Data Security

[David D.]

I’m considering getting rid of my desktop computer and using a laptop exclusively. Laptops are fast, cheap, mobile and can be hooked up to a big monitor when available. I think desktops are becoming a thing of the past. And it got me thinking, a laptop has a much higher probability of getting lost or stolen, thus all my buyer/seller/borrower/investor etc data, not to mention my own data, will be more vulnerable. I have a lot of other peoples stuff, SSN, driver’s license copy, corporate P&L, operating agreements etc, etc.

What are you guys doing about protecting your computer data, if anything?

Do you use a SSL (secure socket layer, you know that https thing) on your websites and email providers? Do you use any kind of hard disk encryption? Do you backup, if so do you use the online backup service?

Thanks, Dave

[Brad B.]

Some things to keep in mind. Not only is it important to worry about data confidentiality, but you also want to address availability and integrity in your overall security plans.

Using an encryption product is a great method of maintaining the confidentiality of your data. (i.e., making sure only necessary stakeholders can access it) However, it's important to properly use encryption as well. Although I could write a paper on this matter, you want to handle the basic protections. Your encryption is only as good as the algorithm used combined with the tokens you use to decrypt or access the data the container holds. Generally, for a windows desktop user, I lean towards either PGP Desktop or a TrueCrypt container. Truecrypt is free and very, very secure when used properly. PGP is very good as well, but costs money. Ideally, with what ever solution you use, make sure you are protecting it with a very strong password. Not something guessable such as a word. Passphrases work best since they are sufficiently long, contain enough characters of different values, and are easily memorable (so that you don't write it down). A good pass phrase would be something like, "The rain in Spain falls gently on the plain!"

Additionally, you want to ensure you can always access your data when you need to. That's the availability portion. Once you have an encrypted container - make sure you back it up someplace. Ideally, you want a distinct of a backup location as possible or realistic given your circumstances. You also want to make sure your backup copy works. I've been in many situations where people trusted their backups only to find they didn't work when they needed them most. It was false security. Testing your backups falls into the category of Data Integrity.

If you do all of that, then you have some measure of data security. But it should be practical based on your specific situation. There are many online services that you can use for storage and other things without resorting to buying special hardware. Since your data is strongly encrypted, it shouldn't be an issue about unauthorized users having access.

Another thing to note, since you are keeping personally identifiable information (PII), it would serve you well to familiarize yourself with your state's laws concerning inadvertent disclosure (hacking). It happens to a lot of businesses and some states have more stringent rules than others concerning who needs to be notified and when as well as what are the ramifications for non-compliance. It's better to have that information in order while you are thinking about data security than after an incident takes place.