How To Protect Your Precious PC Data

Data security has been in the news a lot lately, as a result of some high-profile corporate losses and thefts of laptops, USB flash drives and other data storage equipment. As more users rely on laptops for their main computers, the chances increase that more PCs will be lost, stolen, or damaged. And this means that the potential for data loss or abuse is high and continues to grow.

Actually, even desktops aren't safe. As PCs get smaller and more powerful, their hard drives can be used to store large databases on them -- information that makes them potential targets for theft. "All the big guys in financial services have been investing heavily in disk encryption for laptops, desktops, and portable devices," says Ralph Figueiredo, a sales manager with Aurora Enterprises and a data security consultant. "They are worried about internal theft of systems from their offices as well." One of his clients in Southern California recently had the CEO's desktop PC stolen from the office, complete with personnel and project records. Two weeks later, disk encryption was deployed on all of the managers' PCs and policies were set up for encrypting USB flash drives.

Clearly, stealing only the CEO's desktop points to an inside theft, but that doesn't change the fact that now is the time for IT managers to protect their corporate PC data. Ideally, this protection should be part of a comprehensive security strategy that includes traditional perimeter defenses such as firewalls and antivirus tools. "Corporations can be tighter than Fort Knox with their firewalls, but [they] don't consider how easy it is for someone to walk into their office, lift a machine, and walk out the front door," said Figueiredo.

Fortunately, there are a wide array of encryption and security tools that can mitigate this potential disaster, including some free or low-cost solutions.

A recent CSI/FBI survey of IT administrators has found that 46% of the respondents had to deal with stolen laptops in 2006, with the average loss over the year increasing from $19,562 per respondent in 2005 to $30,057 per respondent in 2006.Growing Problem

"Just about everyone that we speak to these days knows about a stolen laptop situation personally," Figueiredo says. "It certainly is more prevalent when compared to two years ago." It also is easy to find news reports that are filled with reports of stolen laptops or missing USB flash drives with sensitive data.

In 2006, a few of the many incidents of laptop theft resulted in the release of personal information from more than 540,000 N.Y. state workers>, 4,600 ROTC scholarship applicants, 13,000 Washington, D.C., ING retirement plan participants, 2,500 Equifax employees, 196,000 HP employees in a Fidelity benefit and defined contribution plan, and 17,000 patients of Mount St. Mary's Hospital in Buffalo, N.Y. An average of nearly one incident of data theft is added each day to the Attrition.org database that keeps track of such events.

In perhaps the most notorious case last year, the U.S. Veterans Administration lost a USB hard drive and a laptop with more than 26 million records. Fortunately it was recovered, apparently without any data having been accessed.

Some companies are repeat offenders. Boeing Corp. has had three notable laptop losses over the past several years, with each machine carrying critical personal information. This happened despite a corporate policy to not place sensitive information on a laptop without some form of encryption. The last loss caused the employee to lose more than his data; he was fired for violating company policy.Protecting Mobile Drives

The easiest solution is to not leave any personal information on any mobile device or USB disk, says privacy expert Robert Ellis Smith. "I am surprised that so many organizations are so permissive about allowing personal data on mobile media. It should be the exception rather the rule. It seems fairly obvious to me, whether or not you have an IT staff." Smith maintains his own "laptop hall of shame" list about the most egregious incidents over the past year:

Smith takes privacy so seriously that, if he owned a laptop, he says, "I wouldn't put personal data on it or any other mobile media. Projects that involve this sort of data should be done in the office and not in a hotel room."

Apart from enforcing this ban on personal mobile data, there are several alternatives that corporate IT managers can take. One involves physical security devices, sold by Kensington and other companies, that lock the laptop or desktop to something more difficult to remove. Every PC sold for the last decade has a receptacle that fits these devices and, while it's possible to cut the cable or damage the case to remove the PC, at least it keeps the most opportunistic thieves from temptation.

"Most of the time the thief is only interested in the computer, not its data," says Smith. "They just want to fence the hardware."But that just takes care of the physical security of the PC itself. There are several choices to protect the actual files themselves.

One alternative is to store all data on a U3 smart drive, an emerging standard for USB flash drives that includes built-in password protection. The drives come with a variety of software that can replicate many things from a user's desktop (provided the user is running Windows, because the U3 programs don't run on Macs), and include password protection for the entire drive's contents. For example, Sandisk makes U3 models of varying sizes under the brand Cruzer Titanium.

Another choice is one of the USB drives that have built-in fingerprint scanners, made by Index Security and other vendors. However, the fingerprint scanners are somewhat temperamental and cumbersome to use. A better choice would be to enable the fingerprint scanners that are built into newer laptops from Lenovo and other manufacturers. Users can tie all of their Web site passwords and network logins to their fingerprint, although the software is somewhat difficult to set up.

The problem with both the freeware utilities and the U3 USB drives is that they both use a simple password to protect the data, and, if someone wants that data badly enough, these passwords can be broken. "Anything you get for free is easy to crack," says Figueiredo.

An alternative is a service that Smith calls "auto destruct." If a laptop is lost or stolen, a special code is sent over the Internet which causes the data to be copied to a secure location of the user's choosing, and then obliterated from the PC. These solutions communicate over the Internet through software running in the background on the laptop, so the PC has to be online after it is stolen for this service to work. Several vendors offer these services, including MyLaptopGPS, ZTrace and CyberAngel Security. Vericept and also Computrace offer more complex tracking and protection schemes.Another option is to examine one of the newer disk drives that include built-in encryption devices. These drives, which have been announced by Seagate, Hitachi, and others, should be shipping by late spring. They will only work in the desktop or laptop that they are paired with and can't be read in another PC.

Encrypting Mobile Data

All of these methods have their weaknesses. A much better alternative is to use the strongest security mechanisms around -- such as the PGP public key encryption tools -- to secure the files to begin with, so that if a laptop or desktop is stolen the files can't be read by anyone else. However, encryption will take some effort on the part of an IT staff to support.

One way to start is by using the free version of PGPdisk or Another problem with many of the free products is that the extra steps needed to encrypt the files are a hassle. And the more work involved to maintain the encryption, the less likely users will stick with it over time. Eventually users take the path of least resistance and just save their files without any encryption, as Boeing is now painfully aware. Plus, the freeware PGPdisk product is back several versions in terms of features, compared with the current commercial version 9.5.

The most secure and easiest-to-use method is to purchase the most current version of PGP Whole Disk Encryption or PGP Desktop. Neither is very expensive: the Whole Disk product starts at $49 for an annual subscription and Desktop starts at $79 for professionals. The nice thing about both products is that they are available for both Windows and Mac users -- most of their competition just runs on Windows. Another plus over the freeware PGP products is that the commercial product can integrate with Windows logins, so the user doesn't have to do any additional steps to access their data.

"Once PGP Desktop is set up by our IT people, the users don't have to do anything. It can copy their network login credentials and use them as the encryption password, so end users don't have any extra steps to encrypt and decrypt their drives, nor do they have to remember yet another password. It loads before the operating system loads, so it is pretty child-proof," says Figueiredo.

The Desktop product has a bunch of useful tools in it, such as the ability to encrypt an entire hard disk or only removable media like USB flash drives. PGP Desktop also will encrypt AOL Instant Messenger conversations and e-mail messages.

Another advantage for using the commercial PGP products is that they offer a full range of products. "PGP is an industry standard, has a great name, and has been around for over 10 years. They also have a comprehensive range of products when it comes to encryption that allows for a wide variety of offerings for laptops, PDAs, e-mail, file servers, and FTP, and they support various platforms. You can buy whole disk encryption today and just buy add-on modules for e-mail encryption and the other solutions when the need arises. IT administrators at our clients' sites need to be trained only once, on one platform," says Figueiredo.Don't Wait For A Problem

With all of the various methods available to corporate IT staff, there's no time like the present to start protecting data with at least one of the solutions mentioned, rather than waiting for a situation to force their hands. "Privacy and data protection have always been an afterthought, causing expensive retrofitting later," Smith says. "But with enough bad publicity and court litigation, maybe corporations will stand up and take notice and start taking this issue seriously."

This story was updated Feb. 12.