and the server use RSA (or ECC) to securely exchange a random AES session key
  2. The rest of the conversation is encrypted with AES, which is much faster for bulk data transfer

This hybrid approach gives you the key exchange security of asymmetric encryption and the performance of symmetric encryption.
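The two steps above, written out as an added PowerShell example (not code from the original article) using .NET’s RSACng and Aes classes: an RSA-2048 public key wraps a freshly generated AES-256 session key, and AES carries the bulk data. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the RSA key-transport form shown is the classic pattern the text describes, whereas TLS 1.3 derives the session key from an ephemeral (EC)DH exchange instead, which is what gives it the forward secrecy mentioned earlier.

```powershell
# Hybrid encryption walk-through (added example): RSA wraps the AES session key,
# AES encrypts the bulk data. Uses only .NET classes available on Windows.

# --- Server side, done once: generate the long-lived RSA-2048 key pair ---
$server          = [System.Security.Cryptography.RSACng]::new(2048)
$serverPublicKey = $server.ExportParameters($false)   # $false = public half only (Modulus, Exponent)

# --- Client side: knows only the server's public key ---
$plaintext = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample: quarterly patient census export')

# Step 1 (symmetric half): a random 256-bit AES session key for this conversation only.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
# AES-CBC here for portability across PowerShell versions; TLS pairs AES with an
# authenticated mode (AES-GCM) so tampering is detected, which plain CBC does not give you.
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

# Step 2 (asymmetric half): wrap the 32-byte session key under the server's public key.
# RSA is slow, but it only ever touches this small key, never the bulk data.
$client = [System.Security.Cryptography.RSACng]::new()
$client.ImportParameters($serverPublicKey)
$oaep       = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$wrappedKey = $client.Encrypt($aes.Key, $oaep)

# What crosses the network: the wrapped key, the IV and the ciphertext. The AES key itself never does.
'Wrapped key: {0} bytes, IV: {1} bytes, ciphertext: {2} bytes' -f $wrappedKey.Length, $aes.IV.Length, $ciphertext.Length

# --- Server side: only the private key can unwrap the session key ---
$sessionKey = $server.Decrypt($wrappedKey, $oaep)
$aesServer  = [System.Security.Cryptography.Aes]::Create()
$aesServer.Key = $sessionKey
$aesServer.IV  = $aes.IV
$recovered = $aesServer.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
'Recovered: ' + [System.Text.Encoding]::UTF8.GetString($recovered)

# Holding only the public key (or a capture of the traffic) is not enough to unwrap the session key:
try   { $client.Decrypt($wrappedKey, $oaep) | Out-Null; 'unexpected: public-key-only object decrypted' }
catch { 'Decrypt with public key only fails as expected: ' + $_.Exception.GetType().Name }
```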

Endpoint Encryption: Protecting Laptops and Workstations

Every business laptop and workstation should have full disk encryption enabled. Full stop. This is the single most impactful encryption measure you can implement, and it’s free with every modern operating system.

BitLocker (Windows)

BitLocker is built into Windows 10/11 Pro and Enterprise. It encrypts the entire drive with AES-256 and ties the decryption key to the TPM (Trusted Platform Module) chip on the motherboard. When the authorized user logs in, the drive decrypts transparently. If someone removes the drive and puts it in another machine, the data is inaccessible.

Key deployment considerations:

  • Recovery key management is critical. If a user forgets their PIN or the TPM fails, the recovery key is the only way in. Store recovery keys in Active Directory or Azure AD — never let users write them on sticky notes.
  • Use Group Policy to enforce BitLocker on all domain-joined machines. The policy “Require additional authentication at startup” lets you mandate a PIN at boot, adding a layer beyond just TPM.
  • BitLocker To Go encrypts removable USB drives. If your employees transfer data on thumb drives (and they probably do, even if you’ve told them not to), enforce BitLocker To Go through Group Policy.
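A check for the first two considerations above, as an added PowerShell example (not code from the original article): it reports each volume’s encryption and protector state, adds a recovery password protector where an encrypted drive has none, and escrows every recovery password to Azure AD with the BitLocker module’s own cmdlets. It assumes Windows 10/11 Pro or Enterprise, an Azure AD-joined device, and an elevated session; on an AD DS-joined machine the escrow call is Backup-BitLockerKeyProtector instead.

```powershell
# BitLocker audit and recovery-key escrow (added example, run as Administrator).
# There is no local record of whether a recovery password has already been escrowed,
# so re-uploading every protector is the safe default; the call is harmless to repeat.
foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $tpm      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

    # One row per volume: what an auditor will ask for.
    [pscustomobject]@{
        Volume          = $vol.MountPoint
        Status          = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress
        Protection      = $vol.ProtectionStatus    # Off means the keys are exposed (e.g. suspended), even if encrypted
        Method          = $vol.EncryptionMethod    # e.g. XtsAes128 or XtsAes256
        HasTpmProtector = ($tpm.Count -gt 0)
        RecoveryKeys    = $recovery.Count
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$($vol.MountPoint) is not encrypted; enforce BitLocker through Group Policy or MDM."
        continue
    }

    # Finding 1: an encrypted drive with no recovery password means a TPM failure or forgotten PIN
    # locks the data out permanently. Add one, then re-read the protector list.
    if ($recovery.Count -eq 0) {
        Write-Warning "$($vol.MountPoint) has no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    # Finding 2: escrow. The 48-digit password is never printed here; it goes straight to Azure AD.
    foreach ($rp in $recovery) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}
```

Run it from an Intune platform script or a scheduled task so a laptop that was imaged outside the normal process still ends up with an escrowed key.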

FileVault (macOS)

FileVault uses XTS-AES-128 encryption on Macs. On Apple Silicon Macs (M1 and later), the drive is always encrypted at the hardware level — FileVault just controls whether a password is required at boot. Enable it through an MDM solution like Jamf, Mosyle, or Microsoft Intune, and escrow recovery keys centrally.

Linux (LUKS)

LUKS (Linux Unified Key Setup) is the standard for full disk encryption on Linux. It’s typically configured during OS installation. For enterprise deployments, manage keys through a centralized system rather than leaving them on individual machines.

Email Encryption: The Forgotten Layer

Email is one of the least secure communication channels in common business use. Standard SMTP sends messages in plaintext between servers. Even if your email provider uses TLS for server-to-server transmission (and most do now), the message is stored unencrypted on both the sending and receiving servers.

S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME provides end-to-end encryption for email using digital certificates. Each user gets a certificate from a certificate authority (like DigiCert or Sectigo). Messages encrypted with S/MIME can only be read by the intended recipient — not the email provider, not your IT department, not a subpoena-wielding attorney without the private key.

S/MIME is supported natively in Outlook, Apple Mail, and most enterprise email clients. The challenge is certificate management — issuing, renewing, and revoking certificates for every user who needs encrypted email.

Microsoft 365 Message Encryption

If you’re on Microsoft 365, Message Encryption (OME) is a more practical option for most businesses. Users can encrypt individual messages with a button click, and recipients don’t need their own certificate — they authenticate through their Microsoft account or a one-time passcode. It’s not true end-to-end encryption (Microsoft holds the keys), but it satisfies most business compliance requirements.

What Happens When Encryption Is Missing: Real Consequences

The stolen laptop scenario isn’t hypothetical. Here are the stakes by regulation:

HIPAA (Healthcare)

  • A lost or stolen device containing unencrypted ePHI triggers mandatory breach notification to every affected individual, the Department of Health and Human Services, and (if over 500 people are affected) local media
  • Fines range from $100 to $50,000 per violation, up to $1.5 million per year for each violation category
  • Encryption is an “addressable” safeguard under HIPAA — meaning if you chose not to encrypt and something happens, you need to explain why your alternative was equivalent. Good luck with that argument.

PCI DSS (Payment Card Industry)

  • Storing cardholder data on unencrypted devices violates Requirement 3 (Protect stored cardholder data) and Requirement 4 (Encrypt transmission of cardholder data across open, public networks)
  • Non-compliance can result in fines of $5,000-$100,000 per month from card brands, plus liability for any fraudulent transactions

State Breach Notification Laws

All 50 states have breach notification laws. Most include a safe harbor provision for encrypted data — if a stolen device was properly encrypted, you don’t have to notify. Without encryption, you’re mailing letters to every person whose data was on that device, paying for credit monitoring, and dealing with the reputational fallout.

The Math

Consider a 200-employee company in healthcare. An unencrypted laptop with a patient database is stolen:

  • Breach notification costs: $5-$15 per affected individual (printing, mailing, call center)
  • Credit monitoring: $10-$20 per person for 12-24 months
  • Legal fees: $50,000-$200,000
  • HIPAA fine: $100,000-$1,500,000
  • Reputational damage: incalculable

Total potential cost: $200,000 to $2,000,000+

The cost of enabling BitLocker on every laptop in the organization: $0 (it’s included with Windows Pro). The cost of an MDM solution to manage it centrally: $3-$8/device/month.

Building an Encryption Policy

A practical encryption policy for a small to mid-size business should cover:

  1. Full disk encryption required on all endpoints — no exceptions, enforced through MDM or Group Policy
  2. Recovery keys escrowed centrally — in Active Directory, Azure AD, or your MDM platform
  3. Removable media encrypted or blocked — BitLocker To Go for USB drives, or disable USB storage entirely through policy
  4. Email encryption available for sensitive communications — OME for Microsoft 365 shops, S/MIME for higher-security needs
  5. TLS 1.2+ required for all web-facing services — disable TLS 1.0 and 1.1 on servers, load balancers, and firewalls
  6. Cloud storage encryption verified — confirm that your cloud providers encrypt data at rest (most do by default, but verify and document it)
  7. VPN required for remote access — all traffic between remote workers and company resources should traverse an encrypted tunnel
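Policy item 5 above, and the legacy-TLS warning in the Encryption in Transit section, come down to one server-side change on Windows: turning TLS 1.0 and 1.1 off in Schannel. The following is an added PowerShell example (not code from the original article) that sets the documented Schannel registry values for the server role and then reads them back for the compliance record; it assumes an elevated session on a Windows server, and a reboot is needed before Schannel honours the change.

```powershell
# Disable TLS 1.0/1.1 and explicitly enable TLS 1.2 for inbound connections (added example).
# Test on a non-production host first: any client that can only speak TLS 1.0/1.1
# (old database drivers, legacy monitoring agents) will stop connecting after the reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Enabled=0 with DisabledByDefault=1 turns a protocol off; Enabled=1 with DisabledByDefault=0
# turns it on regardless of the OS default, so the state is explicit rather than inherited.
$desired = [ordered]@{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

# Only the Server subkey is changed here (inbound). A sibling 'Client' subkey governs the
# machine's own outbound connections and is left alone so outbound dependencies can be reviewed separately.
foreach ($protocol in $desired.Keys) {
    $key = Join-Path -Path $base -ChildPath "$protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $desired[$protocol].Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $desired[$protocol][$name] -Type DWord
    }
}

# Read back the effective values so the change can be documented for an audit.
foreach ($protocol in $desired.Keys) {
    $p = Get-ItemProperty -Path (Join-Path -Path $base -ChildPath "$protocol\Server")
    '{0,-8} Server  Enabled={1}  DisabledByDefault={2}' -f $protocol, $p.Enabled, $p.DisabledByDefault
}
'Reboot required for Schannel to apply the new protocol settings.'
```

Load balancers and firewalls in front of the server need the same minimum-version setting in their own configuration, or the change on the host is invisible to the outside.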

Getting Encryption Right

Encryption is one of those security controls that delivers outsized value for minimal effort. The technology is mature, the tools are built into the operating systems you already use, and the cost of not doing it is astronomical compared to the cost of implementation.

If you’re not sure where your organization stands on encryption — whether endpoints are protected, whether your email is secured, whether your cloud data is encrypted at rest and in transit — that uncertainty itself is the problem.

Exodata’s security team helps Nashville businesses implement encryption policies, deploy endpoint protection, and build security frameworks that satisfy compliance requirements without drowning in complexity. Whether you need a full security assessment or just want to make sure your laptops are encrypted before the next one walks out the door, reach out to start the conversation.