On the heels of this recent story out of the UK about the government losing 25 million citizens’ personal data, IT security guru Bruce Schneier provides his tips on securing your laptop, especially critical for those us with client data on our drives:
Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.
Strong passwords are the first step to protecting your firm’s and your clients’ information assets. Assigning a strong password using a combination of lower and uppercase letters, numbers and special characters is far more important than changing your password frequently. It has been my experience, however, that strong passwords just aren’t being enforced as well as they should be.
There are several whole-disk encryption products on the market. […] The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.
I love the idea of simplying this process in the way described above. Making it easy for non-technical users to implement security measures makes it more likely they will get implemented effectively. And being able to tell your manager or the partner that the client data has not been compromised would help me sleep at night.
Bruce also mentions that the product he uses can encrypt USB drives, which are an essential tool for the modern auditor. I keep mine secure by wiping data from it immediately after transferring to the laptop, but that may not always be immediately possible.
Whole-disk encryption means that anyone at your computer has access to everything. […] I recommend a two-tier encryption strategy. Encrypt anything you don’t need access to regularly — archived documents, old e-mail, whatever — separately, with a different password.
This is a sound strategy for older files, although I prefer his final point:
Minimize the amount of data on your laptop. Do you really need 10 years of old e-mails [sic]? Does everyone in the company really need to carry around the entire customer database?
This is a better strategy for me as an auditor. The only files I need on my laptop is the client I’m working on at the moment. That audit that wrapped up last week? It’s on the network, where security isn’t my responsibility! As for email, I try to clear out old stuff annually to keep the hard drive usage up but also to remove potentially sensitive information.
Follow those simple tips and your portable client, employer and personal data will have a much greater chance of remaining out of the wrong hands.