CIS IG1 Control 3.6: Encrypt Data on End User Devices—Because Lost Doesn’t Have to Mean Exposed

by Heath Gieson

As we continue our weekly journey through the CIS IG1 controls, each safeguard builds on the operational foundations we’ve been establishing from the very beginning of this series. Our early controls focused on visibility—knowing what assets exist, which ones belong in your environment, and how to keep them accounted for. That foundation isn’t just theoretical; it’s what makes the next set of controls actually work in real‑world operations.

Today, we shift deeper into protecting the data living on those assets. Control 3.6—encrypting data on end‑user devices—may seem straightforward at first glance, but like every safeguard in IG1, its strength lies in how well it’s operationalized. Encryption isn’t just flipping a setting; it’s part of a larger, repeatable process that keeps your organization resilient. And as our editorial plan continues rolling through all 56 IG1 controls, this one plays a critical role in strengthening the confidentiality pillar of your cyber hygiene baseline.

Why Encryption Matters (Beyond the Obvious)

1. Protection Against Physical Loss and Theft

A missing laptop or stolen phone shouldn’t escalate into a data breach. Whole‑disk encryption ensures attackers get hardware—nothing more.

2. Defense Against Unauthorized Access

Temporary or unauthorized access to a device shouldn’t ever lead to data exposure. Encryption ensures that even when someone gains physical access, the data remains inaccessible.

3. Resilience Against OS‑Level and Firmware‑Level Attacks

Attackers frequently attempt offline methods—alternate boot environments, direct disk access, or firmware tampering. Encryption cripples those attempts.

4. A Safety Net for Improper Decommissioning

Many organizations have aging, forgotten, or improperly wiped devices. Encryption dramatically reduces the risk that data on such devices can ever be recovered.

5. Compliance and Customer Expectations

Your clients expect their data—and yours—to be encrypted everywhere it lives, including endpoints.


What Devices Need to Be Encrypted? (Hint: All of Them)

As earlier controls made clear, if it stores or processes data, it must appear in your asset inventory—and that means it must be protected.

That includes:

  • Laptops & desktops (BitLocker®, FileVault®, Linux® dm‑crypt)
  • Mobile phones
  • Tablets
  • OT devices (if capable)
  • IoT devices storing credentials, logs, or configs
  • POS systems, scanners, and other specialized endpoints

Shadow devices—whether employee‑owned or forgotten operational equipment—are still endpoints, still store data, and still require protection.


Managing Data on Non‑Company‑Owned Devices (BYOD)

To support personal devices securely, encryption cannot be the entire story. This is where Mobile Application Management (MAM) comes in. Using Microsoft Intune, you can:

  • Enforce encryption for corporate data only
  • Separate personal data from corporate
  • Selectively wipe enterprise data without touching personal content
  • Require endpoint protections like PIN, biometrics, or compliant OS versions
  • Restrict copy/paste, screenshots, and unapproved app usage

This approach enables BYOD without legal, cultural, or privacy friction.


Encryption Is Only as Good as Its Key Management

The often‑ignored part of encryption is the operational reality that keys—not software—determine whether encryption actually protects anything.

Best Practices for Key Management

  • Centralize key escrow using Intune, AD, or your MDM/MAM platform
  • Apply strict RBAC & auditing for key access
  • Automate key rotation & device enrollment escrow
  • Balance accessibility with security, preventing social engineering risks
  • Integrate recovery keys into your asset inventory process, aligning with earlier controls

If the keys are unprotected, untracked, or inaccessible, the encryption might as well not exist at all.


Operationalizing Encryption (the Right Way)

Consistent with the themes of our IG1 series, consistency, effectiveness, and efficiency form the foundation of a repeatable process.

Your operational workflow should:

  1. Require encryption for all devices storing or processing sensitive data
  2. Automate enforcement through endpoint management tools
  3. Verify encryption status during onboarding, throughout the lifecycle, and at decommissioning
  4. Store recovery keys centrally in secure, auditable systems
  5. Extend security to BYOD using MAM/Intune
  6. Document these processes and apply them consistently across all teams
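The key‑management practices and the workflow steps above (verify status, escrow recovery keys centrally, automate enforcement) can be folded into a single device‑side check. The script below is an added example, not part of the original post or any vendor's own code; it assumes a Windows 10/11 device joined to Entra ID (so BitLocker recovery keys can be escrowed to the tenant) and is shaped to run as an Intune remediation script with administrator rights.

```powershell
# Added example (not from the original post): audit BitLocker on the OS drive,
# make sure a recovery password protector exists, and escrow it to Entra ID.
# Assumes a Windows 10/11 device that is Entra-joined (cloud or hybrid) so that
# BackupToAAD-BitLockerKeyProtector can reach the tenant. Run as administrator.
# Exit code 1 means "non-compliant" so an Intune remediation can act on it.

$mount = $env:SystemDrive   # usually "C:"
$vol = Get-BitLockerVolume -MountPoint $mount

# 1. Is the drive fully encrypted AND actively protecting data right now?
#    (A drive can be encrypted with protection suspended, which is not good enough.)
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    Write-Output "NONCOMPLIANT: $mount status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus)"
    exit 1
}

# 2. Is there a recovery password protector that can be escrowed? Add one if missing.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $mount
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Escrow every recovery password to the tenant (the central, auditable key store).
#    Re-escrowing an already backed-up protector is harmless, so this is idempotent.
foreach ($p in $rp) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output "Escrowed recovery protector $($p.KeyProtectorId) for $mount"
    }
    catch {
        Write-Output "NONCOMPLIANT: escrow failed for $($p.KeyProtectorId): $($_.Exception.Message)"
        exit 1
    }
}

Write-Output "COMPLIANT: $mount encrypted, protection on, recovery key escrowed"
exit 0
```

Pair the device‑side result with a tenant‑side report of which devices actually have a recovery key stored, so compliance is not judged on the endpoint's own say‑so and the escrowed keys can be reconciled against the asset inventory from the earlier controls.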


Device encryption is one of those safeguards that delivers enormous value for surprisingly little effort—when managed correctly. As we’ve seen throughout the IG1 series, security isn’t about throwing technology at a problem; it’s about putting operational processes in place to make that technology effective, consistent, and sustainable. That’s the heartbeat of our entire editorial effort and the direction defined in the IG1 content roadmap.