TechSoup Blog

Encryption and Nonprofits

Written by Nick Mediati | Mar 2, 2020 9:17:06 PM

As nonprofits, we often handle sensitive information about those we serve. And in many cases, we handle data of vulnerable or at-risk populations, whether it's refugees, children, homeless individuals, or domestic violence survivors. We work in parts of the world where the safety of vulnerable individuals isn't guaranteed. It wouldn't be a stretch to say that sometimes people's lives depend on our data security.

There is no single thing you can do that will magically keep your data secure, but on-device encryption should be a key part of your data privacy and security best practices. In this blog post, we'll outline what encryption is and why it matters.

What Is Encryption, Anyway?

Have you ever passed notes where you had to use a "secret code" to decipher them? Maybe you used numbers as a stand-in for letters or scrambled the order of the alphabet. If you did, you used a simple form of encryption.

At a basic level, encryption is a way of encoding information so that if it's intercepted by someone who shouldn't have access to it, it would be difficult — or practically impossible — for them to decipher it. Only those devices or individuals with the proper "key" are able to access it.

Encryption isn't the same thing as password protection, though you may need to enter a password to access encrypted data — like what happens when you enter a passcode to unlock your smartphone. Using a password without encryption is a little like locking your front door. Sure, you'll keep most would-be intruders out, but a determined thief may still find a way in, say by breaking a window or picking the lock.

For a more in-depth explanation of encryption, I suggest taking a look at this primer from HowStuffWorks. And for the sake of this blog post, we'll be focusing on using encryption on your devices, like smartphones, tablets, and computers.

What Encryption Can — and Can't — Protect Against

Encrypting data on your devices can go a long way toward protecting your organization's data against data theft or leakage. If your phone gets lost or stolen, for example, the data on it is less likely to be stolen if it's been encrypted.

This is especially important if you work at an organization where you handle large amounts of personally identifiable information about your members. For example, if a cyber criminal gets hold of your list of donors' email addresses, they could wreak all kinds of havoc. They could send your supporters malware or spam, for example. They could even pose as your organization and scam your members or target them as part of a phishing attack.

The stakes are even higher if you work with vulnerable or marginalized communities, such as homeless individuals, refugees, and domestic violence survivors. When used in conjunction with other cybersecurity best practices, encryption can help you safeguard those you serve.

But on-device encryption isn't a cure-all by any means. It may still be possible for your data to get leaked or stolen even if you use encryption on your devices.

If your device is infected with malware, it may not be too difficult for a bad actor to access your data, even if it's encrypted.

When All Bets Are Off

If someone manages to trick you into installing a piece of software designed to steal data off your phone, all bets are off — no amount of encryption will protect you from this kind of social engineering. This exact thing happened to Amazon CEO Jeff Bezos. In his case, he had reportedly received a message via WhatsApp from the Crown Prince of Saudi Arabia's account that carried a malicious file, according to the Guardian. As TheStreet succinctly put it, "If Jeff Bezos' smartphone can get hacked, anyone's can."

It's also possible to exploit software bugs to circumvent security measures, making it easier for someone to hack into a device protected by encryption. For example, some law enforcement agencies use tools that "exploit flaws in the software … to remove the limit of 10 password attempts," according to the New York Times. While this doesn't crack the encryption itself, it makes it easier to get in by allowing for an unlimited number of password guesses.

In addition, encryption does nothing to protect against careless data handling or accidental data leaks. It's still possible to email a file that contains sensitive information to the wrong person, for example.

Using Encryption on Your Mobile Devices

Before we go any further, we should note that if you encrypt your device and then forget your password or passcode, you may be locked out of your data for good.

On iOS and Android devices, using encryption is a relatively simple affair. In fact, as noted by Android Authority, many recent Android devices have encryption turned on by default. If your Android device isn't yet encrypted, you can usually turn it on via a toggle in the Settings app. The exact instructions may vary depending on your device, as Android Authority points out, so you may want to refer to your phone maker for step-by-step instructions.

To encrypt an iPhone, iPad, or iPod Touch, all you need to do is set a passcode or password for your device. To do so, go to the Settings app, tap Touch ID & Passcode, then tap Turn Passcode On and follow the on-screen instructions. You can also make it so iOS or iPadOS will erase the data on your device after 10 incorrect attempts to unlock your device. (It's pretty hard to accidentally erase your phone this way — Apple adds a delay after three or so incorrect password attempts so you don't burn through your 10 guesses too quickly.)

Using Encryption on Computers

Encrypting a Mac or a Windows PC is also fairly simple, but the process can vary depending on your operating system or computer.

Microsoft offers two flavors of encryption for Windows 10: device encryption and BitLocker encryption. According to Microsoft, every edition of Windows 10 offers device encryption support, but it doesn't work on all Windows PCs. BitLocker, which is designed with businesses in mind, is not available on Windows 10 Home Edition. Microsoft has a knowledge base article that outlines how to tell whether your PC supports either of its encryption options and how to turn them on.

On the Mac, Apple's FileVault feature offers full disk encryption, rendering it next to impossible for a would-be data thief to access your data. You can turn it on when you first set up your Mac, or you can switch it on later. To do so, go to System Preferences, click Security, then go to the FileVault tab.
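Once encryption is switched on, it is worth confirming that each computer actually reports it as active. The script below is an added example, not part of the original post or anything published by Apple or Microsoft. It runs the operating system's own status tool (`fdesetup status` on a Mac, `manage-bde -status` on Windows) and classifies the result. It assumes English-language tool output, C: as the Windows system drive, and an administrator prompt on Windows; the function names and result labels are made up for this illustration.

```python
import platform
import subprocess

SAMPLE_WIN_SUSPENDED = (  # constructed sample, not captured from a real PC
    "    Conversion Status:    Fully Encrypted\n"
    "    Protection Status:    Protection Off\n"
)

def parse_fdesetup(text):
    """Classify the output of `fdesetup status` on macOS."""
    if "FileVault is On" in text:
        return "encrypted"
    if "FileVault is Off" in text:
        return "not encrypted"
    return "unknown"

def parse_manage_bde(text):
    """Classify the output of `manage-bde -status C:` on Windows."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    conversion = fields.get("Conversion Status", "")
    protection = fields.get("Protection Status", "")
    if conversion == "Fully Encrypted" and protection == "Protection On":
        return "encrypted"
    if conversion == "Fully Decrypted":
        return "not encrypted"
    if conversion and protection:
        # Still converting, or encrypted with protection off (suspended).
        return "incomplete"
    return "unknown"

def check_this_machine():
    if platform.system() == "Darwin":
        cmd, parse = ["fdesetup", "status"], parse_fdesetup
    elif platform.system() == "Windows":  # needs an administrator prompt
        cmd, parse = ["manage-bde", "-status", "C:"], parse_manage_bde
    else:
        return "unsupported"
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return parse(out)

if __name__ == "__main__":
    print("Disk encryption:", check_this_machine())
```

A result of "incomplete" deserves a follow-up: the disk may still be converting, or protection may be switched off even though the data is encrypted.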

It's Not That Hard to Do

In all the coverage of privacy and security, we don't hear a lot about encrypting the data on our devices. What is interesting is that using encryption tools can go a long way toward protecting your and your organization's data against data theft or intrusion. What is even more interesting is that nowadays it's not that hard to do.
