Physical Information Security
Both large companies and individuals pay significant sums every year to protect their electronic data: installing antivirus software, hiring identity protection services, and buying hardware designed to be as secure as possible. Individuals, however, tend to spend far less time, money, and effort on physical security.
The safe storage, organization, and disposal of vital documents should be part of any individual’s credit and identity protection strategy. Large companies follow a number of protocols meant to secure physical documents, from shredding to simply locking doors. Most of these measures are possible for the individual who wants to secure their own important documents, though very few people go through the relatively painless process of doing so.
Complete Document Disposal
Common sense dictates that documents containing obviously valuable information should be shredded: bank and credit card statements, tax records, cancelled checks, and the like. More innocuous documents deserve the same fate, among them credit card offers, utility bills, phone records, and old medical records. Each carries an account number, an address, or a date of birth, and once a thief has the one vital piece, your Social Security number, practically every piece of mail you receive becomes raw material for fraud in your name.
(Up until not very long ago, many organizations, including universities, utility companies, and even states issuing driver's licenses, were still using people's Social Security numbers as their ID numbers within that organization. Luckily this practice has largely ended, but it is worth checking your various ID and account numbers to make sure that none of those old Social Security-based numbers survived.)
As such, shredding all discarded mail is a good habit to get into. You won't miss anything, and it's all headed to the same place anyway. Shredders cost from $25 up to nearly $3,000, but for home use a cross-cut shredder costing under $100 will do the job. Avoid strip-cut shredders, which only cut paper into long strips that are easy to reassemble; cross-cut and micro-cut models produce small particles that are far harder to piece together. Put every piece of unwanted mail through the shredder immediately rather than letting it pile up. Keep in mind that shredding only protects what you throw away; collect your mail promptly, since a thief can also take it from the mailbox before you ever see it.
Complete Document Storage
Storing valuable documents involves more than protecting them from thieves. There is a long list of reasons to keep your most important documents, such as birth and marriage certificates, Social Security cards, and car titles, locked down: fire, flood, or any other disaster can mean a complete loss. A safe is the best option for these documents and for valuables, provided it carries a fire rating suitable for paper and is bolted to the structure so that a burglar cannot simply carry it off.
However, as most safes are fairly small, you will probably need additional document storage. Lockable filing cabinets fit the bill nicely and come in a variety of shapes and sizes depending on the space available. Their small locks are enough to deter casual snooping, though not a determined thief with a pry bar, so the documents that would be hardest to replace belong in the safe. If you want additional security, you can borrow a measure that larger companies use and layer the locks: a locked cabinet inside a locked room with only one key, for example.
Such extra measures should only be necessary if you keep a significant number of important documents at home, for example when a small business holds client data in your office alongside your own records. For most people, a safe bolted to the home, a locked filing cabinet, and a decent shredder for unwanted documents cover the physical security bases.
Business Data: Higher Stakes Protection
Businesses, even the smallest ones, keep a wealth of sensitive data on hand. If having one Social Security number stolen is bad, how bad is it to have every employee who works for you, or has ever worked for you, compromised? Or the banking information of every customer you have ever served? Such a scenario is incredibly damaging for a large company, and for a small one it could mean the end of operations.
Identifying the Risks
Small businesses must practice not just identity protection but data protection, a much more comprehensive activity that involves many of the same measures. Businesses face all the same problems individuals do when protecting vital information, plus an important additional factor: employees with access. Whenever a business has any employees at all, they almost certainly have access to data, often at multiple points (laptops, office computers, paper files, and so on).
Before writing any data protection strategy, inventory the data you have; once you know where it is, you can secure those locations. Identify every computer, portable drive, disc, cell phone, and physical file, along with what data resides in each. Then pinpoint which employees have access at each point. Does the sales team keep customer data on their BlackBerries? Do you keep old customer files in a storage facility whose keys hang on a hook over your desk?
Done correctly, this task is time-consuming and difficult. You need to identify every access point, who has access at each one, and what steps are needed to protect the information there. Once it is done you know exactly what you are protecting and from whom. Keep the inventory current as equipment, staff, and data change; an inventory that is six months old describes the business you used to have.
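Finding where sensitive data actually lives is the hard part of the inventory, and the easiest mistake is to list only the files people remember. The following added example (not from the original article) shows one way to start: a small scan that walks a folder tree and flags files containing Social Security numbers or payment card numbers, using the Luhn checksum to discard strings of digits that merely look like card numbers. The sample folder and its contents are constructed for the demonstration; a real scan would also need to open spreadsheets, PDFs, and mailboxes, and the patterns here are deliberately simple.

```python
import re
import tempfile
from pathlib import Path

# Patterns for the two identifiers the article worries about most. The card
# pattern is deliberately loose; the Luhn check below removes most false hits.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (digits: string of 0-9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def findings_in_text(text):
    """Return (kind, masked value) for each SSN or Luhn-valid card number."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root):
    """Walk root and map each file holding sensitive data to what was found.
    Only masked values are kept, so the report itself is safe to circulate."""
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = findings_in_text(path.read_text(errors="ignore"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree():
    """Constructed sample files standing in for a small office's shared folder.
    The second invoice carries a number that looks like a card but fails Luhn."""
    root = Path(tempfile.mkdtemp())
    files = {
        "hr/employees.txt": "Jane Doe, hired 2019-03-01, SSN 123-45-6789\n",
        "sales/invoices.csv": "invoice,card\n1001,4111 1111 1111 1111\n"
                              "1002,1234 5678 9012 3456\n",
        "notes/readme.txt": "Call 555-123-4567 about order 2020-12345\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, hits)
```

Once you have the list of files, the next column of the inventory is who can open each one; that is a question for file permissions and physical keys, not for this script.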
Keep Your Data Lean
Once you understand where your vital data is, the next step is deciding how much of it you need. Retention requirements for employee records vary by jurisdiction and by record type, so find out what applies to you, then shred old employee files at the first legal opportunity. Customer payment data, whether credit card or banking information, is only useful until the customer pays; after that point you are putting their data and yourself at unnecessary risk. Keeping only what you need leaves less data to protect, which both lowers the cost of protecting it and narrows the set of people who need access to it.
Lock Down What You Keep
Locking the filing cabinets is important in a home setting, but it is non-negotiable in a business. Paper documents are among the most commonly compromised data in offices, usually because no effective control is in place. Security in a small business seems straightforward: store the information behind a lock, with the keys accessible to as few people as possible. The same idea applies to electronic data, since computers and accounts can be locked just as file drawers can.
It is not as simple as locking the doors, however. Employees will need to unlock them to do their jobs; the real task is making sure that things get locked again when they are finished. Requiring employees to lock or log off their computers when they step away, keeping a record of who accesses offsite storage, and a sign-out and sign-in system for sensitive files all serve this purpose, and the records they produce also tell you who had a file when something goes missing.
At root, training your employees in data protection, and conveying how important it is, will provide the best line of defense against data theft. It’s up to you to create a “culture of security” and manage your employees into living it every day.
The Centerpiece: The Plan
Every business is different, in the level of sensitive information it handles, the number of employees, and even its location. As such, every small business needs its own security plan, answering five questions: where the security points are, what data needs to be at each, how that data is protected, how it is disposed of when no longer needed, and what to do if it is compromised.
This plan can be simple or quite extensive, but whatever the case it needs to be taken seriously. It requires effort at its creation, as well as continued monitoring as the needs of the business—along with access points, volume of important data, and dozens of other factors—change. Large corporations dedicate millions of dollars and entire security departments to protecting their data. Small businesses must take their information security just as seriously.
Storing Data Properly
Data Storage: Never More Affordable
Though file sizes continue to grow, data storage has become incredibly cheap—only six years ago, cost per gigabyte of storage ran close to $150 for portable USB devices; today that cost can run under $2. Data storage is even cheaper if you buy an external hard drive, which can provide a terabyte of storage for less than $150. Mass data storage has never been more affordable, but there are still some considerations to keep in mind in regard to data security.
What is the Right Data Storage Solution for You?
It may seem like an easy decision to make, but your data storage strategy must take into account three important factors:
• Portability: How much data do I need to transfer to machines outside my own network?
• Size: How much data do I need to store, and how much will I need to store in the future?
• Accessibility: Do I need to access my data on a regular basis, or do I simply need backed-up files? Do I need to access my files remotely?
After considering these three factors, you’ll be able to make an educated decision among the many storage options available.
USB Drives: Portability and Accessibility
These drives are best for travelling professionals or students who need to bring a lot of data or programs with them, and have a computer to use at the other end of their trip. Rather than taking along a laptop, these drives hold all the data someone might need to work on the road.
Unfortunately, the maximum capacity of USB drives at the time of writing is about 256GB, which is very large for the size of the device but not enough for storing libraries of high-definition photos or video. What's more, USB drives get lost; their size makes them easy to misplace even in familiar surroundings. You can leave them plugged into borrowed machines, lose them under a stack of papers in a drawer, or simply drop them on a plane or in a taxi. For this reason, relying on a USB drive as your sole copy of any file puts it in harm's way, and anything sensitive carried on one should be encrypted, so that losing the drive means losing a device rather than the data on it.
Portable Hard Drives: The Ultimate Backup
Portable hard drives provide two appealing advantages: 1) a massive amount of storage, ideal for backing up every file in a system; and 2) a very low price. Portability is something of an issue, as carrying a separate hard drive around is not very practical, but carrying it around is not the point. A dedicated backup drive creates a secure data "crate": plug it in, back up your files, and unplug it, and that copy is out of reach of malware or a break-in affecting your main system. You can even keep very sensitive information, such as customer data or tax and financial records, exclusively on the backup drive, so that those files are exposed no longer than they have to be.
Portability is the main drawback of external drives, but it is not the only one. A fire in your office or home destroys the backup along with the original, so a drive kept in the same room is no protection against disaster, and any data kept exclusively on the removable drive needs a second copy somewhere else. Another issue is accessibility: while the drive is disconnected you cannot reach it, whether you are next door or 1,000 miles away. The temptation is then to copy more and more onto a pocket USB drive so that nothing is forgotten, which brings back the exposure problem described above.
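A backup you have never checked is a hope, not a copy. The added example below (not part of the original article) shows the check a practitioner would build around the plug-in, copy, unplug routine: record a SHA-256 digest of every original file, and after copying (or before trusting an old backup) compare the backup against that record to find files that are missing, altered, or unexpected. The folders and files are constructed inside the example; the hash comparison is the technique.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(backup_root, manifest):
    """Compare a backup against the manifest recorded from the originals.
    Returns the files the backup lacks, the files whose contents differ,
    and files present in the backup that the originals never had."""
    actual = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(
            name for name in manifest
            if name in actual and actual[name] != manifest[name]
        ),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a documents folder to a 'drive', then
    damage the copy the way a failing disk or an interrupted copy would."""
    base = Path(tempfile.mkdtemp())
    documents, drive = base / "documents", base / "drive"
    documents.mkdir()
    (documents / "taxes-2023.txt").write_text("constructed tax return\n")
    (documents / "clients.csv").write_text("name,balance\nAcme,1200\n")
    (documents / "lease.txt").write_text("constructed lease\n")
    manifest = build_manifest(documents)            # record before unplugging
    shutil.copytree(documents, drive)               # the backup itself
    (drive / "clients.csv").write_text("name,bal")  # truncated copy
    (drive / "taxes-2023.txt").unlink()             # file never made it
    return verify_backup(drive, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the originals rather than only on the drive, so that a drive that fails or is swapped cannot also take the record you would verify it against.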
Online Data Storage: Low Cost, High Convenience
Online data storage services provide disk space to users who want to keep their files on the provider's servers and reach them over the Internet from anywhere. The cost is quite low; many services offer unlimited storage for less than $10 per month, often far less. Access to your files is controlled by your account password, and you can share them by creating additional user accounts. Keep in mind that the provider can read anything you upload unless you encrypt it before it leaves your machine, and that the account password is now the only thing between an attacker and every file you have stored, so it deserves the strongest password you have.
Online data storage is probably the best option for combining access, portability, and size (most services provide unlimited storage for a flat monthly or annual fee). The time needed to put all your data online depends on the speed of your Internet connection; a slow connection means a lot of time spent uploading files. Once they are there, however, you can reach them from any other computer, anywhere.
If you have a little time to spare for the uploading, transferring files to an Internet-based storage service is an easy, inexpensive way to both store data and provide access to it anywhere in the world. It also makes travel easier, as packing your storage device becomes irrelevant.
Malicious Software Protection
From Prank to Profit: Malware Evolves
The earliest computer viruses were conceived as digital vandalism in the mid-1980s. Hackers and programmers in search of an audience would create malicious programs (malware) to show off, or simply to alleviate boredom. As time went on and more economic activity moved online, malware experienced an explosive evolution from potentially destructive nuisances, designed simply to inflict damage, into tools of economic theft or malicious, “forced” advertising, in the hands of criminals.
This latter-day malware is extremely dangerous from a data protection point of view; before the afflicted user even knows what is happening, a malware program can steal vital information in any number of ways:
• Waiting for you to visit legitimate Web sites, then presenting an imitation of those sites to capture the information you enter
• Stealing online gaming credentials, then using them to reach the more valuable information held in those accounts
• Recording passwords and credit card numbers with keyloggers, which relay your keystrokes to a remote operator
Spyware and adware, programs that report on your browsing or inject advertising into your computer without permission, are not as dangerous as the malware above, but they cause problems of their own: slowing down your system and subjecting you to advertising you do not want, including adult Web sites or other inappropriate content.
What Makes Your Computer Vulnerable?
A number of factors increase your vulnerability to malware.
• Running one of the widely used operating systems, whether Windows, Apple OS, UNIX, or Linux, makes you a target simply because attackers write malware for the platforms with the most users. The major Web browsers and their plug-ins are singled out for the same reason, and because they process untrusted content from every site you visit.
• Leaving computers online 24 hours a day gives anyone probing your system more time to find a way in.
• Leaving a wireless network open, with no encryption or password, gives anyone in range access to the computers on it.
• Running outdated protection software leaves your system open to newer malware written specifically to get past older countermeasures.
Some of these vulnerabilities are easy to address, while others require major changes to your computer system. You can, for example, keep your browser patched or take your computer offline when you are not using it. Other changes, like switching operating systems, might be too disruptive and result in costly (in both time and money) conversions.
The good news is that even if you’d like to continue using your current setup, there are a multitude of anti-malware programs and countermeasures available to protect you.
Protection Programs Defined
Defensive programs are your main line of defense against malware and the people running it. They fall into a few categories and use different techniques against different threats; you need each function covered to establish adequate protection.
• Firewalls: Block unauthorized access to a network or computer while allowing authorized communication. They keep outside users from reaching private networks and fulfil a preventive function: they block connections without identifying what is behind them.
• Anti-Virus Programs: A traditional virus scanner on its own will not provide enough protection; malware built for criminal activity behaves very differently from the classic virus, which mostly sought to reproduce itself and was more a nuisance than a security threat. (In practice the distinction has largely disappeared, and most current products combine virus and broader malware detection in one package.)
• Anti-Malware Programs: These combat malware in two ways: blocking installation in real time (preventive) and detecting and removing malware already on the system (reactive). They rely on constant updates, since malware evolves daily, and they are never 100% effective, but they provide a significant defense, especially when users keep them updated and run scans regularly. Some newer programs will even track down security patches you do not yet have and install them for you.
Users as System Flaws
Unfortunately, no protective software can cover for user error. Social engineering is an attack method in which criminals manipulate people into giving up valuable information, the same way fraudulent telemarketers used to steal credit card numbers over the phone by promising vacations and other offers.
Online, the method works in much the same way: attackers send emails or set up spoofed Web sites that appear trustworthy but are traps designed to obtain vital information. The best defense is to trust no unsolicited contact. Never give out important information in response to an email, phone call, or any other contact that you did not initiate with the company in question, and reach the company through a number or address you already know rather than one supplied in the message.
Passwords: Protecting the Gates
Though good password protection is fairly easy, users are too often lackadaisical about it; they settle for six- or seven-character words pulled straight from the dictionary or from their own lives. A determined attacker only has to look at a Facebook page, or run one of the many password cracking programs available on the Internet, to get in. Password construction therefore requires some effort and creativity, and rotating the same three passwords through every online account and login just won't work: when one site is breached, every account sharing that password goes with it.
The best password is a randomly generated string of characters (12 to 15 characters is a generally accepted minimum, and longer is better) with no relation to one another. Such passwords are hard to remember, but they remain your best defense; write them down in a safe place, or keep them in a password manager, and memorize the ones you use daily. To make passwords easier to remember you can devise a personal substitution scheme, for example writing out the alphabet and assigning a random letter, number, or symbol to each original letter. Treat this as a memory aid rather than as security in itself: a fixed substitution is easily undone by anyone who learns it, and the resulting password is only as strong as its length and its unpredictability to an outsider. Done carefully, it gives you a system you can reuse to produce a different password for every account.
If you do build a password from a word, don't simply open a dictionary and pull one out. Insert numbers, capital letters, odd spelling, and symbols to add strength, and don't settle for words spelled backwards or favorite abbreviations (e.g., SCUBA, SETI). Passwords like these are cracked in seconds, and with only a little extra effort you can do far better.
Here are some examples of that technique, and the words they derive from:
aLLi5gatoR974 not alligator
blacKBerri129 not Blackberry
DIScl23osure not disclosure
These are better than the bare words, but only modestly: cracking tools apply rule sets that try every dictionary word with digits stripped, capitals lowered, and common substitutions undone, so treat examples like these as illustrations of the technique and a random string as the real goal.
Above all, stay away from Social Security numbers, children's birthdays, or other easily guessed sequences that anyone who knows you (or can get to know you quickly via a social Web site) could find out.
Once you have good passwords, write them down in a safe place, or keep them in a password manager; by all means don't store them on your computer in a file called "Passwords." Then take care not to reveal them: never send passwords in an email, and never type them on a public computer. It is easy to forget that browsers offer to remember Web IDs and passwords once they are typed in; decline that offer on any machine you do not control.
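The examples above are useful for seeing the difference between a word and a random string. The following added example (not from the original article) makes the point concrete: a small routine that applies the same mangling rules a cracking tool uses (strip added digits and symbols, undo "leet" substitutions, ignore case, allow an odd spelling, try the reversed spelling) to recover the dictionary word behind each of the three sample passwords, alongside a generator that produces uniformly random passwords from the operating system's random source and an entropy figure for comparison. The six-word list is a constructed stand-in for the multi-million-entry lists that real tools ship with.

```python
import difflib
import math
import secrets
import string

# Constructed stand-in for a cracker's word list (assumption: real lists hold
# millions of entries plus rules that undo exactly the tricks handled below).
WORDLIST = ["alligator", "blackberry", "disclosure", "password", "scuba", "seti"]

# Common substitutions that rule-based cracking reverses automatically.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def dictionary_base(candidate, cutoff=0.8):
    """Return the dictionary word a password is derived from, or None.
    Mimics a cracker's mangling rules: drop digits and symbols tacked on at
    the ends, undo leet substitutions, ignore case, strip digits inserted in
    the middle, allow a slightly odd spelling, and try the reversed word."""
    core = candidate.strip(string.digits + string.punctuation)
    variants = set()
    for form in (core, core.translate(UNLEET)):
        letters = "".join(c for c in form.lower() if c.isalpha())
        variants.update({letters, letters[::-1]})
    for variant in variants:
        match = difflib.get_close_matches(variant, WORDLIST, n=1, cutoff=cutoff)
        if match:
            return match[0]
    return None


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length=14, alphabet=ALPHABET):
    """Uniformly random password drawn from the OS CSPRNG via secrets,
    never from random.random, which is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for sample in ("aLLi5gatoR974", "blacKBerri129", "DIScl23osure"):
        print(sample, "->", dictionary_base(sample))
    pw = generate_password()
    print(pw, "->", dictionary_base(pw), f"{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
```

A dictionary word with decorations is one of a few hundred variations on a few million words, which a modern cracker covers in minutes; a 14-character string drawn uniformly from 94 symbols is one of about 2^92 possibilities, which is the difference the article is pointing at.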
Patches: Protecting the Back Door
Patches are software fixes for issues discovered over time, primarily bugs and security holes. Most users never hear of these issues, and the vendor itself is often unaware of a hole until someone exploits it against a real system. Patches come out regularly, but people often do not apply them promptly; according to Secunia, a Danish security software company, 95 out of every 100 computers are running unsafe software that requires updating.
Intelligent Patch Management
Chances are your operating system performs automatic updates, finding new patches and downloading them in the background, then applying them when you shut down and restart. It still helps to know which patches are current so you can confirm your computer is up to date, and many users defeat the automatic process by dismissing or postponing the prompt indefinitely. The bottom line: at the very least, let the automatic system work. To truly protect your system, check what patches are available and make sure you have them, for applications and browser plug-ins as well as the operating system, since those are patched on their own schedules.
Of course, keeping track of patches yourself can be difficult to manage. Luckily, there are also programs available that will monitor the many programs installed on your computer and let you know which ones are running outdated versions. Then you can download the relevant patches and keep your computer updated at all times. Along with anti-malware programs, such patch maintenance is the foundation of secure computing, and should be monitored on a regular basis.