A chilling story in the Wall Street Journal’s Digits Blog yesterday told us that LinkedIn, Netflix and Foursquare “stored various forms of users’ personal data in plain text on a mobile device, putting sensitive information at risk to computer criminals.”
As if to confirm worst-case scenarios, Citibank then revealed that hackers have accessed the accounts of some 200,000 credit card customers in North America.
Even with a rash of data breaches, encryption is the part of computer security we tend to forget about. We increasingly know that social networking can let too many strangers into our lives and that we should think twice before entrusting anyone with sensitive financial information.
But how many of us encrypt data on our computers? It’s so easy to do, and I would argue that it should become best practice for professionals everywhere. Our firm does it, so that if our computers were ever stolen, thieves would find nothing but encrypted garbage where case files should be. We like the free, open-source TrueCrypt program, available here. Other alternatives are available but at a cost.
But what about email? There is plenty of evidence that a deleted email can stick around in many forms on your computer or server even after you hit “delete,” but few think about the dozen servers between your office and the server of the person receiving your email. Both you and the recipient can do whatever you want, but your unencrypted email may be stuck (for years or decades) on multiple servers in multiple countries, all ready to be hacked.
While it’s true that hackers with enough patience and computing power can break many encryption codes, the idea is to raise the cost for criminals even to try. If you encrypt just the tiny portion of your emails carrying sensitive financial information, you direct a hacker right to your most vulnerable material. If you encrypt thousands of emails, a hacker will give up after working for hours to unveil messages that say “Happy Birthday!” or “Tks, will do.”
Yesterday the U.S. Commerce Department issued its green paper on cybersecurity, but stopped short of recommending encryption of emails. It strikes us that for certain highly sensitive matters encryption of email is worth the trouble. There can be problems with forwarding, and in many cases it makes sense for both sides to have an encryption program. Otherwise, you need to keep the same string of messages going for a non-licensee to benefit from the encryption-licensee’s program.
At the very least, we should all make sure our email accounts have their own passwords. That way if someone looks at your desktop computer at work, your Microsoft Outlook can at least stay locked. Password protection for Outlook can be arranged by setting a password for your Personal Folders File (.pst) within Outlook. You can do this on the File menu under Data File Management.