Encrypting Business Data: A Plain-English Guide
Encryption protects your data if devices are lost or stolen. Here's what encryption is, why it matters, and how to enable it on common business devices.
Every year, thousands of laptops are lost or stolen in Australia. Phones are left in taxis. USB drives fall out of pockets. In most cases, the physical device can be replaced relatively cheaply. But if that device contains unencrypted business data — customer records, financial information, staff details — the consequences can be severe: a mandatory data breach notification, significant reputational damage, and real harm to the people whose data was exposed. Encryption is the control that makes a lost device a minor inconvenience rather than a major incident.
What Is Encryption, Really?
Encryption is the process of scrambling data so that it's unreadable to anyone who doesn't have the correct key (usually a password or a cryptographic key stored on an authorised device). When encryption is working properly, even if someone physically has your hard drive or your phone, they see nothing but meaningless gibberish unless they can provide the correct credentials to decrypt it.
Think of it like a very sophisticated combination lock on every piece of data on your device. Someone can steal the box, but without the combination, they can't get to what's inside.
It's worth being clear about what encryption does and doesn't do. Encryption protects data at rest — when it's sitting on a device that's switched off or locked. It generally does not protect data in use — if someone is logged into your device and actively accessing files, or if malware is running with your credentials, encryption doesn't help. That's why encryption is one layer of protection, not a complete solution on its own.
Why Encryption Matters for Australian Businesses
The ACSC's Essential Eight framework includes encryption of storage devices as a key recommended control. But beyond best practice, encryption has direct legal relevance under Australian privacy law.
Under the Notifiable Data Breaches (NDB) scheme, a data breach only triggers mandatory notification if it's likely to result in serious harm to affected individuals. If a device containing customer data is lost but the data was encrypted and there's no reason to believe the encryption has been compromised, it's much less likely that the incident constitutes an "eligible data breach" requiring notification to the OAIC. Encryption can literally be the difference between a reportable breach and a non-event.
The OAIC has confirmed this in guidance: encryption of personal information is a key "reasonable step" under Australian Privacy Principle 11 for protecting personal information from misuse or unauthorised access.
How to Encrypt Your Devices
The good news is that modern operating systems have strong encryption built in — you just need to turn it on. Here's how to do it on the most common business platforms:
Windows Computers
Windows includes a built-in encryption tool called BitLocker, available on Windows Pro, Enterprise, and Education editions. To enable it:
- Search for "BitLocker" in the Start menu
- Select "Manage BitLocker"
- Click "Turn on BitLocker" for your system drive (usually C:)
- Follow the prompts to choose how to unlock the drive and where to save your recovery key
- Important: Store the recovery key somewhere safe that is not on the same device — a printed copy kept securely, or saved to a Microsoft account
If you're on Windows Home, BitLocker isn't available, but "Device Encryption" may be — check in Settings under Privacy & Security. Alternatively, a free third-party tool called VeraCrypt provides strong encryption for Windows Home users.
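If you look after more than a handful of Windows machines, the steps above can be checked and applied from an elevated PowerShell window. The script below is an added example, not part of this guide or of Microsoft's documentation; it assumes a Windows Pro, Enterprise or Education edition (which ships the BitLocker PowerShell module) and a TPM, and the commented-out Entra ID backup line is an assumption that only applies to devices joined to Microsoft Entra ID.

```powershell
# Added example: audit BitLocker on this PC, enable it on the system drive if needed,
# and surface the recovery password so it can be stored OFF the device.
# Run from an elevated (Administrator) PowerShell session on Windows Pro/Enterprise/Education.

# 1. Report the state of every fixed drive and flag anything that is not protected.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
foreach ($v in $volumes) {
    $state = if ($v.ProtectionStatus -eq 'On') { 'protected' } else { 'NOT PROTECTED' }
    '{0} ({1}): {2}, {3}% encrypted' -f $v.MountPoint, $v.VolumeType, $state, $v.EncryptionPercentage
}

# 2. Enable BitLocker on the system drive (usually C:) if protection is off.
$sys = $env:SystemDrive
$os  = Get-BitLockerVolume -MountPoint $sys
if ($os.ProtectionStatus -ne 'On') {
    # Create the recovery password first so a key exists before encryption starts.
    # XTS-AES-256 is the strongest method BitLocker offers for fixed drives.
    Enable-BitLocker -MountPoint $sys -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -SkipHardwareTest
    # Let the TPM unlock the drive at boot so users do not need a second password.
    Add-BitLockerKeyProtector -MountPoint $sys -TpmProtector | Out-Null
    Write-Output "BitLocker enabled on $sys; encryption continues in the background."
}

# 3. Print the recovery password(s). Record them somewhere that is not this device.
$recovery = (Get-BitLockerVolume -MountPoint $sys).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($p in $recovery) {
    'Recovery password (ID {0}): {1}' -f $p.KeyProtectorId, $p.RecoveryPassword
    # Assumed optional step for Entra ID-joined devices: escrow the key centrally.
    # BackupToAAD-BitLockerKeyProtector -MountPoint $sys -KeyProtectorId $p.KeyProtectorId
}
```

Re-running the script later is a quick way to confirm every fixed drive reports "protected" and that a recovery password protector still exists.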
Mac Computers
Macs use a built-in encryption system called FileVault. To enable it:
- Open System Settings (or System Preferences on older Macs)
- Navigate to Privacy & Security
- Scroll to FileVault and click "Turn On"
- Choose whether to use your iCloud account or a local recovery key to unlock the drive, and store the key securely
Note: On Macs with Apple Silicon (M1 and later chips), data encryption is enabled by default and hardware-enforced. If you have a recent Mac, you're likely already protected — but enabling FileVault adds an additional layer of protection for the recovery key.
iPhones and iPads
iOS devices encrypt data by default as soon as you set a passcode. Make sure all business iPhones and iPads have a passcode (or Face ID / Touch ID) enabled, and make sure the passcode is strong (at minimum six digits; an alphanumeric passcode is stronger). This is all you need to do.
Android Devices
Most modern Android devices (Android 6.0 and later) encrypt data by default. To verify, go to Settings > Security and look for "Encryption" or "Encrypt phone." If your device isn't encrypted, follow the prompts to enable it. As with iOS, ensure a strong screen lock is set — encryption is only as useful as the lock protecting access to the device.
Encrypting Specific Files and Folders
Sometimes you want to encrypt specific sensitive files rather than (or in addition to) whole-device encryption. Options include:
- Microsoft Office: Word, Excel, and other Office files can be password-protected (File > Info > Protect Document). This uses AES encryption when a password is set.
- PDF files: Adobe Acrobat and many free PDF tools allow you to encrypt and password-protect PDFs before sharing.
- 7-Zip: This free archiving tool can create AES-256 encrypted zip archives — useful for protecting files before sending them via email.
- VeraCrypt: For creating encrypted containers or encrypted volumes on any drive — excellent for USB drives containing sensitive data.
Encrypting USB Drives and External Storage
USB drives are a major risk — they're easy to lose and often contain sensitive files. Never store sensitive business data on an unencrypted USB drive. Options include:
- BitLocker to Go (Windows): Right-click a USB drive in File Explorer and select "Turn on BitLocker"
- VeraCrypt: Create an encrypted container on the drive
- Hardware-encrypted USB drives: Available from vendors like Kingston or Apricorn — these have encryption built into the device hardware and are very convenient for regular use
For most small businesses, the simplest rule is: if it's sensitive, it doesn't go on a USB drive. Use secure cloud storage instead.
What Encryption Doesn't Protect You From
It's worth being clear about the limits of encryption so you're not over-relying on it:
- It doesn't protect against someone who is already logged into your device
- It doesn't stop malware that runs with your account's permissions
- It doesn't protect data that's been exfiltrated to an attacker's server
- It doesn't protect data stored in unencrypted cloud services
Encryption is a critical layer of your security, but it needs to work alongside strong passwords, MFA, regular updates, and good security practices.
Key Takeaways
- Encryption scrambles data so it's unreadable without the correct credentials — protecting you if a device is lost or stolen.
- Under the Notifiable Data Breaches scheme, encrypting devices can mean a lost device does not constitute an eligible (notifiable) data breach.
- Windows: enable BitLocker. Mac: enable FileVault. iOS: set a passcode. Android: verify encryption is enabled.
- Never store sensitive data on an unencrypted USB drive — use BitLocker to Go, VeraCrypt, or a hardware-encrypted drive.
- Store recovery keys securely but separately from the device they protect.
- Encryption is one layer — it works alongside, not instead of, strong passwords, MFA, and other security controls.
Want to know whether your business devices and data are adequately protected? The free assessment at flagged.com.au covers encryption and a range of other key security controls, and gives you a personalised action plan to address any gaps.