Security tops accountants’ worry lists

What you need to know to safeguard confidential data

By Rick Telberg

Each year for the past 18, the American Institute of Certified Public Accountants has conducted and published the results of its Annual Top Technology Initiatives Survey. In this year’s edition, four new issues surged onto the “Top Ten” list. Interestingly, many of the concerns are connected.

“Information Security” took the top spot for the fifth year in a row on the 18th Annual Top Technology Initiatives Survey, while “Identity and Access Management” jumped into second place. Also moving up to fourth place in the survey was “Privacy Management”, and a new initiative, “Securing and Controlling Information Distribution” hit the Survey charts this year.
To some extent, these are all different views of the same basic concern. Whether you call it “Privacy Management” to comply with HIPAA or just fiduciary responsibility to your firm or a client, “Information Security”, “Access Management”, or “Securing Information Distribution”–it all adds up to the same thing–keeping private and confidential data private and out of the hands of the unauthorized.

Why the ongoing concern with these Initiatives? To some extent they are mandated by legislated compliance requirements such as SOX. If you’ve been to a new doctor, dentist, or other healthcare provider recently, you’ve surely noticed that you signed a piece of paper outlining confidentiality requirements under HIPAA.

Regardless of regulatory requirements, it’s just plain good business practice not to “talk out of turn”. That encompasses being cavalier with company or client data. It’s always big news when a company lets credit card holders’ confidential information such as account numbers or Social Security numbers slip through the cracks. Lost laptops plague organizations as diverse as the Los Alamos National Laboratory and the IRS.

So what’s the answer? We’ve talked here in past columns about security issues and some of the approaches to addressing them. Laptops pose a particularly vulnerable area. There are several reasons for that, starting with the form factor being particularly easy to make off with. Add in a professional who is frequently out of the office with the laptop, and your laptop is almost like a shining beacon saying “Steal Me! Steal Me!”

Many of us have confidential data on our laptops. It doesn’t necessarily need to be client data, but if you check bank accounts on-line, and don’t specifically clear your Internet history, it might be possible for a thief to recover account and password data if your laptop takes a walk.

Buying a laptop with a biometric access device, such as an integrated fingerprint reader, is a good first step, and you can add this type of accessory on if you already have a laptop.

But using a password or biometrics is only a first step. Think of it as a gatekeeper to a private community. If a thief can bypass the gatekeeper, it’s pretty easy for them to plunder at will.

Your second line of defense should be to make sure the hard drive on your laptop is encrypted. It may slow down access just a tad, but if your laptop disappears, you will at least have some assurance that the private data stored on it will remain private. There are numerous reasonably-priced encryption utilities available, and many biometric access devices, such as fingerprint readers, come with an encryption option.

Just make sure that you back up your data on a regular basis, and store the backup copy and encryption key somewhere besides on your PC.

One Response to “Security tops accountants’ worry lists”

  1. Richard Norick

    I hate people who can make many interesting points in just a few words! :) I felt you did that quite well in “Security tops accountants’ worry lists.”

    I am co-founder of a data security software company, Hypersecurity LLC, and I and two partners set out to find a better way to secure data on your laptop or desktop without either taking complete control of the computer, or negatively affecting productivity through loss of speed. We have done this with our software solution Hypersecurity DataVault.

    Quoting you saying: “But using a password or biometrics is only a first step. Think of it as a gatekeeper to a private community. If a thief can bypass the gatekeeper, it’s pretty easy for them to plunder at will.” Our product requires two factor identification; something you have, your computer, and something you know, your very secure password. With us, even if you get past the “gatekeeper,” it will do you no good. You still can’t access the data.

    Another of your quotes: “Your second line of defense should be to make sure the hard drive on your laptop is encrypted. It may slow down access just a tad, but if your laptop disappears, you will at least have some assurance that the private data stored on it will remain private.” Here is where we differ.

    Using Hypersecurity DataVault, think of a safe deposit box. We create a “safe deposit box” on your hard disk and you select what you want encrypted, you manage it, and with our software, corporate policy dictates how and what stays secure. We only secure your data and your computer can then do whatever it was intended for, as a productivity tool.

    With us you will experience no system degradation and it runs transparently in the background. With some of the full-disk encryption solutions, once you open your system up, none of your data is now secure and your system is totally open. With Hypersecurity DataVault, your system is open but your data remains totally secure and you are the only person who can access it!

    Now, I realize that you think I am just trying to sell you something, but that actually is not my intent. My intent is to suggest that you can have true data security without locking down your entire system and without any system degradation. This is where most other products fail.

    Scenario: You are traveling, you are in a hotel, you have 20 minutes to get ready to do a presentation to 300 CPAs in a conference room upstairs and your hard disk is locked, or your system is locked down and you can’t get to your presentation. What can you do? With us, we only secure your data, not your entire machine, and our software would allow you to use your computer as you always would. Using HSDV, you could even have a copy of your presentation in My Documents and never be affected by any data security software, which would be nearly impossible, since we only secure and “store” your files, not your entire hard disk! FYI, we run under AES 256 or 3DES FIPS 140-2 while meeting Top Secret encryption standards.

    But, I must say that, in your article, you certainly did make the salient points on where the data security problem is today. It is more than locking down your entire system and just complying with SOX, GLBA, HIPAA, etc, it is the actual protection of data requirements that brought about this legislation. Data security should not be difficult, expensive or a drag on your system. But, not complying has become quite expensive, if you do have a breach or lose your laptop without any data security in place.

    Dick

    “Policy Driven & Managed Data Security”
    Hypersecurity LLC
    Richard Norick
    President/EVP Sales
    rnorick@hypersecurityllc.com
    tel: 408.629.0564
    http://www.hypersecurityllc.com