WinZip Enterprise Blog

Protecting the world's most sensitive data for over 30 years.

WinZip Blog

Join WinZip at the Gartner Security & Risk Management Summit!

We’re pleased to announce that WinZip® will be an exhibitor at this year’s Gartner Security & Risk Management Summit from June 7-10! The event takes place in National Harbor, Maryland, and can be attended either in person or virtually.

Attendees will get a chance to meet with members of the WinZip team at booth #1129. We’ll provide details about the benefits of our WinZip Enterprise and WinZip SafeMedia™ solutions and how they can equip organizations to combat today’s security challenges.

What Is the Gartner Security & Risk Management Summit?

This event is an industry-leading conference focused on accelerating the evolution of security. Over the course of three days, attendees get a chance to sit in on hundreds of sessions that feature the world’s cybersecurity thought leaders alongside Gartner cybersecurity experts as they share invaluable insights into key security threats, needs, and tactics for 2022 and beyond.

A top theme of this year’s summit is the accelerated adoption of digitalization and agile methodologies among organizations, which has dramatically increased their risk profiles. Companies must now learn how to evolve their security strategies to successfully manage this risk.

Why Should You Attend?

This event is for any security and risk management leaders looking to shore up their company data security plans, processes, and technology to overcome today’s challenges and meet the demands of the future.

Here are three key benefits of attending:

1. Discover how to evolve your security strategy by reframing and simplifying your defenses to prepare for current and future attacks.

2. Get a chance to mingle with some of the most influential members of the cybersecurity community—including our WinZip team! We’re holding several networking events where you can meet with WinZip experts to learn more about our industry-leading technology and how it protects company data.

3. Enter the WinZip raffle for a chance to win a Microsoft Surface Go 3! All attendees who visit the WinZip booth can enter the drawing by simply scanning their badge. We’ll randomly select a winner at the end of the conference and notify them within 30 days of the drawing.

If you haven’t yet registered to attend, don’t wait! Nab your spot while there’s still time.

Once you’ve got your ticket:

  • Stop by the WinZip booth (#1129) during the event to learn how our technology can strengthen your organization’s cybersecurity defenses.

  • Keep reading below for a quick primer on the WinZip solutions we’ll be showcasing at this event.

Gain All-in-One Security for Greater Peace of Mind with WinZip Enterprise

WinZip Enterprise is a best-in-class file encryption, data management, file sharing, and compression solution combined into a single powerful, customizable tool. It protects data using the highest levels of bank- and military-grade AES encryption, including FIPS 140-2 and FIPS 197, and is trusted for DFARS compliance.

With centralized IT control and a single pane of glass for cloud file management, PDF management, endpoint backup, and compliance and encryption, WinZip Enterprise is a trusted choice by Fortune 500 companies in the areas of financial services, healthcare, insurance, and government and military defense.

New features in the latest version of WinZip Enterprise include:

  • Context-aware file management tools, including a streamlined actions pane, Image Manager, PDF express, batch conversion capabilities, quick access to recent contacts and a Files Shared to Me folder, the ability to switch seamlessly between Windows Explorer and WinZip Enterprise, and much more.

  • Updated backup and automation capabilities, including WinZip Secure Backup and enhanced auto clean and organization capabilities.

  • New file compression, packaging, and sharing options, including personal network attached storage (NAS) cloud drive support and WinZip Share Express along with more filter options for zipping files.

WinZip Enterprise offers licensing and support tailored to your business, along with volume pricing.

Request a free WinZip Enterprise quote or POC to learn more.

Protect Sensitive Data On-the-Go with WinZip SafeMedia

WinZip SafeMedia helps organizations keep sensitive data safe by enabling users to store, manage, and transport files on removable media (e.g., USB drives, CDs).

The ability to secure data “on the go” has become essential in today’s remote and hybrid work environments, where employees frequently use their own personal devices for work purposes, including removable storage devices.

WinZip SafeMedia is a simple, centrally managed solution that safeguards data on removable storage devices with enterprise-level data security features and military-grade encryption.

Key features include:

  • Powerful administrative tools that enable customized settings and monitoring so you can tailor security policies to your organization’s needs.

  • FIPS 140-2 compliant and FIPS 197 certified encryption and compression to protect your data on removable media and in transit.

  • A seamless drag and drop interface with automatic security features that won’t hinder employee productivity.

IT departments responsible for safeguarding cybersecurity for some of the largest organizations in high-risk verticals like financial services, healthcare, insurance, manufacturing, legal/law firms, and government and military defense firms trust WinZip SafeMedia to protect their data.

See the benefits for yourself—get a free WinZip SafeMedia quote or POC.

Data Masking and Data Encryption: How They Work Together

In today’s increasingly distributed workplaces, the need for data protection is at an all-time high. As of February 2022, 42% of remote-capable employees have a hybrid schedule that combines working from home and being in the office. An additional 39% work exclusively off-site.

This shift to remote and hybrid work environments increases the risk of vulnerable data exposure. The use of multiple devices and unsecured networks to access and share data creates new avenues for cyberattacks via unauthorized access.

There are a number of processes available to protect and secure your data. Two of the most common techniques are data masking and data encryption. In this article, we will explore what data masking is, how it differs from encryption, and how they work together for improved cybersecurity.

What is Data Masking?

Making something appear different than its actual form is known as obfuscation. Data obfuscation or data masking protects sensitive elements in a database or across multiple databases, such as:

  • Personally identifiable information (PII)
  • Payment card and other financial information
  • Intellectual property
  • Protected health information (PHI)
  • Commercially sensitive information

To ensure data privacy, data masking replaces real data with modified values, such as characters or numbers. For example, replacing customer names with a standard value (e.g., ‘John Doe,’ ‘Jane Doe’) preserves the original data format while protecting the real names from unauthorized identification.

By masking sensitive information, you are able to retain and share the data across systems and databases while minimizing security risks. There are two main forms of data masking: static and dynamic.

Static data masking protects sensitive data when it is moved from the production environment for the purpose of research, troubleshooting, analytics, and reporting. The masked data is duplicated into a separate database, or external environment, where it can be shared with both internal and external stakeholders. This is a one-way, irreversible process that enables testing, training, and development without compromising the original data.

Dynamic data masking, by comparison, masks data in real-time production environments. It does not require a secondary database to hold the masked data. Instead, dynamic masking occurs in real-time in response to user requests. Authorized users are able to view the original, unaltered data, and unauthorized users see masked data values.

How Is Data Masking Different From Data Encryption?

Data encryption and data masking are distinct methods of data protection. They are designed to solve different problems related to data security.

Encryption uses sophisticated algorithms to encode the original data into an unreadable ciphertext. It is widely used to protect sensitive data against external threats, such as hackers and other cybercriminals. Data encryption is most useful when you do not require real-time data usability, making it well-suited to protect data at rest or in transit.

Data masking is especially useful for data in use, which is data that is being directly accessed by one or more users. For example, teams often need to access data for work in non-production environments, such as quality assurance, development, and testing. Masking renders realistic values that maintain the data integrity needed for such processes without exposing sensitive information. This safeguards data from internal threats, including both malicious and unintentional errors.

Unlike encryption, data masking is irreversible. Once sensitive data is masked, there is no way to transform it back to its original state. As long as you have the correct decryption key, encryption is reversible and the ciphertext can be restored back to its original state. However, data encryption also introduces risk in the event that the encryption key is lost, deleted, or compromised by unauthorized users.
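The static and dynamic masking described above, written out as an added example (this is not WinZip code and not part of the original article). Static masking produces a one-way copy for a non-production environment; dynamic masking leaves the stored record untouched and decides per request whether the caller sees real or masked values. The keyed-hash pseudonym is deterministic, so the same real name yields the same token across tables, yet nothing here can recover the original, which is the irreversibility the article contrasts with encryption. The key, the role list, the record and the card-number display rule (first six and last four digits kept) are all constructed assumptions for the demo.

```python
import hmac
import hashlib

# Constructed demo key: in practice this lives in a secrets manager, never in source.
MASK_KEY = b"constructed-demo-masking-key"

# Assumed roles permitted to see unmasked values under the dynamic masking policy.
AUTHORIZED_ROLES = {"clinician", "fraud-analyst"}


def pseudonymize(value, prefix):
    """Static masking via a keyed hash.

    Deterministic: the same input always gives the same token, so joins across
    masked tables still line up. One-way: even the key holder cannot invert it.
    """
    digest = hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:8]}"


def mask_ssn(ssn):
    """Replace every digit but keep the NNN-NN-NNNN shape so format checks still pass."""
    return "".join("X" if ch.isdigit() else ch for ch in ssn)


def mask_pan(pan):
    """Display masking for a card number: show at most first six and last four digits."""
    digits = pan.replace(" ", "")
    if len(digits) < 13 or not digits.isdigit():
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def static_mask(record):
    """Build the irreversible copy that a test or analytics environment would receive."""
    return {
        "name": pseudonymize(record["name"], "Patient"),
        "ssn": mask_ssn(record["ssn"]),
        "pan": mask_pan(record["pan"]),
        # Non-identifying field kept as-is so the data stays useful for analysis.
        "diagnosis": record["diagnosis"],
    }


def dynamic_view(record, role):
    """Real-time masking at query time: authorized roles see the original row,
    everyone else sees masked values; the stored record itself never changes."""
    if role in AUTHORIZED_ROLES:
        return dict(record)
    return static_mask(record)


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Ada Example",
    "ssn": "123-45-6789",
    "pan": "4111 1111 1111 1111",
    "diagnosis": "seasonal allergies",
}

if __name__ == "__main__":
    print("static copy   :", static_mask(SAMPLE_RECORD))
    print("clinician view:", dynamic_view(SAMPLE_RECORD, "clinician"))
    print("intern view   :", dynamic_view(SAMPLE_RECORD, "intern"))
```

The masked copy has no inverse function; if a workflow ever needs the real value back, that is a signal that encryption (with its key-management burden) is the right control for that field, not masking.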

How Data Masking and Data Encryption Work Together

Encryption and masking are effective methods of guarding against unauthorized access and improper use of sensitive data. Encryption is commonly employed to protect data at rest and in transit. If the network or system is compromised or data transfer is intercepted, encryption renders the data useless to the unauthorized user.

Data masking is more appropriate for data in use. This is because masking hides data from unauthorized users without impacting its usability. As data circulates or is accessed in non-production environments, it is desensitized and protected against internal and external threats.

Highly regulated industries often use a combination of masking and encryption to comply with various data privacy laws.

Health Insurance Portability and Accountability Act (HIPAA)

Any organization that handles or processes protected health information (PHI) is subject to HIPAA rules. Data at rest or in transit is addressed in the HIPAA Security Rule, which identifies safeguards for data protection.

According to the Department of Health and Human Services (HHS), encryption reduces the risk of unauthorized exposure or theft of PHI. Title 45 of the Code of Federal Regulations (CFR), Section 164.312, states that covered entities and business associates must “implement a mechanism to encrypt and decrypt electronic protected health information.”

HIPAA rules also seek to preserve the privacy of individually identifiable health information (IIHI). This is information that can be linked to a specific person, so the use and disclosure of IIHI has restrictions to protect the individual’s privacy.

Data masking enables HIPAA covered entities to use and share health data without violating privacy rules. According to 45 CFR Section 164.514, there are 18 identifiers that must be masked within a data set before it can be shared. Under HIPAA, these identifiers include but are not limited to the following:

  • Names
  • Social Security numbers
  • Telephone numbers
  • Medical record numbers
  • Biometric identifiers (e.g., fingerprints, voice)
  • Full-face photos
  • Certificate or license numbers
  • Device identifiers and serial numbers

Once PHI is masked, it can be freely shared for uses such as medical studies and assessments.

Payment Card Industry Data Security Standard (PCI DSS)

The storage, processing, and transmitting of cardholder data is regulated by PCI DSS security standards. While these standards are not set forth by governmental legislative bodies, compliance violations can result in financial penalties based on the discretion of the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS Requirement 3 provides guidance on protecting cardholder data. Cardholder data consists of the following:

  • The cardholder’s name, card expiration date, and card service code.

  • The Primary Account Number (PAN), which is the card number displayed on the front of the card.

  • Sensitive Authentication Data (SAD), including the magnetic track data, PIN or PIN block, and card verification value (CVV).

If the data is encrypted, you are allowed to store a cardholder’s name, the PAN, and the card’s expiration date and service code. However, you are not permitted to store SAD information, even if that data is encrypted.

Encryption protects PCI DSS data when it is stored or in transit, while masking preserves confidentiality when sharing or displaying data. This is especially important when it comes to PAN data, which is often targeted because malicious actors can use it to impersonate or steal the cardholder’s identity. Masking requirements for PAN display apply to all display mediums, including computer screens, receipts, reports, and faxes.

General Data Protection Regulation (GDPR)

Organizations subject to the GDPR must meet two comprehensive compliance categories: data protection and data privacy. Data protection safeguards against unauthorized access, while data privacy addresses how data is used and for what purposes.

According to GDPR, a crucial aspect of data privacy is the use of data encryption. To protect consumer data and reduce the risks associated with storage and transfer, the GDPR’s Recital 83 specifically recommends “using techniques such as encryption.”

Data masking can be used to satisfy the GDPR’s mandate that organizations implement data minimization. By removing any real identifiers, organizations can use customer data for analytics, testing, and other support processes while preserving the anonymity of personal information.

The GDPR refers to the data masking process as pseudonymization, which is referenced throughout its Articles and Recitals:

  • Article 6(4) identifies pseudonymization and encryption as appropriate safeguards for processing data for a purpose other than for which it was collected.

  • Article 25 cites pseudonymization as an appropriate technical and organizational measure to meet GDPR requirements.

  • Article 32 requires secure processing techniques, including the pseudonymization and encryption of personal data.

  • Article 89 lists data minimization and pseudonymization as appropriate protections for processing data for archiving purposes.

Protect Sensitive Data with Masking and Encryption

Whenever you collect, store, or transfer sensitive data, you must take appropriate steps to keep it secure. Using a combination of data masking and encryption ensures that you have end-to-end protection to secure data at rest, in transit, and in use.

To protect crucial data with simplified file encryption, organizations look to solutions such as WinZip® Enterprise. With powerful AES encryption that complies with Federal Information Processing Standards (FIPS), your sensitive information is protected at rest and in transit.

Pairing WinZip Enterprise with leading data masking tools makes for comprehensive data security. WinZip Enterprise is fully customizable, giving IT administrators granular control over encryption standards, password policies, backup schedules, and more.

Discover how WinZip Enterprise’s data encryption can work within your organization’s overall cybersecurity framework.

What Is Data Minimization and Why Do You Need to Understand It?

Data collection for business purposes is at an all-time high, with organizations managing 10 times more data on average than they did five years ago. Enterprises often leverage data analytics to uncover meaningful insights within these accumulations of data or data reservoirs, which leads to data-driven decisions that can improve business outcomes.

While data collection is undeniably useful for businesses seeking a competitive advantage, it is not without security risks. Collecting data can open a company up to threats like ransomware, malware, hacking, and data breaches or leakage.

The more data a business collects, the larger the surface area for security risks becomes. This increases the number of vulnerable points in data systems and networks. For example, in July 2021, attackers accessed and hacked T-Mobile servers and databases that contained personally identifiable information of millions of current, former, and prospective customers. According to security experts, this was the result of malicious actors exploiting security vulnerabilities in T-Mobile’s expansive digital landscape. Once the attackers had this backdoor access, they were able to locate valuable data and exfiltrate it.

To mitigate these liabilities, companies are employing data minimization principles. These principles limit the scope of personal data collection and retention to only what is necessary for fulfilling a specific purpose.

In this article, we will delve into what data minimization is, its benefits, and how to apply data minimization principles in your organization. We will also explain how solutions such as WinZip Enterprise® enhance data protection and help you satisfy current data minimization standards.

What is data minimization?

Data minimization is one of the essential data protection principles. Instead of collecting and saving every piece of personal data that crosses your company’s system, the data minimization principle requires you to collect and retain only the minimum amount of data needed to provide a product or service.

First introduced by the EU General Data Protection Regulation (GDPR), the data minimization principle requires that when companies collect and process personal data, it must be:

  • Adequate to satisfy the stated purpose of data collection.
  • Relevant to the rational needs of that purpose.
  • Limited to what is necessary for that purpose.

This means that any data collected is to be used for an immediate and necessary purpose. Data cannot be stored on servers or in the cloud on the off chance of future use. As such, organizations need to collect as little data as possible, limit access to the data, and retain the data for only as long as it is needed.

How to apply data minimization principles

Data minimization consists of two primary best practices:

  • Collect only data that is relevant to the provision of your goods and services.

  • Do not keep the data for longer than is reasonably necessary.

A successful data minimization strategy starts by narrowing the scope of your data collection activities. If a piece of personal data does not directly help you conduct business, it should not be collected.

For example, if your website has a form where visitors can sign up for your mailing list, asking for their date of birth will result in the processing of irrelevant data. However, it would be appropriate to collect personal data such as names and email addresses.

In addition to refining collection processes, data minimization also requires that organizations reduce the volume of data already in their possession. Start by taking a comprehensive inventory of your existing data stack or inventory. This includes not only the overall volume of data the company has, but where it is located, how long it has been stored, and who can access it.

Once you’ve assessed your current data inventory, the next step is to identify the purpose for its collection, such as the delivery of goods and services, advertising, refining marketing strategies, or other business functions.

Be specific in defining the purpose of the data, and ensure that business stakeholders and data subjects both understand how and why it is collected, retained, and used.
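The two best practices above, collect only what the stated purpose needs and keep it no longer than necessary, can be enforced mechanically. The following is an added example (not WinZip code and not from the original article): each purpose carries an allowlist of fields and a retention period; a submission is trimmed to the allowlist before it is stored, and a periodic sweep drops records whose retention has lapsed. The purposes, field lists, retention periods and sample submissions are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed purpose register: which fields each purpose may collect and how long
# the resulting record may be kept. Real values come from your data inventory.
PURPOSE_POLICY = {
    "mailing_list": {"fields": {"name", "email"}, "retention_days": 365},
    "order_fulfilment": {
        "fields": {"name", "email", "shipping_address"},
        "retention_days": 730,
    },
}


def minimize(submission, purpose):
    """Keep only the fields the stated purpose needs.

    Returns (kept_record, dropped_field_names) so the caller can log what was
    refused at the collection boundary instead of silently storing it.
    """
    if purpose not in PURPOSE_POLICY:
        raise ValueError(f"no collection policy for purpose {purpose!r}")
    allowed = PURPOSE_POLICY[purpose]["fields"]
    kept = {k: v for k, v in submission.items() if k in allowed}
    dropped = set(submission) - allowed
    return kept, dropped


def is_expired(collected_at, purpose, now):
    """True once a record has outlived the retention period for its purpose."""
    limit = timedelta(days=PURPOSE_POLICY[purpose]["retention_days"])
    return now - collected_at > limit


def purge_expired(records, now):
    """records: list of dicts with keys collected_at, purpose, data.

    Returns (retained, purged) so the sweep can report what it removed.
    """
    retained, purged = [], []
    for rec in records:
        target = purged if is_expired(rec["collected_at"], rec["purpose"], now) else retained
        target.append(rec)
    return retained, purged


# Constructed sample inputs (not real people).
NOW = datetime(2022, 6, 1)
SIGNUP = {
    "name": "Pat Example",
    "email": "pat@example.invalid",
    "date_of_birth": "1990-01-01",   # irrelevant to a mailing list, must be dropped
}
STORED = [
    {"collected_at": datetime(2022, 5, 1), "purpose": "mailing_list", "data": {}},
    {"collected_at": datetime(2021, 1, 1), "purpose": "mailing_list", "data": {}},
    {"collected_at": datetime(2021, 1, 1), "purpose": "order_fulfilment", "data": {}},
]

if __name__ == "__main__":
    kept, dropped = minimize(SIGNUP, "mailing_list")
    print("stored:", kept, "refused:", sorted(dropped))
    retained, purged = purge_expired(STORED, NOW)
    print(f"retained {len(retained)}, purged {len(purged)}")
```

Treating the dropped-field set as a logged event, rather than discarding it quietly, gives you evidence that the collection boundary is doing its job when an auditor asks how minimization is enforced.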

Data minimization and regulatory compliance

Numerous privacy regulations highlight the importance of data minimization.

For example, data minimization is addressed in Article 5 and Article 25 of the General Data Protection Regulation (GDPR):

  • Article 5 describes the principles that govern how personal data is processed.

  • Article 25 sets forth requirements for technical and organizational measures to implement data protection, including data minimization.

Since the GDPR took effect in 2018, there have been over 900 fines issued for violating its principles. In October 2020, for example, clothing retailer H&M was fined 35.3 million euros for violating data minimization principles. The company collected and stored sensitive personal data about its employees, and a lack of access controls led to a company-wide exposure of this protected data following a configuration error.

At the federal level in the United States, data minimization principles are seen in the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

  • The HIPAA Minimum Necessary Standard requires covered entities to make a reasonable effort to limit access to protected health information (PHI) to the minimum needed to accomplish a specific purpose.

  • Under the GLBA Safeguards Rule, financial institutions must develop, apply, and maintain processes to securely dispose of customer data within two years after the date of the information’s last usage.

Another privacy standard that deals with data minimization is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS standards are concerned with securing the confidentiality and privacy of personal cardholder data. The use of data minimization principles can help organizations satisfy PCI DSS Requirement 3 and Requirement 7:

  • Under Requirement 3, unless absolutely necessary for business functions, cardholder data should not be stored at all. For cardholder data that must be stored, it is the organization’s responsibility to limit the storage time and purge data that has reached a specified retention period.

  • Requirement 7 restricts access to cardholder data to only those who need it for specific business responsibilities.

There are also state-level laws that include data minimization principles.

For example, in 2020, the California Privacy Rights Act (CPRA) became the first US privacy law to specifically require data minimization. The CPRA requires that data collection must be limited to only what is necessary for an explicit purpose and that the data be retained for no longer than absolutely necessary.

Virginia also has a comprehensive privacy law—the Virginia Consumer Data Protection Act (CDPA). Companies subject to CDPA must limit the collection of personal data to what is necessary for current business purposes and companies cannot use data without prior disclosure to affected individuals.

Like California and Virginia, Colorado has comprehensive consumer privacy legislation. The Colorado Privacy Act (CPA) limits the collection of personal data to what is necessary in relation to its specified purpose. Collected data cannot be used for secondary purposes unless the individual’s consent is obtained first.

Stockpiling data is a business risk

Even if your enterprise is not subject to regulatory provisions that mandate data minimization, the practice of reducing data storage waste is still beneficial. In the age of big data, there is a tendency for companies to collect and store every piece of data they can for potential future use.

Maintaining large stockpiles of unneeded data not only runs afoul of GDPR and other privacy rules, but it also increases privacy risks and operational costs. Most companies only analyze 12% of the data they have, meaning that the remaining 88% takes up storage space without providing any meaningful value.

Around 5 out of 10 organizations today rely on cloud data storage, and the costs can be substantial. For example, storing a single terabyte (TB) of data costs an average of $3,351 per year, and cloud storage spending accounts for 30% of a company’s IT budget. Accordingly, collecting only the data you need reduces the costs associated with data retention and storage.

Data minimization also creates a smaller digital landscape that needs to be secured against cyber-crime, theft, and loss. The average data breach involves more than 25,000 records and costs the affected organization between $3.86–3.92 million. In the event of a data breach, data minimization practices limit the number of records that could be affected by the incident.

By protecting sensitive data, companies not only avoid potential penalties, but they can also enhance their reputation and build customer loyalty. If a business demands too much of an individual’s information, 84% of consumers will refuse to engage with the brand. Customers are more trusting of companies that take data privacy seriously.

WinZip Enterprise enables comprehensive data protection

Minimizing your company’s data inventory makes it easier to achieve and maintain high levels of information security, and it starts with having the appropriate solutions in place.

WinZip Enterprise is a comprehensive, streamlined solution that protects your organizational data. Thanks to customized access controls, your IT teams can restrict data access based on specific job roles and functions. Your files are kept safe with bank- and military-grade encryption, further reducing the risk of data theft or loss.

To assist in evaluating, managing, and ultimately minimizing your data inventory, WinZip Enterprise finds and flags duplicate files. In addition to reducing the burden on data storage, this process also helps identify and mitigate redundant, obsolete, and trivial (ROT) data.

Redundant data exists in multiple places, whether within a single system or across multiple platforms. On average, around 30% of your storage infrastructure might contain duplicate data. WinZip Enterprise can help companies like yours save thousands of dollars in storage and management fees by eliminating data redundancies.

Discover how WinZip Enterprise can help your organization adhere to data minimization standards and practices.

Incremental Versus Differential Backup for Enterprise Data Storage

Your organization’s data is perhaps your most valuable asset. It informs business decisions, is used to plan and execute strategies, and helps build and strengthen relationships with customers and business partners.

If any of this data is lost or compromised, how quickly your organization recovers depends largely on whether you have a solid data backup strategy.

There is no one-size-fits-all approach for data backup strategies. That said, the frequency of your business’s data backups will likely be influenced by the type and volume of data your business handles. On average, organizations experience a 63% growth in data volume monthly. This growth rate is faster than a company’s ability to keep up, according to 57% of IT professionals and business managers.

In this article, we’ll explore different options for backing up files, the differences between these options, and how technology can streamline your enterprise backup strategy.

Common file backup options

Backing up your data stores a secure copy in a secondary location that can be retrieved if your original files are lost, corrupted, or destroyed.

There are three primary backup options:

  • Full backup. A full backup duplicates an entire data set in one go, accelerating data restoration after a loss event. Running full backups requires a significant amount of time and storage space, so it is often impractical to run full backups daily.

  • Differential backup. A differential backup copies all the data that has been added or changed since the last full backup. This option saves storage space and decreases backup time.

  • Incremental backup. An incremental backup makes a copy of any updated or new data created after the most recent backup, regardless of whether that was a full, differential, or incremental backup. This process uses fewer resources, requires minimal storage, and enables high-speed backups.

Full backups are the most comprehensive, as they copy all data in a system. Because all data is located and backed up in one place, this speeds up retrieval time for data restoration. At the same time, running the backup itself is a time-consuming process, and each full backup will consume more of your available storage space.

Differential and incremental backups help ensure continuous data protection between full backup events. While the processes are similar, there are certain attributes to keep in mind when comparing incremental versus differential backup methods.

Differential data backup

Differential backups include all changes since the last full backup. For example, if you run a full backup on Saturday, running a differential backup the following Monday will back up any data changed since Saturday.

If you run another backup on Tuesday, the differential backup will once again make a copy of everything that changed since Saturday’s full backup. With each differential backup, the amount of needed storage space increases.

A differential backup is faster than running a full backup, but slower than an incremental backup. Should you need to restore data, all you need is the last full backup and the last differential backup.

To run a differential backup, your backup solution performs the following steps:

  • A user, program, or automatic schedule requests the backup.

  • The differential backup file saves any changes made since the last full backup.

  • The differential backup file is stored in your designated location.

Incremental data backup

An incremental backup, on the other hand, includes the data changed since any previous backup activity—not just full backups. If you ran a full backup on Saturday, an incremental backup on Monday will only store data added or changed since the full backup you performed on Saturday.

If you run another backup on Tuesday, the incremental backup will only impact data that has been added or changed since Monday’s incremental backup. Since only the most recent incremental changes are backed up, this process requires less storage space than a differential backup.

Incremental backups take less time to run than differential backups because each one copies only the changes since the previous backup, rather than everything changed since the last full backup. However, data restoration via incremental backups can take longer than with differential backups because you may have to process multiple backup files.

To run an incremental backup, your backup solution performs the following steps:

  • A user, program, or automatic schedule requests the backup.

  • An incremental backup file saves only the changes made since the last incremental backup.

  • The incremental backup file is stored in your designated location.
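The Saturday-to-Tuesday walkthrough in the two sections above, simulated end to end as an added example (this is not WinZip code and not part of the original article). Each day's file set is fingerprinted by content hash; the differential plan compares every later day against the full backup, while the incremental plan compares each day against the day before it. The restore functions then show the other half of the trade-off: a differential restore needs only the full backup plus the last differential, an incremental restore has to replay every increment in order. The daily snapshots and file contents are constructed assumptions.

```python
import hashlib


def fingerprint(snapshot):
    """Map each path to a SHA-256 of its content; a changed hash means it needs backing up."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


def changed_since(snapshot, baseline):
    """Files in snapshot that are new or whose content differs from the baseline."""
    base = fingerprint(baseline)
    return {
        path: data
        for path, data in snapshot.items()
        if base.get(path) != hashlib.sha256(data).hexdigest()
    }


def differential_plan(days):
    """days[0] is the full backup; each later set holds everything changed since days[0]."""
    full = dict(days[0])
    return full, [changed_since(day, full) for day in days[1:]]


def incremental_plan(days):
    """days[0] is the full backup; each later set holds only changes since the previous day."""
    full = dict(days[0])
    return full, [changed_since(days[i], days[i - 1]) for i in range(1, len(days))]


def restore_differential(full, diffs):
    """Restore = full backup overlaid with the LAST differential only."""
    restored = dict(full)
    if diffs:
        restored.update(diffs[-1])
    return restored


def restore_incremental(full, incs):
    """Restore = full backup with EVERY increment replayed in order."""
    restored = dict(full)
    for inc in incs:
        restored.update(inc)
    return restored


def backup_sizes(sets):
    """Bytes each backup set occupies, to show how storage grows per strategy."""
    return [sum(len(data) for data in s.values()) for s in sets]


# Constructed daily snapshots: Saturday (full), Monday, Tuesday, Wednesday.
DAYS = [
    {"a.txt": b"alpha v1", "b.txt": b"beta v1", "c.txt": b"gamma"},
    {"a.txt": b"alpha v2", "b.txt": b"beta v1", "c.txt": b"gamma"},                    # a changed
    {"a.txt": b"alpha v2", "b.txt": b"beta v2", "c.txt": b"gamma"},                    # b changed
    {"a.txt": b"alpha v2", "b.txt": b"beta v2", "c.txt": b"gamma", "d.txt": b"delta"}, # d added
]

if __name__ == "__main__":
    full, diffs = differential_plan(DAYS)
    _, incs = incremental_plan(DAYS)
    print("differential sets:", [sorted(s) for s in diffs], backup_sizes(diffs))
    print("incremental sets :", [sorted(s) for s in incs], backup_sizes(incs))
    print("restores match   :", restore_differential(full, diffs) == restore_incremental(full, incs))
```

The differential sizes climb each day because every set re-copies everything changed since Saturday, whereas the incremental sizes stay flat; the price is paid at restore time, where the incremental chain must be intact and applied in order, so losing any one increment leaves the restore incomplete.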

How to choose the right backup strategy

Defining a backup strategy starts by understanding your organization’s recovery point objective (RPO). Your RPO is the maximum amount of time that can pass since the last backup, and therefore the largest window of data loss, before that loss impacts your ability to continue normal business operations.

Factors that impact your RPO include:

  • Frequency of file updates. Your RPO should match the frequency of your file updates. This ensures you can retrieve your most up-to-date information with minimal data loss.

  • Business-critical elements. High-volume data, dynamic data, or data that is otherwise difficult to recreate demands the shortest RPO possible, such as an hour or less.

  • Regulatory compliance. Some industry regulatory standards may require organizations to maintain continuous data availability, which impacts the amount of data that can be lost without violating these standards following a disruptive event.

On average, operational downtime costs enterprise-level companies up to $700,000 per hour. To keep processes running, your organization should always maintain backups of important data. Your RPO will help you determine how often to perform these backups.

Most organizations use a combination of full, differential, and incremental backup methods to ensure comprehensive data protection. For example, you might run a monthly full backup, a weekly differential backup, and a daily or hourly incremental backup.

While it’s essential to have all data backed up, full backups are usually too resource-intensive to implement regularly. As such, many organizations only run full backups periodically, supplemented by more frequent incremental and differential backups.
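The differential-versus-incremental behaviour described above, and the combined full/differential/incremental schedule, as an added simulation (not WinZip's code): each backup captures only the files that differ from its baseline, and the restore chain is the last full backup, the last differential taken after it (if any), and every incremental after that. The file names, version numbers and three-day schedule are constructed sample data.

```python
"""Added example (not WinZip's code): simulate full, differential and incremental
backups over a changing file set; files are name -> version, deletions ignored."""
from dataclasses import dataclass, field

@dataclass
class Backup:
    day: str
    kind: str                                  # "full", "differential" or "incremental"
    files: dict = field(default_factory=dict)  # files captured: name -> version

def restore_chain(history):
    """Last full backup, last differential taken after it (if any), then everything later."""
    full_idx = max(i for i, b in enumerate(history) if b.kind == "full")
    diff_idx = max((i for i, b in enumerate(history)
                    if b.kind == "differential" and i > full_idx), default=full_idx)
    chain = [history[full_idx]]
    if diff_idx != full_idx:
        chain.append(history[diff_idx])
    return chain + history[diff_idx + 1:]

def restore(history):
    """Replay the restore chain in order; later backups overwrite earlier ones."""
    state = {}
    for b in restore_chain(history):
        state.update(b.files)
    return state

def run_backup(day, kind, current, history):
    """Capture only the files that differ from the baseline implied by `kind`."""
    if kind != "full" and not any(b.kind == "full" for b in history):
        raise ValueError("the first backup in a chain must be a full backup")
    if kind == "full":
        base = {}                              # no baseline: everything is captured
    elif kind == "differential":               # changes since the last FULL backup
        base = next(b.files for b in reversed(history) if b.kind == "full")
    else:                                      # incremental: since the last backup of ANY kind
        base = restore(history)
    changed = {n: v for n, v in current.items() if base.get(n) != v}
    history.append(Backup(day, kind, changed))
    return history[-1]

# Constructed sample data: three files, one of which changes each day.
DAYS = [("Sat", {"a": 1, "b": 1, "c": 1}), ("Mon", {"a": 2, "b": 1, "c": 1}),
        ("Tue", {"a": 2, "b": 2, "c": 1})]

def simulate(kinds):
    history = []
    for (day, files), kind in zip(DAYS, kinds):
        run_backup(day, kind, files, history)
    return history, len(restore_chain(history)), sum(len(b.files) for b in history)
```

Running `simulate(["full", "differential", "differential"])` needs two backups to restore Tuesday but stores six file copies, while `simulate(["full", "incremental", "incremental"])` stores five copies but needs all three backups, which is the storage-versus-restore-time trade-off the text describes.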

Enhance your backup strategy with WinZip Enterprise

WinZip Enterprise® is a comprehensive solution trusted by government agencies, healthcare organizations, and financial institutions to protect critical data via its advanced security features.

With automated backup capabilities, the WinZip Job Wizard allows you to set a specified schedule for running your backups. This frees you of the time-consuming task of backing up data manually so you can focus on more important things.

With WinZip Enterprise, backups are protected with 128- and 256-bit AES encryption, safeguarding your valuable data against loss or compromise. In addition to encrypting and backing up files, WinZip Enterprise maximizes your backup storage with its data compression capabilities.

You can use the Job Wizard to run full, incremental, and differential backups, as well as normal backups. These options enable you to design and execute a backup strategy that best suits your organization’s unique needs.

Learn more about the data backup features of WinZip Enterprise.

What Is Enterprise File Encryption and Why Do You Need It?

Cybersecurity threats are on the rise. According to a March 2021 Security Signals study, 83% of enterprises have experienced at least one firmware attack since 2019. Moreover, a Check Point cybersecurity report finds that ransomware attacks almost doubled in 2021 compared to 2020, largely due to the increase in remote work environments.

The size of your organization can also increase your risk. While organizations of any size are at risk, the more employees you have, the more chances there are for human error to occur.

At the enterprise level, your company is also at an increased risk of cybersecurity threats due to complex internal processes, interconnected systems, and multiple office locations.

With the growing threat from ransomware and data breaches, security professionals need to evaluate protocols and ensure measures are in place to protect critical data. In this article, we’ll explain what enterprise file encryption is, what it’s used for, and how it can help protect companies like yours from cybersecurity threats.

What is enterprise-level file encryption?

As the term suggests, file-based encryption protects data in files by making it inaccessible without a unique key. This is a more granular layer of protection than full-disk encryption, which works at the device level to prevent unauthorized access.

An enterprise file encryption strategy protects data across its lifecycle. This includes the following data states:

  • Data at rest. At-rest data is stored in a device or database and is not actively moving to other devices or networks.

  • Data in transit. Also known as data in motion, in-transit data is being transported to another location, whether it moves between devices, across networks, or within a company’s on-premises or cloud-based storage.

  • Data in use. Data that is in use is regularly accessed for operations such as processing, updating, and viewing the data.

Without encryption, each data state is vulnerable to theft and corruption due to unauthorized access.

Attackers often target data at rest because it’s easily accessible if proper protection controls are not in place. For example, an employee’s laptop can expose your data if the data stored on the device is not encrypted. If the laptop itself is stolen or lost, hard disk encryption keeps the data inaccessible even if a would-be attacker mounts the hard disk on another device.

Data in transit is susceptible to man-in-the-middle attacks, which intercept data on the way to its destination. For example, an attacker can access a network through an unsecured Wi-Fi router and capture or manipulate sensitive information.

Data in use is the most vulnerable state because it is directly accessed by one or more users. Without identity management tools, you are at an increased risk of an unauthorized individual trying to access the data.

Enterprise file encryption takes a comprehensive approach to data security, protecting all three states of your data, as well as data moving from one state to another.

The high costs of a data breach

Protecting sensitive data against cyber threats and data breaches is paramount. With today’s more distributed and remote workforces, enterprise organizations are frequently targeted in ransomware and firmware attacks.

Despite the risks, only 50% of organizations have a comprehensive encryption strategy in place. Another 37% have a limited encryption strategy, which means sensitive data could be at risk of unauthorized exposure.

Ransomware, data breaches, and other adverse cybersecurity events wreak havoc on an organization’s financial health. Research has found ransomware attacks average $4.62 million per event, and that doesn’t include the cost of the ransom itself. The other costs of ransomware are connected to the following:

  • Operational disruption and downtime. The cost of downtime following a ransomware event can be 50 times greater than the ransom demand. In 2020, the average ransom demand was $5,600, but the average cost of downtime was $274,200.

  • Recovery and rectification. Recovering from a ransomware attack cost organizations an average of $1.85 million in 2021, and it can take years to restore compromised data and systems.

  • Data loss. Even if you pay the ransom, you might not recover your data. For example, stolen data might be auctioned on the dark web whether or not the ransom was paid. In other cases, faulty decryption tools impact data recovery, and cybercriminals might not return stolen data after receiving the ransom money.

Like ransomware events, data breaches invoke a number of business and non-business costs. For the average $4.24 million security breach, the cost breaks down as follows:

  • Lost business revenue from system downtime, customer turnover, and reputational losses averages $1.59 million.

  • Detection and identification of the breach costs an average of $1.24 million.

  • Post-breach response efforts average $1.14 million.

  • Notifying regulatory agencies, key stakeholders, customers, and the general public of the data breach costs an average of $0.27 million.

How file encryption benefits your organization

File encryption gives companies like yours the ability to control user access and review system activity. Increasing visibility and control over organizational data can help reduce the risk of third-party and insider threats.

Access controls ensure that users have access to only what they need to do their job. Regular review of your user access controls can help you pinpoint insider threats, such as an employee who attempts to access data that is not relevant to their job role.

System activity monitoring gives you greater insight into data usage and access patterns. It can also enhance your overall security by identifying suspicious behaviors. For example, should an employee inadvertently let an attack in through a phishing scam, reviewing system activity will help IT admins quickly respond to and contain the threat.

An enterprise’s cybersecurity issues are not limited to its employees and internal systems; they extend to its third-party vendors. On average, a typical enterprise organization has around 5,800 third-party vendors. Each vendor that does not employ basic security controls can weaken your overall cybersecurity.

More than half of enterprise organizations have experienced a third-party data breach. Third-party data breaches are also more expensive: the average cost rises from $4.24 million per breach to $4.33 million per breach event.

Industry requirements and standards for file encryption

While file-level encryption is a good practice for overall data security, it may also be a requirement for your organization’s compliance with certain regulatory provisions.

Multiple industry and governmental regulations exist that specify how your data—including personally identifiable information (PII), protected health information (PHI), financial records, and other critical information—must be managed and protected.

Financial services industry requirements

The financial services industry is heavily regulated because of the high volume of sensitive customer information it collects. In fact, the financial sector is second only to healthcare when it comes to being targeted by malicious cyber activity.

Applicable regulations include the following:

  • Gramm-Leach-Bliley Act (GLBA). The GLBA requires encryption of customer information both at rest and in transit on external networks. This applies to all financial institutions, which includes companies that provide financial products or services.

  • Federal Financial Institutions Examination Council (FFIEC). FFIEC guidelines require encryption of data at rest when the company’s risk assessment indicates that encryption is necessary.

  • Payment Card Industry Data Security Standard (PCI DSS). PCI DSS identifies compliance requirements for any organization that handles cardholder data, including data encryption.

Healthcare Industry Requirements

Healthcare is heavily regulated to protect patients’ health and safety. To safeguard protected health information (PHI) against unauthorized disclosure, the Health Insurance Portability and Accountability Act (HIPAA) includes the following provisions:

  • Any company that transmits PHI is subject to HIPAA requirements. This includes, but is not limited to, health plans, healthcare clearinghouses, healthcare providers, and their business associates.

  • Covered organizations must document the physical, technical, and administrative security measures they use to prevent HIPAA violations.

  • They must conduct self-audits and risk assessments to identify potential data vulnerabilities.

  • PHI must be encrypted to NIST standards whether the data is at rest, in transit, or in use.

  • Data transmitted over an external network or stored off-site must be encrypted.

  • Access controls and user authentication are required when accessing, storing, and transmitting PHI using mobile devices.

Government Industry Requirements

Defense, military, and government industry regulations protect personal and sensitive information.

The US Federal Government requires non-military government agencies and government contractors to adhere to the Federal Information Processing Standards (FIPS):

  • Anyone who handles sensitive but unclassified (SBU) information is subject to FIPS compliance requirements.

  • FIPS security standards require rigorous testing to determine if a specific solution meets governmental regulatory requirements.

  • FIPS 140-2 is used to validate that a chosen encryption method meets the requirements necessary to protect SBU data.

The Federal Information Security Modernization Act (FISMA) compels federal agencies to implement information security practices that reduce the risk of unauthorized access and use of sensitive information:

  • Data systems must be encrypted to prevent the exploitation of potential vulnerabilities.

  • Federal organizations and government contractors identify implemented security policies in a system security plan.

  • Information systems and data are classified according to a range of risk levels.

  • Passwords and encryption keys must be changed regularly to maintain data security.

WinZip Enterprise enables enterprise file encryption

Enterprise-level organizations manage large data volumes across multiple storage repositories. WinZip® Enterprise is a powerful, customizable solution that helps you protect critical data against loss and compromise.

Offering a complete set of enterprise-grade tools, WinZip Enterprise is completely customizable. With centralized IT control, it’s easy to customize the user experience, remove unnecessary features, and set and enforce security policies across the organization.

WinZip Enterprise encrypts files using the Advanced Encryption Standard (AES), the algorithm used by governmental bodies to protect classified and sensitive information. In fact, it is the most widely used encryption algorithm for data protection. AES is an approved algorithm under FIPS 140-2, making it a valuable tool for industries subject to data security regulations.

Learn how WinZip Enterprise simplifies file encryption for enterprise organizations.

Copyright ©2023 Corel Corporation. All Rights Reserved. WinZip is a Registered Trademark of Corel Corporation