The Encryption Checklist Most Companies Get Half Right

April 6, 2026

Encryption is one of those security controls that everyone thinks they have handled. Most companies are half right.

They encrypt their website traffic. They check the "enable encryption" box in their cloud provider. And they assume the job is done. It is not. Encryption has six checkpoints, and the ones that get skipped are the ones that cause breaches, compliance findings, and breach notification obligations.

Here is the complete checklist. Six places encryption must exist. Check each one this week.

Data in transit: external connections

This is data moving between your systems and the outside world. The standard is TLS 1.2 or higher for all external connections, with TLS 1.0 and 1.1 disabled. Go to ssllabs.com/ssltest and enter your domain. It grades your configuration from A+ down to F, and any host that still accepts TLS 1.0 or 1.1 is capped at B. If you are below an A, the report tells you exactly what to fix: outdated cipher suites, protocol versions, certificate chain issues.

Most companies pass this one because modern web frameworks and load balancers enforce TLS by default. But check your API endpoints separately. Your website might have an A rating while your API is serving data over an outdated protocol because nobody tested it independently. SSL Labs can only reach hosts on the public internet; for API hosts behind an allow-list, and for anything internal, run testssl.sh or openssl s_client against the host directly.

Data in transit: internal connections

This is where most companies fail. External traffic is encrypted. Internal service-to-service communication is not. Your web server talks to your application server which talks to your database. If that traffic is unencrypted, an attacker who gains access to your internal network can intercept it.

The assumption is that internal traffic is safe because it is "inside the perimeter." That assumption ignores every lateral movement attack in the last decade. Once an attacker is inside your network, unencrypted internal traffic is an open book.

Check whether your internal services communicate over TLS. Check whether your database connections require encrypted transport on the server side rather than merely allowing it. Check whether clients verify the server certificate instead of only encrypting (in PostgreSQL terms, sslmode=verify-full, not require, which encrypts without checking who is on the other end). Check whether your microservices use mutual TLS (mTLS) for service-to-service authentication.
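The database check above is a configuration question, and the answer is in the server's client-authentication rules. The script below is an added example, not code from the article: it parses a PostgreSQL pg_hba.conf (standard layout TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]) and flags every rule that can still admit a plaintext TCP session. The key point it encodes is that a `host` rule matches both TLS and non-TLS connections, so "require encrypted transport" means `hostssl` (or `hostgssenc`), not `host`. The sample file is constructed for the demonstration.

```python
"""Flag pg_hba.conf rules that let clients reach PostgreSQL over plaintext TCP.

Added example, not from the article. Assumes the standard pg_hba.conf layout
(TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]).
"""
from dataclasses import dataclass, field

# Connection types that only ever match an encrypted session.
ENCRYPTED_TYPES = {"hostssl", "hostgssenc"}
# Connection types that match plaintext TCP sessions (alone, or as well as encrypted ones).
PLAINTEXT_TYPES = {"host", "hostnossl", "hostnogssenc"}
AUTH_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "pam", "ldap", "radius", "cert", "bsd",
}

# Constructed sample file for the demonstration; not taken from any real deployment.
SAMPLE_PG_HBA = """\
# TYPE      DATABASE  USER       ADDRESS          METHOD
local       all       all                         peer
hostssl     all       app        10.0.0.0/8       scram-sha-256
host        all       all        10.0.0.0/8       md5            # matches non-TLS too
hostnossl   all       reporting  10.20.0.0/16     trust
host        all       all        127.0.0.1/32     scram-sha-256
host        all       all        0.0.0.0/0        reject
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    reasons: list = field(default_factory=list)


def _auth_method(fields):
    """The auth method is the first field after ADDRESS (and optional NETMASK) that is a known method."""
    for token in fields[3:]:
        if token in AUTH_METHODS:
            return token
    return None


def audit_pg_hba(text):
    """Return a Finding for every rule that can admit a plaintext session."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local" or conn_type in ENCRYPTED_TYPES:
            continue                             # Unix socket, or encrypted-only rule
        if conn_type not in PLAINTEXT_TYPES:
            continue                             # unknown type: leave it for a human
        method = _auth_method(fields)
        if method == "reject":
            continue                             # rejecting plaintext clients is the goal
        reasons = []
        if conn_type == "host":
            reasons.append("'host' matches TLS and plaintext sessions; use 'hostssl'")
        else:
            reasons.append(f"'{conn_type}' matches only unencrypted sessions")
        if method == "trust":
            reasons.append("'trust' skips authentication entirely")
        if method == "password":
            reasons.append("'password' sends the password in cleartext")
        findings.append(Finding(line_no, line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no}: {f.rule}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it against `/etc/postgresql/*/main/pg_hba.conf` (or wherever your distribution keeps it) and expect an empty result. A clean pg_hba.conf is only half of the server side: `ssl = on` in postgresql.conf must also be set, and clients must connect with `sslmode=verify-full` so that they refuse a downgraded or impersonated server rather than silently falling back.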

Data at rest: databases and storage

This is data sitting in your databases, file storage, and object storage (S3 buckets, Azure Blob, GCP Cloud Storage). Object storage on the major clouds is now encrypted by default with provider-managed keys, but do not extend that assumption to everything else: on AWS, an EBS volume or RDS instance created without the encryption option stays unencrypted, and RDS encryption cannot be switched on in place afterwards (the fix is a snapshot, an encrypted copy of that snapshot, and a restore). "Encryption available" is not "encryption enabled", and a provider-managed default key is not the same as a customer-managed key whose policy you control.

Log into your cloud console. Check every database instance. Check every storage bucket. Verify that encryption is enabled and that the encryption keys are managed through a proper key management service, not hardcoded in configuration files.

A common gap: the production database is encrypted, but the staging or development database is not. If your staging environment contains copies of real customer data (which it should not, but often does), that unencrypted staging database is a breach waiting to happen.

Data at rest: backups

Your production database is encrypted. Are your backups? Backups are frequently stored in separate systems, separate accounts, or separate regions. Each backup location needs its own encryption verification.

A backup that contains your entire customer database in unencrypted form is not a backup strategy. It is a liability stored in a location with weaker access controls than your production environment.

Check your backup encryption. Check your backup access controls. If someone compromises your backup storage, can they read the data? If the answer is yes, fix it this week.
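The storage and backup checks above are the same question asked of four AWS APIs, so here is one script for both sections. It is an added example, not code from the article or from AWS: the audit functions accept any object with the boto3 client methods they call, so the block runs offline against the constructed fake responses embedded below; `main()` wires up real boto3 clients (read-only permissions assumed: rds:Describe*, ec2:DescribeVolumes, s3:ListAllMyBuckets, s3:GetEncryptionConfiguration). RDS snapshots are the backups here; they inherit the encryption state of the instance they came from, which is why an unencrypted staging database produces unencrypted backups.

```python
"""Audit AWS encryption at rest for RDS instances, RDS snapshots, EBS volumes and S3 buckets.

Added example, not from the article. The describe_* calls are unpaginated for
brevity; use client.get_paginator(...) in accounts with more than 100 resources.
"""
import sys


def unencrypted_rds_instances(rds):
    """Identifiers of RDS instances whose storage is not encrypted."""
    resp = rds.describe_db_instances()
    return sorted(db["DBInstanceIdentifier"] for db in resp["DBInstances"]
                  if not db.get("StorageEncrypted"))


def unencrypted_rds_snapshots(rds):
    """Snapshots (the backups) that anyone with access to the snapshot can read without a KMS key."""
    resp = rds.describe_db_snapshots()
    return sorted(s["DBSnapshotIdentifier"] for s in resp["DBSnapshots"]
                  if not s.get("Encrypted"))


def unencrypted_ebs_volumes(ec2):
    """EBS volumes created without the encryption option."""
    resp = ec2.describe_volumes()
    return sorted(v["VolumeId"] for v in resp["Volumes"] if not v.get("Encrypted"))


def s3_default_encryption(s3):
    """Map bucket name -> SSE algorithm of its default-encryption rule, or None.
    S3 has applied SSE-S3 (AES256) to every bucket since January 2023, so the
    finding of interest is usually a bucket that is not on a customer-managed KMS key."""
    result = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            cfg = s3.get_bucket_encryption(Bucket=name)
        except Exception as exc:  # botocore's ClientError carries the error code in its message
            if "ServerSideEncryptionConfigurationNotFoundError" not in str(exc):
                raise
            result[name] = None
            continue
        rule = cfg["ServerSideEncryptionConfiguration"]["Rules"][0]
        result[name] = rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    return result


def audit(rds, ec2, s3):
    """Collect every gap into one report keyed by checkpoint."""
    buckets = s3_default_encryption(s3)
    return {
        "rds_instances": unencrypted_rds_instances(rds),
        "rds_snapshots": unencrypted_rds_snapshots(rds),
        "ebs_volumes": unencrypted_ebs_volumes(ec2),
        "s3_not_kms": sorted(n for n, algo in buckets.items() if algo != "aws:kms"),
    }


# --- Constructed fake clients returning the shapes boto3 returns (sample data only) ---
class FakeRDS:
    def describe_db_instances(self):
        return {"DBInstances": [
            {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True},
            {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": False},
        ]}

    def describe_db_snapshots(self):
        return {"DBSnapshots": [
            {"DBSnapshotIdentifier": "prod-db-2026-04-05", "Encrypted": True},
            {"DBSnapshotIdentifier": "staging-db-2026-04-05", "Encrypted": False},
        ]}


class FakeEC2:
    def describe_volumes(self):
        return {"Volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True},
                            {"VolumeId": "vol-0bbb", "Encrypted": False}]}


class FakeS3:
    def list_buckets(self):
        return {"Buckets": [{"Name": "prod-data"}, {"Name": "logs-archive"},
                            {"Name": "legacy-exports"}]}

    def get_bucket_encryption(self, Bucket):
        if Bucket == "legacy-exports":
            raise Exception("An error occurred (ServerSideEncryptionConfigurationNotFoundError) "
                            "when calling the GetBucketEncryption operation")
        algo = "aws:kms" if Bucket == "prod-data" else "AES256"
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}]}}


def demo():
    """Run the audit against the constructed fakes."""
    return audit(FakeRDS(), FakeEC2(), FakeS3())


def main():
    import boto3  # only needed for a live account; credentials come from the usual boto3 chain
    return audit(boto3.client("rds"), boto3.client("ec2"), boto3.client("s3"))


if __name__ == "__main__":
    report = main() if "--live" in sys.argv else demo()
    for checkpoint, gaps in report.items():
        print(f"{checkpoint}: {gaps or 'no gaps'}")
```

Run with `--live` and the default region of your credentials to audit a real account, once per region. The report treats a bucket on SSE-S3 as a gap because the article's control is key management, not just encryption: with a customer-managed KMS key, reading the data also requires a grant under the key policy, which is the access-control layer that separately stored backups usually lack.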

Data on endpoints: laptops, phones, and tablets

Every company-managed device should have full disk encryption enabled. On Mac, this is FileVault. On Windows, this is BitLocker. On mobile devices, this is typically enabled by default on modern iOS and Android devices, but verify through your MDM (mobile device management) platform.

Full disk encryption means that if a laptop is stolen, lost, or decommissioned without being wiped, the data on the drive is unreadable without the encryption key. Without it, a stolen laptop is an instant data breach.

Check your MDM console or endpoint management tool. Pull a report of all managed devices. Verify that 100% have full disk encryption enabled. If any do not, remediate immediately. This is one of the easiest compliance wins and one of the most common audit findings when it is missing.

Data in email and file sharing

This is the checkpoint that almost everyone misses. Your team sends sensitive documents via email every day. Those attachments sit in multiple mailboxes, in sent folders, in archives, on mail servers, and in the recipient's environment. None of that is encrypted at the document level.

Solutions range from simple (enable Microsoft 365 message encryption or Google Workspace confidential mode) to comprehensive (deploy Microsoft Purview Information Protection labels that encrypt documents automatically based on sensitivity classification).

The minimum viable approach: identify the types of documents that contain sensitive data (financial reports, customer lists, employee records, contracts with PII) and implement a policy for how those specific document types are shared. Encrypted email, secure file sharing links with expiration dates, or an enterprise file sharing platform with access controls.

Why this matters beyond security

Under the HIPAA Breach Notification Rule and most US state breach notification laws, compromised data that was encrypted does not trigger notification, provided the key was not compromised along with it and the encryption meets the regulator's standard (for HIPAA, the HHS guidance on rendering PHI unusable, unreadable, or indecipherable). Unencrypted data does. GDPR is narrower: Article 34(3)(a) lifts the duty to notify affected individuals when the data was encrypted, but the supervisory authority must still be notified under Article 33. That distinction alone can mean the difference between a contained security incident and a public breach notification that costs your company millions in remediation, legal fees, and reputation damage.

SOC 2's Trust Services Criteria expect encryption of data at rest and in transit (CC6.1 and CC6.7). ISO 27001:2022 Annex A control 8.24, use of cryptography, specifically addresses encryption. HIPAA's Security Rule lists encryption of ePHI at rest and in transit as an addressable implementation specification: if you do not encrypt, you must document why and what equivalent protection you use instead. PCI DSS requires stored cardholder data to be rendered unreadable (Requirement 3) and strong cryptography for cardholder data sent over open, public networks (Requirement 4).

Run the checklist this week: external traffic, internal traffic, databases and storage, backups, endpoints, and email. Six checkpoints. The ones you skip are the ones that create compliance findings, breach notification obligations, and attack vectors that did not need to exist.

If you found gaps doing this exercise, that is actually good news. You found them before an auditor or an attacker did.

Ready to close the gaps?

Encryption gaps are one of the most common findings in our assessments. We identify and close them as part of every engagement. Risk assessment, remediation, and certification in 90 days. 100% first-attempt audit pass rate.