Encrypting Data at Rest and in Transit in a Practical Way for an Irish SME
When a laptop belonging to a solicitor in a Letterkenny firm was stolen from a car in a car park in 2024, the Data Protection Commission was notified. The commission asked one specific question first: was the hard drive encrypted? The answer was yes — the firm had enabled BitLocker on all laptops as part of a security review 18 months earlier. The DPC closed the investigation without further action.
In an identical incident at a different firm the same year — same theft, same type of data on the device, same car park scenario — the answer to the same question was no. That investigation continued.
Encryption converts a lost or stolen device from a data breach into a recoverable operational inconvenience.
What Encryption Actually Does
Encryption transforms data into a form that is unreadable without the correct key. A laptop with an encrypted hard drive, stolen and powered off, contains data that is mathematically inaccessible to anyone without the decryption key — which is typically derived from the user's login credentials. The thief who removes the drive and attempts to read it directly finds nothing useful.
Encryption does not protect against attacks on a running, logged-in system — it protects against physical access to the storage medium after it is powered off or when the user is not authenticated.
What Is Probably Already Encrypted
For Irish SMEs using modern platforms, significant encryption is already in place by default.
Microsoft 365 and Google Workspace encrypt data at rest in their cloud infrastructure and in transit between your devices and their services. You do not need to configure this — it is the default state of both platforms.
Modern smartphones — both iOS and Android — enable storage encryption by default when a PIN or biometric lock is configured. A PIN-protected iPhone or Android device is encrypted. An unprotected device is not.
Most modern cloud services — cloud accounting platforms, CRM systems, cloud backup services — provide encryption at rest and in transit as a baseline.
What Typically Needs Attention
Laptop and desktop hard drive encryption. Windows devices support BitLocker, which encrypts the entire hard drive. On Windows 10 and 11 Professional and Enterprise, BitLocker can be centrally managed through Microsoft Intune or Group Policy. On Windows 11 Home, Device Encryption may be available but requires specific hardware. macOS supports FileVault, which provides equivalent protection.
For most Irish SMEs, the gap is not that encryption is unavailable — it is that it has not been enabled on existing devices. A company with twenty laptops, some of which predate the IT provider's current management scope, may have a mixed state where some are encrypted and some are not.
Ask your IT provider for a BitLocker compliance report. The report will show which devices are encrypted and which are not. Close the gap.
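The per-device check behind such a report can be sketched in PowerShell. This is an added example, not taken from the original article or from any provider's tooling. It uses the built-in `Get-BitLockerVolume` cmdlet; the function name `Get-DiskEncryptionRecord` and the CSV output path are hypothetical.

```powershell
# Added example (not from the original article): per-device BitLocker status.
# Run from an elevated PowerShell session; Get-BitLockerVolume needs admin rights.

function Get-DiskEncryptionRecord {   # hypothetical helper name
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types on this volume, e.g. Tpm, TpmPin, RecoveryPassword
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # "Encrypted" alone is not enough: when protection is suspended (Off),
        # the volume key is readable from the disk without any credential.
        $encrypted = "$($vol.VolumeStatus)" -eq 'FullyEncrypted'
        $protected = "$($vol.ProtectionStatus)" -eq 'On'

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType
            VolumeStatus   = $vol.VolumeStatus
            Protection     = $vol.ProtectionStatus
            Method         = $vol.EncryptionMethod
            PercentDone    = $vol.EncryptionPercentage
            KeyProtectors  = $protectors -join ','
            HasRecoveryKey = $protectors -contains 'RecoveryPassword'
            Compliant      = $encrypted -and $protected -and ($protectors.Count -gt 0)
        }
    }
}

$report = @(Get-DiskEncryptionRecord)
$report | Format-Table Computer, MountPoint, VolumeStatus, Protection, Compliant -AutoSize

# Hypothetical output path; point it at wherever reports are collected.
$report | Export-Csv -Path "$env:TEMP\bitlocker-status.csv" -NoTypeInformation

# Call out every volume that would not count as protected if the device were lost.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.Computer) $($_.MountPoint): $($_.VolumeStatus), protection $($_.Protection)"
}
```

A volume that reports `FullyEncrypted` with protection `Off` is the case a simple "is BitLocker on?" check misses, so the `Compliant` column requires both.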
USB drives and portable storage. External hard drives and USB drives used to store or transfer business data are frequently unencrypted. An encrypted USB drive — Kingston IronKey or similar — requires a PIN before data can be accessed, protecting the contents if the drive is lost.
Where possible, the preferred approach is to eliminate the need for USB drives entirely by using managed cloud storage for data transfer. Where USB drives are genuinely necessary, use encrypted hardware.
Email with sensitive attachments. Standard email is not encrypted at rest in most environments — it is encrypted in transit (via TLS) but sits in the mailbox in plaintext. For particularly sensitive documents — client medical records, legal files, financial statements — consider encrypted email or the SharePoint/OneDrive link approach described in the file sharing post, which provides access control rather than relying on mailbox security.
Do you know the encryption status of every laptop in your business? Ask your IT provider for a BitLocker report. The answer may be mixed — and the unencrypted devices represent a specific, quantifiable risk. Book a free 20-minute strategy call — encryption configuration review is a standard part of our SME security assessments.
The GDPR and Regulatory Context
The Data Protection Commission specifically considers encryption when investigating data breaches involving lost or stolen devices. Article 32 of GDPR lists encryption as an example of an appropriate technical measure for protecting personal data [^1]. While GDPR does not mandate encryption in all circumstances, a business that cannot demonstrate it took reasonable steps — of which encryption is the most obvious for device security — has a weaker position in a DPC investigation.
NCSC Ireland's guidance on protecting sensitive data specifically recommends encryption at rest for devices holding personal data.
What Next
Request a BitLocker compliance report from your IT provider this week. Which devices are encrypted? Which are not? The unencrypted devices are your action list.
Enable BitLocker on all laptops that access business data. For Microsoft 365 Business Premium customers, this can be managed and enforced through Intune.
Replace any plain USB drives used for business data transfer with encrypted hardware alternatives — or better, stop using USB drives for this purpose entirely and use SharePoint sharing links instead.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call at www.pragmaticsecurity.ie/book-a-call.
Related Reading
- Data Classification: Deciding What Is Public, Internal, Confidential or Sensitive
- Safe File Sharing With Customers and Partners
- Securing Mobile Devices: Phones and Tablets as a Major Entry Point
[^1]: Data Protection Commission Ireland — GDPR Article 32
[^2]: NCSC Ireland — Encryption Guidance
[^3]: An Garda Síochána — National Cyber Crime Bureau
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.