Every 12 seconds, somewhere in the world, a personal computer is lost or
stolen. Most contain confidential or sensitive information.
Over the past year there have been a number of high-profile stories in the
press of laptops and data files containing sensitive data becoming lost or
stolen. The Privacy Rights Clearinghouse identifies hundreds, if not
thousands, of domestic incidents in which personal information
has been compromised. This compilation is just the tip of the iceberg since
it does not include incidents outside of the United States.
Even one missing laptop or device can expose a great deal of
information and put your firm at risk, as evidenced by the media feeding
frenzy when 672 laptops, many containing personally identifying information,
were declared lost or stolen between 2001 and 2006.
However, PCs aren't the only vulnerable devices that can contain
confidential information. For instance a backup storage device containing
the names and Social Security numbers of more than 500,000 Ohio state
workers was stolen out of a state intern's car, putting all of them at risk.
Virtually all mobile devices and removable media could potentially expose a
firm to embarrassment and even serious security breaches if they fall into
the wrong hands. Private investment firms should devote more attention to
protecting the information found on:
- USB devices – including USB memory sticks, thumb drives, iPods or other
MP3 players
- Removable media – CDs, DVDs, floppy disks and external/portable hard drives
- Wireless devices – such as Blackberries, Treos, personal digital assistants
(PDAs), etc.
You should also be aware that information can be copied or stolen from a
computer without the alarm created by vanishing hardware. The internet makes
it easy to find software that can efficiently duplicate data. For example, a
hacker no longer needs to have a laptop available to compromise a network. A
USB flash drive or MP3 player can be plugged into a PC and used to steal
large quantities of information rapidly.
The demands of today's mobile workplace make laptop computers, PDAs, flash
drives, and other devices almost a requirement for many. It is completely
inconceivable to travel to visit with a limited partner or portfolio company
without taking a laptop packed with data so that any question could be
answered quickly. Remote access via the Internet to your office network is
an important productivity component for road warriors. And, of course, email
with documents and other data files attached leaves the office regularly.
Therefore, when we talk about mobile security, we need to focus on making
your staff aware of the risks of losing important information and suggest
policies that you can adopt to secure confidential information. There is
also a need for firms to develop and implement a computer use policy that
balances the need for security with the needs of users, so that they can
accomplish tasks effectively and efficiently without creating an undue
administrative burden.
Document Security
There are two ways to protect access to sensitive documents and the
confidential information contained in them: authentication and encryption.
Not all documents generated by your firm contain sensitive or privileged
information. But documents are the lifeblood of an alternative investment
firm. Your staff works with a number of sensitive documents. Their ability
to preserve that confidentiality is made more difficult when documents are
accessible across a firm network or shared electronically with partners,
limited partners, associates, and other parties via email and extranets.
Authentication is a common term for limiting access to electronic documents
only to those persons that you want to have access. Password authentication
is the most common form of authentication and easy to establish on a
document, folder, or an entire computer. All firm computers should require
at least one password to log onto the computer. Additionally, individual
documents containing sensitive information that are shared electronically can
each be password protected.
Passwords can be very strong or relatively weak. A strong password will be
at least nine characters in length and contain both letters and numbers or
symbols.
A relatively insecure, or "soft," password may have some positive benefits.
A firm could adopt a universal password that is implemented on all documents
to be taken outside the organization in any way, including by email
attachment. This password could be communicated to partners, associates,
limited partners, and portfolio companies via postal mail or telephone.
Although the widespread knowledge of this password would limit its
effectiveness, it would be highly effective in protecting "lost" documents
transmitted by a misaddressed email, a lost CD-ROM, or a lost USB flash
drive.
It is relatively simple to add password protection to documents and
spreadsheets. In MS Word 2003, document security features can be found under
"Tools" and "Protect Document". In MS Excel 2003, the security settings are
located under "Tools" and "Protection".
Another way to protect documents from unwanted changes or exposure is to
consider saving your Word or Excel file in Portable Document Format (PDF).
Using this format, a firm can "lock down" documents, disallowing printing,
copying, editing, commenting, or even opening the document.
By "locking down" PDF files, your firm can make sure that the document is
used in the way that it was intended, without exposing it to alteration or
copying. Printing your files to PDF is a more secure way to send documents
to limited partners, portfolio companies, and other parties and know they
cannot be altered.
When it comes to critically sensitive information, document encryption is
the preferred solution rather than password protection. Long used by the
government and military, encryption is a process that obscures data or
information in order to make it unreadable without the use of special
software or the knowledge to decrypt it.
To encrypt digital information, the document, folder, or data file is run
through a software application to obscure the information. There are various
levels of obscuring, generally stated in "bits"; the higher the number of bits,
the harder it is to decrypt the information. Currently 256-bit encryption is a
common standard, but super-sensitive documents will have higher levels. The way
to decrypt the information is with a "key." The key is often a pass code or
another software program tied to the original encryption software.
The obvious danger in using document encryption is that the loss of the key
effectively "loses" the document.
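As an added illustration of the points above (this is not code from the original article), the following Ruby sketch derives a 256-bit AES key from a pass code, encrypts a document with AES-256-GCM so that a wrong pass code is rejected outright rather than yielding garbage, and escrows the data key under a firm-held recovery key so that a forgotten pass code does not "lose" the document. The function names, the envelope layout and the iteration count are assumptions.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # PBKDF2 work factor; an assumed value, tune to your hardware

# Turn a memorable pass code into the 256-bit AES key (PBKDF2-HMAC-SHA256).
def derive_key(pass, salt)
  OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: ITERATIONS, length: 32, hash: 'sha256')
end

# AES-256-GCM with a fresh random nonce; output is nonce || tag || ciphertext.
# The authentication tag means a wrong key raises an error instead of
# silently decrypting to garbage.
def seal(key, plain)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  ct = c.update(plain) + c.final
  nonce + c.auth_tag + ct
end

def unseal(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.auth_data = ''
  c.update(blob[28..-1]) + c.final # OpenSSL::Cipher::CipherError on wrong key
end

# Envelope (constructed layout): the document sealed under a random data key,
# and that data key wrapped twice, under the user's pass code and under a
# firm-held recovery key, so losing the pass code does not lose the document.
def encrypt_document(doc, pass, recovery_key)
  data_key = SecureRandom.random_bytes(32)
  salt = SecureRandom.random_bytes(16)
  { salt: salt,
    doc: seal(data_key, doc),
    user_wrap: seal(derive_key(pass, salt), data_key),
    recovery_wrap: seal(recovery_key, data_key) }
end

# Everyday path: the user's own pass code unwraps the data key.
def open_with_passphrase(env, pass)
  unseal(unseal(derive_key(pass, env[:salt]), env[:user_wrap]), env[:doc])
end

# Recovery path: the firm's escrowed key unwraps the same data key.
def open_with_recovery(env, recovery_key)
  unseal(unseal(recovery_key, env[:recovery_wrap]), env[:doc])
end
```

The recovery key itself must be stored offline and separately from the devices that carry the envelopes, or the escrow merely moves the single point of failure.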
CD-ROMs, DVDs and Floppy Disk Drives
Although the entire contents of a CD-ROM, DVD, and floppy disk can be
either encrypted or password protected, it generally
makes more sense to encrypt or password protect the
individual document.
USB Flash Drives
Becoming increasingly popular, a USB flash drive is a small
removable data storage device that is as small as a
matchbook or ink pen but can hold thousands of
documents, hundreds of photos, songs, or PowerPoint
presentations. It plugs directly into the USB port on
any other computer for access to any documents and other
files previously transferred to the device.
Although these devices are very convenient, two major
security issues emerge: 1) They are easily misplaced,
and 2) it is easy to leave confidential files or data
behind on the temporary host computer.
To avoid losing the flash drive, most devices can attach
to a key ring.
Authentication of documents is probably the most common
method used to protect the data stored on a USB Flash
Drive. Additionally, many USB Flash Drives support
encryption and manufacturers generally include the
necessary software with the device.
Portable Hard Drives
Portable hard drives are high-capacity external storage devices that
can be easily transported in a briefcase, purse, or
pocket.
These extremely popular and inexpensive devices make it
easy to carry your data backup home, and can hold more
information than a flash drive, often as much or more
than any computer in your office. The devices connect to
any computer through a cable, usually a USB or Firewire
cable.
As with any other storage device that enters or leaves
your office, it must be secured against the possibility
of theft or physical loss. Again, authentication and
encryption are the best methods to protect data
confidentiality.
Smart Phones
The current generation of Blackberries, Treos, and other mobile
phones include a number of the data access and storage
characteristics of computers. While it is probably unlikely
that you would password protect a Blackberry, it is
still important to consider whether documents placed on
the device should be password protected or whether
sensitive documents should be placed on a mobile phone
at all.
Laptop Computers
Certainly all road warriors, and likely the vast majority of
support staff, work with laptop computers – both in the
office and remotely. Unfortunately, the loss or theft of
a laptop is not a rare or uncommon event. For
example, in September 2006, the United States Department
of Commerce identified 1,138 laptop computers as either
lost, stolen or missing during the 5 year period from
2001 through 2006.
The generally accepted minimum standard for laptop
protection is that it should be password protected. For
laptop computers that are typically attached to a
network, this is already done by the network login
password. Additionally, some laptops even offer
fingerprint scanning authentication.
As mentioned earlier, sensitive documents on a laptop
can be either password protected or encrypted. However,
there are times when it may make sense to employ both
methods.
Frequent flyers may want to utilize a screen protector
that can be used to block prying eyes when working on an
airplane or any public location, such as an airport
terminal. They should also make sure that their wireless
transmitters and receivers are turned off when not
needed.
Final Thoughts
Your business is extremely competitive and mobile technology is a key
tool to help maintain your edge. The content on
virtually all mobile devices and removable media could
potentially expose a firm to embarrassment, and even
serious security breaches, if it falls into the wrong
hands.
Private investment firms should devote more attention to
protecting the information found on USB devices,
removable storage media (CDs, DVDs, floppy disks,
portable hard drives, etc.) and wireless smart phone/PDA
devices. User awareness of the issue and acceptance of a
minor inconvenience, like entering a password in order
to read a "secure" document, could play a major role in
minimizing any negative effects a data loss could have
on your private investment firm.