
Encryption for Business: What It Is, Why It Matters, and What You Should Have in Place

Written by Jessie Barr

26/04/2026

Encryption is one of those IT security terms that gets mentioned frequently but rarely explained in a way that’s useful for business owners making practical decisions. It’s not just a technical detail — for UK businesses handling customer data, it’s a legal and commercial necessity.

Here’s a straightforward explanation of what encryption does, where your business should be using it, and what the consequences are of getting it wrong.

What Is Encryption?

Encryption is the process of converting readable data into an unreadable format that can only be decoded by someone with the correct decryption key. If encrypted data is intercepted — whether during transmission across the internet or as the result of a device being stolen — it is useless to anyone without that key.

The underlying mathematics of modern encryption is extraordinarily complex, but the practical effect is simple: encrypted data is protected even if it falls into the wrong hands.

Two types of encryption are relevant for most businesses:

Encryption in transit protects data as it moves between systems — for example, between your browser and a website, or between email servers. This is what HTTPS provides when you see the padlock in your browser address bar.

Encryption at rest protects data that is stored — on a device, a server, or in cloud storage. If a laptop containing sensitive customer data is stolen, full-disk encryption ensures that data cannot be accessed without the correct credentials.

Why Encryption Matters Under UK GDPR

The UK General Data Protection Regulation (UK GDPR) doesn’t mandate encryption by name, but it does require businesses to implement “appropriate technical measures” to protect personal data. The ICO — the UK’s data protection regulator — explicitly cites encryption as an example of an appropriate technical measure, and its absence is likely to be viewed unfavourably in the event of a data breach investigation.

Critically, encryption can affect the outcome of a breach notification assessment. Under UK GDPR, businesses must report certain data breaches to the ICO within 72 hours. However, if the breached data was properly encrypted, the risk to affected individuals is significantly reduced — which may affect whether a breach requires notification at all.

For businesses that handle customer personal data, financial records, or confidential business information, encryption is not optional.

Where Your Business Should Be Using Encryption

Device Encryption

Every business laptop, desktop, and mobile device that accesses company data should have full-disk encryption enabled. On Windows devices, this means BitLocker — Microsoft’s built-in encryption tool. On macOS, the equivalent is FileVault.

Device encryption ensures that if a laptop is lost or stolen, the data on it cannot be accessed by simply removing the hard drive or booting from external media. This is particularly important for remote and hybrid workers whose devices leave the office regularly.
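To confirm that BitLocker is actually protecting a Windows device, the following added example (not from Via Wire or Microsoft) reports the state of every volume using the built-in `Get-BitLockerVolume` cmdlet. `Get-VolumeFinding` is a hypothetical helper name, and the script must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker state for every volume on this machine.
# Get-BitLockerVolume ships with Windows; Get-VolumeFinding is a hypothetical helper.

function Get-VolumeFinding {
    param([Parameter(Mandatory)] $Volume)

    $findings = @()
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        # Covers FullyDecrypted as well as encryption that is paused or in progress
        $findings += "status $($Volume.VolumeStatus), $($Volume.EncryptionPercentage)% encrypted"
    }
    if ($Volume.ProtectionStatus -ne 'On') {
        # An encrypted volume with protection suspended can be read without credentials
        $findings += "protection $($Volume.ProtectionStatus)"
    }
    if (-not $Volume.KeyProtector) {
        $findings += 'no key protector configured'
    }
    return $findings
}

$report = Get-BitLockerVolume | ForEach-Object {
    $findings = @(Get-VolumeFinding -Volume $_)
    [pscustomobject]@{
        MountPoint    = $_.MountPoint
        VolumeType    = $_.VolumeType
        Method        = $_.EncryptionMethod
        KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        Result        = if ($findings.Count) { 'FAIL' } else { 'OK' }
        Findings      = $findings -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a scheduled task or management tool flag the device
if ($report | Where-Object Result -eq 'FAIL') { exit 1 }
```

A volume can show as fully encrypted while protection is suspended, which is why the script checks both values rather than the encryption percentage alone.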

Email Encryption

Standard email is not inherently secure. Messages transmitted between servers can potentially be intercepted, and email remains one of the most common vectors for data theft. For businesses sending sensitive information by email — contracts, financial data, personal information — email encryption adds a meaningful layer of protection.

Microsoft 365 includes email encryption capabilities through Microsoft Purview Message Encryption, which allows businesses to send encrypted emails to recipients inside and outside the organisation.

Microsoft 365 and Cloud Data

Data stored in Microsoft 365 — including SharePoint, OneDrive, and Exchange Online — is encrypted at rest and in transit by Microsoft as standard. However, this does not mean businesses have no responsibility for the data they store there. Access controls, permissions management, and data governance policies all play a role in ensuring that encrypted data is only accessible to the right people within the organisation.

Data in Transit

Any web-based application or portal your business uses to transmit or collect data should be doing so over HTTPS, which encrypts the connection between the user’s browser and the server. This is now standard for reputable services, but worth verifying for any legacy or third-party systems your business relies on.
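One way to carry out that verification for a legacy or third-party system is shown below, as an added example that is not part of the original article. `Test-TlsEndpoint` is a hypothetical helper, the host names are placeholders for your own systems, and treating anything older than TLS 1.2 as legacy and warning at 30 days before certificate expiry are assumptions of this example.

```powershell
# Added example: check that an endpoint negotiates modern TLS with a valid certificate.
# Test-TlsEndpoint is a hypothetical helper; the host names below are placeholders.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $WarnDays = 30   # assumed warning threshold
    )
    $result = [ordered]@{ Host = $HostName; Protocol = $null; DaysLeft = $null; Issues = '' }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Default validation applies: trusted chain, matching name, not expired
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Protocol = $ssl.SslProtocol.ToString()
        $result.DaysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        $issues = @()
        # Assumption: TLS 1.2 and 1.3 are the acceptable versions
        if ($result.Protocol -notin 'Tls12', 'Tls13') { $issues += "legacy protocol $($result.Protocol)" }
        if ($result.DaysLeft -lt $WarnDays) { $issues += "certificate expires in $($result.DaysLeft) days" }
        $result.Issues = $issues -join '; '
    }
    catch {
        # Refused connection, untrusted or mismatched certificate, failed handshake
        $result.Issues = "no valid TLS session: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

'portal.example.com', 'legacy-app.example.com' |
    ForEach-Object { Test-TlsEndpoint -HostName $_ } |
    Format-Table -AutoSize -Wrap
```

The result shows the TLS version negotiated with this client, not every version the server is willing to accept, so an endpoint that passes may still have older protocols enabled.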

Backup Encryption

Backups contain a full copy of your business data and are an increasingly common target for ransomware attacks. Ensuring that backup data is encrypted — both in transit and at rest — means that even if backup storage is compromised, the data within it remains protected.

Common Encryption Gaps Businesses Miss

Even businesses that consider themselves well-protected often have gaps:

Unencrypted USB drives and portable media. Staff copying data to unencrypted USB drives for convenience creates a significant risk if those drives are lost. Encrypted USB drives and policies restricting use of removable media are worth considering.

Personal devices used for work. In businesses without a formal mobile device management policy, employees accessing work email or files on personal devices may be doing so on unencrypted or unmanaged hardware.

Legacy systems. Older software and on-premises systems may not support modern encryption standards. Identifying and addressing these gaps is an important part of any security review.

Weak key management. Encryption is only as strong as the protection of the keys used to decrypt data. Poor key management — such as storing encryption keys alongside encrypted data — undermines the protection encryption provides.

Encryption as Part of a Broader Security Strategy

Encryption is a critical layer of protection, but it works best as part of a broader security approach that includes multi-factor authentication, access controls, patch management, and employee awareness. No single measure provides complete protection — the goal is to make your business a sufficiently difficult target that attackers move on.

At Via Wire, we help businesses assess and improve their security posture, including device encryption, Microsoft 365 security configuration, and mobile device management through Microsoft Intune. Get in touch today to discuss your business’s security requirements.
