Print Edition
      August 2007

What have you got to lose?

By Yves Godbout
Illustration: Claudia Newell

When your computer is stolen, it can be replaced. But what about all the valuable information it holds?

It’s a fact. We are using personal computers more than ever and have more and more data stored on them. And given the number of computers stolen daily, all that data may be compromised.

According to analysts, personal data is far more valuable than the hardware. Many of us have valuable client data as well as our own information stored on our computers. How can we protect ourselves against this exposure?

We take all kinds of steps to protect the data on our PCs. We apply security updates and use antivirus, anti-phishing and anti-spyware software. In short, a well-protected PC can almost ensure no one gets to our data — unless someone has physical access to the device.

Every year thousands of personal computers are lost or stolen. Although the prime target is usually a laptop or portable computer, home or office desktop computers can also be attractive to thieves. Since we carry laptops everywhere, they are more vulnerable to theft. Laptop computers are stolen or forgotten on buses, trains, in bars or conference centres. As well, many are stolen out of car trunks, back seats, homes and offices.

The value of PC hardware can be significant if you have a new, high-performance machine, but this may not be the only reason a thief would want your equipment. The value on the street of your laptop is probably close to $200. But the data it contains can be more appealing, depending on the caliber of the thief.
Consider the data your PC may hold:

While losing the equipment is a nuisance, especially if you don’t have a backup, it can be replaced. Your home or business insurance probably covers the cost of the equipment in the event of such a loss.

But information theft is much more daunting. In addition to exposing yourself or your clients to huge losses, you could also be violating Canada’s Personal Information Protection and Electronic Documents Act, which protects personal information collected electronically.

There are hundreds of data loss or theft horror stories. (A listing and additional links to some are at www.CAmagazine.com/technology/lostnews.)

Services do exist to help you recover a lost PC. Some use software to advise the owner of the PC’s whereabouts when it is lost or stolen as soon as an Internet connection is established. Such products include Computrace from Absolute Software or PC PhoneHome from Brigadoon.

But recovering the equipment is only part of the solution. Sophisticated thieves are looking for data, not the machine. According to experts, basic personal information such as name, address, date of birth and social insurance number is worth approximately $20 on the black market. Imagine how much the laptop from an insurance broker can be worth.

If you think Windows security is all you need to protect your data, especially with secure operating systems such as Windows XP or Vista, you are mistaken. The data can be read if the thief has the right hardware and/or software.

A few weeks ago, a friend’s daughter forgot her Windows password and her term paper was on the machine — no way to get that data. All they needed was to call a friend, me. I showed up with a few CDs and we booted the machine with a Linux-based operating system, recovered the file and wrote it out to a USB drive. She was ecstatic. But that was not enough — I booted with a utility CD, went in and changed the administrator password within Windows. She was then able to use the machine as she had before. I could have done exactly the same had she stolen the PC — all the data was in the clear and available to us.

There are ways to protect yourself from liabilities from clients as well as from having your information stolen or abused. All PCs should have a mechanism to protect them from loss.

There are several ways to protect your data:

Power-on password  We may hate passwords, but they are an effective way of deterring a PC thief. If a machine is stolen, it is rendered virtually useless unless the thief has access to information on a master password or can contact the PC manufacturer’s technical support. In many cases a thief who is looking for only a machine will give up and throw the PC away since he or she cannot use it without the power-on password. If, however, the thief is also a data thief, the hard drive can simply be removed and installed on another system, making all the data available.

Biometric authentication techniques and devices  These are great because they ensure the users are who they say they are, but these techniques have the same problem as power-on passwords. A thief could simply remove the hard drive, install it on another system and access the data.

No data on the PC  Although this may appear radical, it is possible to store most of your data on USB flash drives, portable USB hard drives or SD cards. However, this does not completely protect the data, as the data device could fail or be lost or stolen, resulting once again in data loss. As well, if the data is not protected, it can be read by any other PC. You can also use remote desktop or Citrix to access your data, but this may not always be practical for road warriors.

File encryption  You can choose to encrypt all sensitive information. This is effective in protecting the information, but it is a manual process that can be somewhat cumbersome. As well, your applications may not support file encryption so you would need to encrypt all files as you save them. Another problem is that even if the file is encrypted, unless you take special measures, the “footprint” of the original file can be on your hard drive or in temporary file space.

File system encryption  Starting with Windows 2000, Windows has provided the encrypted file system, EFS. Simply encrypt your My Documents folder and any files you save there will be encrypted. However, if someone has the right utility, he or she can change your password and gain access to all the data.

As well, EFS can cause problems if you mail attachments, use special utilities or store files on network drives. You can end up with data so secure neither you nor your colleagues can read it.

Disk encryption  With full-disk encryption no one can gain access to the data without having access to the password and the encryption key. Quality solutions on the market today provide encryption algorithms that cannot easily be circumvented and most are approved for use by the US Department of Defense.

More recent products even provide for strong authentication using Trusted Platform Module (TPM) 1.2, which is a microprocessor embedded in the PC and is unique to that machine. If your computer is stolen, the data cannot be accessed by moving the drive to another machine and using software tools, as the data and encryption keys are tied to the specific machine.
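The difference between a password check and machine-bound disk encryption can be shown in a few lines. This is an added example, not code from the article or from any product it names: the machine secret is a plain byte string standing in for a key held by the TPM, the cipher is a toy HMAC-SHA256 counter-mode construction rather than AES, and all names and sample data are constructed.

```python
import hashlib
import hmac
import os

def derive_volume_key(password, machine_secret, salt):
    # The password alone is not enough: it is mixed with a secret that stays
    # inside one machine (a byte string here, standing in for the TPM).
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(machine_secret, stretched, hashlib.sha256).digest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Toy cipher for the demo: HMAC-SHA256 in counter mode, not AES.
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def encrypt_sector(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_sector(key, blob):
    # Returns None when the key is wrong (wrong password or wrong machine).
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

# Constructed sample data: two machines, one drive.
SALT = b"constructed-salt"
LAPTOP_SECRET = b"secret-inside-the-owners-laptop"
OTHER_PC_SECRET = b"secret-inside-some-other-pc"
SECTOR = b"Client file: name, address, date of birth, SIN"

def read_drive(password, machine_secret, blob):
    return decrypt_sector(derive_volume_key(password, machine_secret, SALT), blob)

if __name__ == "__main__":
    disk = encrypt_sector(derive_volume_key("correct horse", LAPTOP_SECRET, SALT), SECTOR)
    print("owner, own laptop :", read_drive("correct horse", LAPTOP_SECRET, disk))
    print("drive in other PC :", read_drive("correct horse", OTHER_PC_SECRET, disk))
    print("wrong password    :", read_drive("guess", LAPTOP_SECRET, disk))
```

Only the first read returns the data; a drive protected by nothing more than a power-on or Windows password has no equivalent of the two failing cases.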

There are a number of players in this area. Most of them have very good credentials and solid products. Microsoft has even included a product that handles full-volume encryption in Vista. BitLocker, which provides full disk encryption, is available in Windows Vista Ultimate and Windows Vista Enterprise but is not available in Windows XP.

There are also other contenders in this market. WinMagic, a Canadian company, has a product called SecureDoc that encrypts disks as well as removable media. Its product is robust and a management module helps with enterprise deployments and key management. Other well-respected names in drive encryption are PointSec for PC and Utimaco’s SafeGuard Easy.

Hard drive encryption  A major hard-drive manufacturer, Seagate, sells a new notebook hard drive called Momentus® 5400 FDE.2. These drives are hardware-based, full disk encryption products that offer advanced data protection to personal and corporate laptop users. The encryption is tied to the machine but all done by the drive itself. It uses TPM 1.2 and AES encryption.

You can’t afford the loss  You cannot afford to risk compromising data. There are effective and cost-effective solutions to ensure data is safe. It makes good business sense to protect it wisely.


Yves Godbout, CA•IT, CA•CISA, is the director of IT services with the Office of the Auditor General of Canada and has extensive experience in information technologies as they apply to the enterprise and in audit. He is the chair of the CICA Alliance for Excellence in Information Technology. Godbout is also Technical editor for technology