Let's face it. Encryption is one of those technologies that's on your to-do list, but you probably haven't gotten to yet. It's a must-have technology that is pondered more than actually implemented. Encryption is widely used in the internetworked IT infrastructure, but it's barely understood by most users. And, sadly enough, IT shops in small- and medium-sized businesses (SMBs) seldom take full advantage of it.
That said, what happens if a company laptop is stolen or lost? Is the hard drive data protected against unauthorized access? The standard password login to Windows isn't enough protection. Encryption technology provides the definitive solution. Scrambling digital data limits access to only those with the proper keys (think of these as akin to passwords, but stronger) and can guard against eavesdropping on communications, prevent undetected alteration or deletion and deny unauthorized access.
But we know that already. The problem is, SMBs don't use encryption technology enough. Savvy large enterprises are adopting crypto to protect data stored on personal computers, but few SMBs implement it now. This is quite dangerous, given that data on computers is valuable and vulnerable, regardless of company size.
Why don't we encrypt more?
We know the problem. We know the solution. Why don't we use it? Encryption requires conscious action, and users invariably opt for the easiest procedures, thus dropping "unnecessary" steps. Getting around this means IT shops must install crypto systems that run automatically with e-mail and file systems. This requires a definite commitment of IT support for implementation and enforcement, management approval of policy requirements and training.
Crypto scares users. It threatens to deny access to everything on their computers if they lose keys or forget a password. Unless IT professionals can guarantee a secondary decryption key (a "back door"), crypto protection is so strong that when all primary keys are lost, data is truly unrecoverable. Keys have to be automated with other security and login measures so there's no extra burden for users to remember. As with passwords, there's no security when users have to write down their cryptographic keys on a sticky note attached to the monitor.
What you can do
Take the time to implement a few simple steps that will prevent devastating and dangerous security problems -- as well as save time and money.
- Be realistic about how your company's data travels. Do your users carry around sensitive computer data that could cause competitive disadvantage, intellectual property concerns, disclosure of trade secrets, or financial or other damage to individuals or companies? Whether that data lives on a laptop, CD-ROM, PDA, USB memory device, portable hard drive or flash memory card, make sure it is secured.
- Use strong crypto software. One good candidate from among dozens on the market is PGP, which comes in a wide range of IT-friendly, manageable and upgradable configurations.
- Make backup copies. When you install crypto for your users, be sure to keep secured backup copies of their crypto keys or a secure master key; inevitably you will need such tools to rescue some important data.
- To protect data and crypto keys, use at least two of the three forms of authentication:
  - Something you know, such as a password.
  - Something you have, such as a smart card or an electronic token like RSA's SecurID, which presents a new passcode every minute to preclude spoofing and password reuse.
  - Something you are, a biometric identifier such as a fingerprint or retinal pattern.
- Issue protected hardware devices. These include fingerprint-secured USB drives or smart-card-equipped laptops.
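The "secured backup copies of their crypto keys or a secure master key" advice above is the part most often skipped, so here is an added illustration of the idea (this is example code written for this page, not anything from the article, PGP or any other product). The file's data key is never stored in the clear; it is wrapped twice, once under a key derived from the user's passphrase and once under a recovery key that IT keeps offline. A forgotten passphrase therefore does not make the data unrecoverable, and a wrong passphrase or a tampered record is rejected rather than yielding garbage. All function names and the record layout are hypothetical, and the wrap primitive is a toy built from HMAC-SHA256 so the example runs on the Python standard library alone; a real deployment would use AES-GCM or AES key wrap for that step.

```python
import hashlib
import hmac
import secrets

# Hypothetical illustration (not from the article, not a real product's format):
# a data key is wrapped twice, once under a KEK derived from the user's
# passphrase and once under an IT-held recovery KEK, so a forgotten passphrase
# does not leave the data unrecoverable. The wrap primitive is a toy
# (HMAC-SHA256 counter keystream plus HMAC tag) so the file needs only the
# standard library; use AES-GCM or AES key wrap for real systems.

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 200_000


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch a user passphrase into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(kek: bytes) -> tuple:
    """Derive separate keystream and MAC keys so one KEK never serves both roles."""
    enc = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(kek: bytes, data_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag for data_key under kek (toy construction)."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong KEK or altered slot raises ValueError."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered key slot")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def protect_data_key(data_key: bytes, passphrase: str, recovery_kek: bytes) -> dict:
    """Build a two-slot record: a user slot (passphrase) and a recovery slot (IT master key)."""
    salt = secrets.token_bytes(16)
    user_kek = derive_kek(passphrase, salt)
    return {
        "salt": salt,
        "user_slot": wrap_key(user_kek, data_key),
        "recovery_slot": wrap_key(recovery_kek, data_key),
    }


def recover_with_passphrase(record: dict, passphrase: str) -> bytes:
    """Normal path: the user's passphrase unlocks the data key."""
    return unwrap_key(derive_kek(passphrase, record["salt"]), record["user_slot"])


def recover_with_master(record: dict, recovery_kek: bytes) -> bytes:
    """Rescue path: IT's offline recovery key unlocks the same data key."""
    return unwrap_key(recovery_kek, record["recovery_slot"])


if __name__ == "__main__":
    # Constructed sample values; in practice the recovery KEK lives offline with IT.
    data_key = secrets.token_bytes(32)
    recovery_kek = secrets.token_bytes(32)
    record = protect_data_key(data_key, "correct horse battery", recovery_kek)
    print("user recovers:   ", recover_with_passphrase(record, "correct horse battery") == data_key)
    print("IT recovers:     ", recover_with_master(record, recovery_kek) == data_key)
    try:
        recover_with_passphrase(record, "wrong passphrase")
    except ValueError as exc:
        print("wrong passphrase:", exc)
```

The recovery slot is what turns the feared "back door" into a managed rescue path: it is a second, equally strong key rather than a weakening of the user's key, and whoever holds it can recover data, so it belongs offline under the same two-factor controls the list above recommends.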
Russell Kay is a consultant and freelance writer in Worcester, Mass., and a former technical and reviews editor at Byte and Computerworld. Let us know what you think about this tip.