Does UK Law Require Encryption of Business Information? My
understanding is that sensitive personal information on laptops,
and portable backup disks should be encrypted. There is no legal requirement to encrypt data stored securely on
desktop machines. Use Google to
search for precise information.
However, if a computer is stolen, and the information it contains
mis-used, your reputation may be seriously damaged. You (or your customers) may
become the victim of identity theft.
If the computer is stolen, even if nothing happens, there is the
serious stress created by wondering if the information will be
misused! If you're on holiday, the thief may now know where
you live.
Perhaps encryption seems like a lot of work, when the risk of
disaster is so small. But if the worst happens, it will take
weeks to undo the damage. Every day my staff spend a couple of
hours putting stock in and out of the safe. And that time is
essential to keep my business secure. Because we do it we
haven't had an attempted break-in in years. Encryption is
just as essential for keeping your business and personal data
secure.
I lack the expertise to make a final judgement as to whether any
system will stand up to a determined attack. I have no idea where
to turn to gain expert advice. However I have not heard any
criticism of the systems I'm recommending here, apart from
the points against them that I raise.
I refer repeatedly to passwords. I will discuss how to generate a strong password later. But for security, the ideal password should be approximately 64 characters long. If entered from the keyboard, 20 characters is the minimum for reasonable security. That is why I finally chose Truecrypt for my laptop, because you can store the password on a usb stick, easier and more reliable than entering it on a keyboard. Also the laptop I really wanted did not include Microsoft Windows encryption.
You'll need a different password from the one which you use to log on. Gives quite a high level of protection. However a Google search revealed a number of companies who will recover the password - at a price. Note this is not an encryption system, but the results are comparable. However it does always require that you enter 2 passwords when starting the computer. If you're going to that amount of effort I feel that a third-party encryption system may be more secure.
As built into Windows XP Pro, Vista Business and
Ultimate, and Windows 7.
Very simple to set up and use. Believed to be
very secure. Seems to have very little effect on the computer
speed. Completely transparent to the user. Unfortunately the key
is the password you use to log on to Windows (which is probably not long enough to be totally secure). Encrypted files cannot be shared across the network nor with other users of the
same computer. Folder and file names can be viewed by users who
do not have access rights.
If you choose this option, ensure you have a very strong
password, about 20 characters long. Encrypt all document and
picture folders, and ensure Outlook .pst files are encrypted,
they are not in the documents folder.
I finally selected TrueCrypt and will describe
its setup later. Many other systems are available, however
TrueCrypt seemed ideal for my purposes. TrueCrypt is sold as
freeware, I do hope that business users will make some donation
for such a useful utility.
Benefits. Passwords can be very strong because Truecrypt can use a file on a usb stick, making
it impossible for anybody to access files. Folder and file names
are hidden until the password is entered.
Warning: Loss of the password would be a disaster (obviously). Good backup strategy
is essential. As with all security, it's essential that a business can recover without too much inconvenience to customers.
I use Winzip. Encrypt the backup with its built-in encryption system (selecting the strongest option AES 256). The password can be stored on the same computer as the files you are encrypting onto a portable medium, but never store the password on the same backup medium as the backup file. However ensure you have a separate copy of the password not on the computer. Without that you would never be able to restore your lost files if the original computer is destroyed.
Employee dishonesty. Once the computer is
switched on, files can be accessed by staff, although Windows
encryption does offer some protection.
Robbery with violence. If somebody demands with
threats your passwords, encryption really won't help. Actually TrueCrypt does have a system to hide the encrypted file
in a folder alongside encrypted but meaningless files, which will
look as if they are the secure files at a quick glance. However
if threatened with violence I'm not certain that anybody (at
least the type of person who is reading this page) is going to stand
firm and not reveal the true passwords, nor the wisdom of
refusing to reveal the information under such threats.
An encrypted file will be written to the location you choose
on your hard disk. Its extension does not matter. So you can
disguise it as, say, a video. However I suspect that any hacker
with the expertise to crack TrueCrypt will be able to identify
the file quite quickly.
When you open TrueCrypt, you can then 'Mount' that file. It will then appear as a partition of your hard disc. Sosftware
can access it freely. Files can also be shared across the
network.
You can use a keyfile, stored on a USB memory stick (or
elsewhere). TrueCrypt will automatically write one for you, or
you can use any file like a JPEG provided it s more than 64
characters long. Do alter the properties of the keyfile to Read
Only. The file extension does not matter, so it can be used to
disguise the file. Be careful that you have a copy of the file
stored somewhere safely (very definitely not on the computer you
are protecting).
In addition, or as an alternative, you can enter a password on
the keyboard in the usual fashion.
If you can be certain that the computer and the USB stick will
never be carried by the same person, then the keyfile on its own
may well be adequate. I sometimes travel with my laptop on my
own, so I would be carrying both the laptop and a USB stick.
Therefore in my case I must also use a password for extra
security.
Useful help files are available online. The brief
information here does not duplicate their help, but adds to it. I'm only covering problems which took time to
resolve.
If you have decided to use a keyfile, when you first open
TrueCrypt click on the menu option keyfile to create a keyfile or
set a default keyfile location. Setting a default location speeds
up opening your encrypted folder (just insert the usb stick and
Truecrypt will know you're ready to open the encrypted file), but
could be helpful to a hacker. I normally leave it set, but might
delete the path if I am concerned about security - for example
travelling on my own with the laptop.
In Truecrypt terminology Mount means to open an encrypted file
and mount it to look like a partition on the disk.
While I'm not expert enough to give advice on encryption
I'd recommend AES256 as the minimum standard. If your
processor can handle it you might like to combine 2 encryption
systems. However I don't know how much such a step increases the level
of security.
On the main program window note the option to 'Never save
history.' It's ticked by default. Unticking it will save time
because you won't have to browse for the encrypted file each
time you want to open it, but could possibly be useful to speed
up a hacker's work. Again normally to save time and if I'm
certain the keyfile is separate from the computer, I leave this
option unticked, then opening the encrypted file is very
quick.
After preparing your encrypted partition, ensure Office programs
(as well as all the other programs you use) look in it when
opening files. Watch out for Outlook, which writes to its own
(hard to find) location. Ensure its .pst files are moved to the
encrypted location. I also think it's worthwhile to ensure
all pictures are encrypted; they may reveal clues about your
identity.
If, as is likely, your computer can go into hibernation, do ensure
that under Settings/Preferences >Dismount all
when:Entering power saving mode is selected; otherwise the password/s will be written to your hard disk.
Too often the only protection a password will give is that the
hacker is likely to die laughing as he cracks it!
If your password is a name or in the dictionary, it's
useless. Of course that's the first thing they'll test
for (software makes the task quick and easy). Even fiendish
ideas like passw0rd (replacing the O with zero) are so well
known as to be useless.
A password must look like a random sequence. The only way of
cracking this type of passwords is by brute force, testing every
possible combination of characters. The longer the password the
more possible options. A computer can test many millions of
possibilites each second, so a password must be long to offer any
protection. Any password, given enough time, can be cracked. However (using today's computers) the universe will end
before a 64 character password is cracked! Check other resources
for a guide on how long it takes to recover a lost password, and
you will see how much faster a dictionary word can be
recovered.
TrueCrypt advise it should be 20 characters or longer, which
should be suitable for several years if computer speed increases
at its current rate. That's one reason I use a keyfile (which
is 64 characters long) as well as a password entered on the keyboard to open my Truecrypt file. Unless the keyfile is stolen with the
computer I can be confident my files are still secure. But this extra
password entered from the keyboard will make life that bit harder for the hacker,
even if they have the keyfile. Do note that as computer
processing power increases, passwords will have to become even
longer to remain secure.
So how can we hope to remember a complex password. Here's an example I prepared earlier. It's not hard to
remember. Note it's not as long as it necessary for total
security, it's just an example.
This is the password: THriS05^11#smotPp
Let's see how it works. Take the expression The rain in Spain
stays mainly on the Plain. Use the initial letters, retaining
uppercase as shown and we get TriSsmotP. A random password is hard
to crack and can be only attacked by brute force (i.e. testing of
all possible combinations). Each letter in this password could be
one of 52 (upper or lower case letters of the alphabet).
Now we'll add a date so that the poor hacker has to test for
numbers as well (now 62 possibilities for each character), I
chose Guy Fawkes night (05/11)! And inserted it after the S of
Spain. This gives us TriS05/11smotP.
Now we add some non-alpha numeric characters and change the
separator in the date. There are an awful lot of these characters
on your keyboard so now we are making life really hard for a
hacker. You'll have to remember them but it is not that
difficult - all my staff have to do this. We now have
TriS05^11#smotP To make life simple (!) I inserted the carat
character as a break in the date and the hash at the end of the
date.
To make matters worse, we must use a different password for every location, either a file, our Windows password, or a website. Otherwise if a site is hacked (and it does happen) all the passwords are compromised. Identify a name (file name, computer user name, or website) for each location we need to password protect. So let's add extra characters using Google as an example. Take the first 2 letters 'Go,' take the next letter of the alphabet for each and it becomes 'Hp.'
After the first T we enter the capital G, and the last character is the second, p.
It may look complicated, but after entering a few times, it is
easy to remember.
This is just an example, you'll have to use your own phrase, date etc. Otherwise if a hacker is reading this, he'll know how to crack your passwords!
I am a jeweller, not a software expert. If you are protecting
really sensitive data you should seek expert advice. Do not rely
on the information given here.
All information on this page is correct to the best of my
knowledge and belief. However I cannot accept any responsibility
for errors. You are strongly advised to cross check advice here
before making any decisions. You alone are responsible for any
decisions you make based on the guidance here. Seek expert advice
before making decisions, I am not an expert.
But if an 'expert' starts telling you that I've
over-stated the need for security, be wary. Google searches will
show how many businesses sell software to reveal passwords. Do
not under-estimate the need for precautions.