Over here in the UK there has been a lot in the papers recently about data losses by some of the key government agencies, such as HMRC, as well as businesses such as Skipton Building Society, and much of that data was not encrypted. As you will know, there has been much public outcry, and quite rightly so, but do we have any room to talk?
The fact is that almost every business today owns at least one notebook computer, and typically it will be taken out to meet clients, to work from home and so on. On that notebook there will typically be a great deal of data about your own business or possibly about your clients, so do you encrypt your data? The answer is almost certainly no, so how on earth can we complain when other organisations do the same? I understand that these organisations should know better, as they have much larger budgets to bring in people who should be telling them this, but the fact of the matter is that very few businesses do this themselves.
Recent figures show that the public is 80% more cautious with their personal data than before the HMRC data loss, which is a positive move for security. You may think that the data on your notebook is of no value to anyone else, but let's just assume for one minute that you lose your notebook and you have the following on it:
- The payroll figures, as you needed to work on them tonight
- You also have the sales figures for your clients
- Details of a new proposal for a potential client
- Documentation regarding a client's site(s), not including passwords
So what is the value of this to anyone else?
- The payroll data would be invaluable to a headhunter, for example. If you had a member of staff with some very coveted knowledge, the headhunter would know where to start with pay offers.
- If the payroll figures included home addresses of employees, this would also be of interest to criminals for identity theft.
- Sales figures would be of great interest to your competition, as they would be able to ascertain not only the financial value of your own company month in, month out, but also the value of each of your clients each month.
- Details of a new proposal would again be of interest to your competition, as they would then know what you are proposing and, more importantly, what you are planning to charge for this fantastic service. If the proposal is for an IT system, it may also be of use to a potential hacker, as it may provide information about internal systems or security.
- Documentation regarding a client's site would almost certainly hold value to a potential intruder if it was technology documentation, as it would provide valuable insight into what internal systems they had. If it related to equipment such as phones or plant machinery, then again it would have value to competitors or companies in that field.
The fact of the matter is that whatever data you have will be of use to someone, and simply putting a password on Windows is just not going to cut it. Anyone who boots the notebook off a CD such as UBCD4WIN doesn't even need to crack the Windows password; the CD will let them access the data on the hard disk and transfer it off. With the price of notebooks so low now (from £299), the data is often worth many times the value of the notebook.
So what can you really do to stop this? Quite simply, encrypt the data. This can be done in a number of ways.
- You can use Windows XP EFS (Encrypting File System) to encrypt data and lock it to the individual user account. This means that anyone who is not logged in with the user account that encrypted the files will not be able to access the data.
- There is also BitLocker Drive Encryption, which is available in Windows Vista (Enterprise and Ultimate) and Windows Server 2008. This system uses full disk encryption to encrypt an entire volume rather than individual files. It requires an area of the disk to be created as a BitLocker volume.
- There are also a host of third-party applications which will either encrypt individual files or create PSDs (Personal Secure Drives). A PSD is essentially an encrypted file on your hard disk that is mounted as a volume (drive letter) so that you can save your files to it. While it is mounted it is unsecured, but once it is dismounted or the system is shut down it becomes encrypted again.
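To check which of the first two options is actually protecting a notebook, the following audit script counts files in a data folder that do not carry the EFS "Encrypted" attribute and then reports BitLocker status per volume. It is an added example, not part of the original post; the `$DataRoot` default is an assumed location, and it assumes PowerShell 3 or later on a newer Windows release than the ones named above, since the `Get-BitLockerVolume` cmdlet does not exist on XP or Vista.

```powershell
# Added example: audit a notebook for data that is stored unencrypted.
# $DataRoot is an assumed path; point it at wherever working data is kept.
param([string]$DataRoot = "$env:USERPROFILE\Documents")

$efs = [System.IO.FileAttributes]::Encrypted

# 1. EFS: files encrypted to a user account carry the Encrypted attribute.
#    Anything without it is readable by whoever boots the disk from other media,
#    unless the whole volume is protected by full disk encryption (step 2).
$files = @(Get-ChildItem -Path $DataRoot -Recurse -File -Force -ErrorAction SilentlyContinue)
$plain = @($files | Where-Object { -not $_.Attributes.HasFlag($efs) })

"{0} of {1} files under {2} are not EFS-encrypted" -f $plain.Count, $files.Count, $DataRoot
$plain | Select-Object -First 20 -ExpandProperty FullName

# 2. BitLocker: full disk encryption is reported per volume, not per file.
#    The query needs an elevated prompt.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    try {
        Get-BitLockerVolume -ErrorAction Stop |
            Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage |
            Format-Table -AutoSize
    } catch {
        Write-Warning "Could not query BitLocker (run elevated): $($_.Exception.Message)"
    }
} else {
    Write-Warning "Get-BitLockerVolume is not available on this system."
}
```

A file listed in step 1 is only a concern if step 2 also shows its volume as unprotected; files inside a mounted third-party container will likewise show as unencrypted here, because the encryption happens below the file system.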
One such package that I have found to be very good for this particular task is TrueCrypt, an open source package for on-the-fly encryption. While you can encrypt the entire drive, you can also create encrypted volumes which are mounted as disks on your system using a password. I personally like this method, as it allows me to create a volume to store all of my “data” in, rather than having it mixed up with the rest of the system.
There are a great many packages which do the same or similar, and they are all equally able to secure your data, whether using a password, a keyfile, or a hardware USB key combined with a password. Some are certified for government users while others are not. In the end it is a personal choice, but whatever the case, it is something that should definitely be looked at.
For more information on using TrueCrypt, please read Better safe than sorry (Part 2).