Every 12 seconds, somewhere in the world, a personal computer is lost or
stolen, with most containing confidential or sensitive information.
Over the past year there have been numerous high-profile news stories of laptops containing sensitive data becoming lost or
stolen. The Privacy Rights Clearinghouse identifies hundreds, if not
thousands, of domestic incidents that have taken place where personal information
has been compromised. This compilation is just the tip of the iceberg since
it does not include incidents outside of the United States.
However, PCs aren't the only vulnerable devices that may contain
confidential information. For instance, in June 2007, a backup storage device
with
the names and Social Security numbers of more than 500,000 Ohio state
workers, plus an additional 500,000 taxpayers, was stolen out of a state intern's car,
putting one million people at risk.
Virtually all mobile devices and removable media could potentially expose a
firm to embarrassment and even serious security breaches if they fall into
the wrong hands. Private investment firms should devote more attention to
protecting the information located on:
- USB devices – including USB memory sticks, thumb drives, iPods or other MP3 players
- Removable Media – CDs, DVDs, floppy disks and external/portable hard drives
- Wireless devices – such as Blackberries, Treos, personal digital assistants (PDAs), etc.
You should also know that information can be copied or stolen from a
computer without the alarm caused by vanishing hardware. For example, a
hacker no longer needs to have a laptop available to compromise a network. A
USB flash drive or MP3 player can be plugged into a PC and used to steal
large quantities of information rapidly.
The demands of today's mobile workplace make laptop computers, PDAs, flash
drives, and other devices a requirement for many. It is completely
inconceivable for a partner to travel to visit with a limited partner or portfolio company
without taking a laptop packed with data so that any question could be
answered quickly. Remote access via the Internet to your office network is
an important productivity component for your team. And, of course, email
with documents and other data files attached leaves the office regularly.
Therefore, when talking about mobile security, we need to focus on making
your staff aware of the risks of losing important information and suggest
policies that can be easily adopted to secure confidential information. There is
also a need for all firms to develop and implement computer use policies that
balance the need for security with the need of users so that they can
accomplish tasks effectively and efficiently without creating an undue
administrative burden.
Individual Documents and Files
Documents are the lifeblood of an alternative investment
firm. Your team's ability
to preserve that confidentiality is made more difficult when documents are
accessible across a firm network or shared electronically with partners,
limited partners, associates, and other parties via email and extranets.
There are two ways to protect access to sensitive documents and the
confidential information contained in them: authentication and encryption.
Authentication is a common term for limiting access to electronic documents
only to those persons that you want to have access. Password authentication, the most common form of authentication,
is very easy to establish on a
document, folder, or an entire computer. All firm computers should require
at least one password to log onto the computer. Additionally, individual
documents containing sensitive information that is shared electronically can
be individually password protected.
A relatively insecure, or "soft," password may have some positive benefits.
A firm could adopt a universal password that is implemented on all documents
to be taken outside the organization in any way, including by email
attachment. This password could be communicated to partners, associates,
limited partners, and portfolio companies via postal mail or telephone.
Although the widespread knowledge of this password would limit its
effectiveness, it would be highly effective in protecting "lost" documents
transmitted by a misaddressed email, a lost CD-ROM, or a lost USB flash
drive.
It is relatively simple to add password protection to documents and
spreadsheets. In MS Word 2003, document security features can be found under
"Tools" and "Protect Document". In MS Excel 2003, the security settings are
located under “Tools” and “Protection.”
Another way to protect documents from unwanted changes or exposure is to
consider saving your Word or Excel file in Portable Document Format (PDF).
Using this format, a firm can "lock down" documents, disallowing printing,
copying, editing, commenting, or even opening the document.
By "locking down" PDF files, your firm can make sure that the document is
used in the way that it was intended, without exposing it to alteration or
copying. Printing your files to PDF is a more secure way to send documents
to limited partners, portfolio companies, and other parties and know they
cannot be altered.
Document encryption is
the preferred solution, rather than password protection, when it comes to
critically sensitive information. Long used by the
government and military, encryption is a process that obscures data or
information in order to make it unreadable without the use of special
software or the knowledge to decrypt it.
To encrypt digital information, the document, folder, or data file is run
through a software application to obscure the information. There are various
levels of obscuring, generally stated in "bits;" the higher the bits, the
harder to decrypt the information. Currently 128-bit encryption is the common
standard, but super-sensitive documents will have higher levels. The way to
decrypt the information is with a "key." The key is often a pass code or
another software program tied to the original encryption software.
The obvious danger in using document encryption is that the loss of the key
effectively "loses" the document.
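The encrypt-with-a-key process described above, and the consequence of losing the key, as an added example that is not part of the original article. It derives a 128-bit key from a passphrase with PBKDF2 and, because the Python standard library ships no AES, uses an HMAC-SHA256 keystream as a stand-in for a vetted cipher; the function names, passphrases and sample text are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (value assumed for this example)

def derive_keys(passphrase, salt):
    """Stretch the passphrase into a 128-bit cipher key and a 256-bit MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   ITERATIONS, dklen=48)
    return material[:16], material[16:]

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a cipher such as AES-CTR."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_document(passphrase, plaintext):
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag

def decrypt_document(passphrase, blob):
    """Recover the plaintext, or raise ValueError if the key is wrong or lost."""
    if len(blob) < 64:
        raise ValueError("not an encrypted document")
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or altered file: document is unrecoverable")
    stream = keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

SAMPLE = b"Fund III capital account statement (constructed sample text)"

if __name__ == "__main__":
    blob = encrypt_document("long passphrase kept in the firm safe", SAMPLE)
    print(decrypt_document("long passphrase kept in the firm safe", blob))
    try:
        decrypt_document("guessed passphrase", blob)
    except ValueError as err:
        print("without the key:", err)
```

The random salt and nonce make two encryptions of the same document differ, and the tag lets the recipient detect both a wrong passphrase and a file that was altered in transit.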
CD ROMs, DVDs and Floppy Disk Drives
Although the
entire contents of a CD-ROM, DVD, and floppy disk can be
either encrypted or password protected, it generally
makes more sense to encrypt or password protect the
individual document or file.
USB Flash Drives
Becoming
increasingly popular, a USB flash drive is a small
removable data storage device that is as small as a
matchbook or pen, but can hold thousands of
documents, hundreds of photos, songs, or PowerPoint
presentations. It plugs directly into the USB port on
any other computer for access to any documents and other
files previously transferred to the device.
Although these devices are very convenient, two major
security issues emerge: 1) They are easily misplaced,
and 2) it is easy to leave confidential files or data
behind on the temporary host computer.
To avoid losing the flash drive, most devices can attach
to a key ring.
Authentication of documents is probably the most common
method used to protect the data stored on a USB Flash
Drive. Additionally, many USB Flash Drives support
encryption and manufacturers generally include the
necessary software with the device.
Portable Hard Drives
Portable hard
drives are high-capacity external storage devices that
can be easily transported in a briefcase, purse, or
pocket.
These extremely popular and inexpensive devices make it
easy to carry your data backup home, and can hold more
information than a flash drive, often as much or more
than any computer in your office. The devices connect to
any computer through a cable, usually a USB or Firewire
cable.
As with any other storage device that enters or leaves
your office, it must be secured against the possibility
of theft or physical loss. Again, authentication and
encryption are the best methods to protect data
confidentiality.
Smart Phones
The current
generation of Blackberries, Treos, and other mobile
phones includes many of the data access and storage
characteristics of computers. While it's unlikely
that anyone would password protect a Blackberry, it is
still important to consider whether documents placed on
the device should be password protected or if
sensitive documents should be placed on a mobile phone
at all. In addition, many current smart phones offer the
ability to remotely wipe their memory and data while
connected to the network.
Final Thoughts
Your business
is extremely competitive and mobile technology is a key
tool to help maintain your edge. The content on
virtually all mobile devices and removable media could
potentially expose your firm to embarrassment, and even
serious security breaches, if it falls into the wrong
hands.
Private investment firms should devote more attention to
protecting the information found on USB devices,
removable storage media (CDs, DVDs, floppy disks,
portable hard drives, etc.) and wireless smart phone/PDA
devices. User awareness of the issue and acceptance of a
minor inconvenience, like entering a password in order
to read a “secure” document, could play a major role in
minimizing any negative effects a data loss could have
on your private investment firm.