[BreachExchange] Tools for protecting your clients’ information are all around you
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Mar 31 20:31:11 EDT 2016
http://www.accountingtoday.com/news/accounting-technology/simple-steps-to-data-security-77633-1.html
With all the stories in the news lately about data breaches, are your
clients calling you with concerns over their data? Even if they aren’t, it
should be an area you address, especially with the growing specter of
identity theft.
While we may store client files on encrypted drives or up in the cloud
where the are hopefully difficult for unauthorized people to get at, few of
us give much thought to other areas of vulnerability such as client portals
or even e-mails. With auto-fill widely enabled on e-mail accounts, it’s
almost a sure bet that at some point you either have sent or will
unintentionally send correspondence meant for one client to another with
the same first name.
And e-mail is a concern. Much of a client’s sensitive data, including their
Social Security number and other information that can lead to identity
theft, is often sent to you via e-mail. And, in the opposite direction, how
frequently do you return a document, such as a tax return in PDF format,
via e-mail? Even if a client uploads and downloads their files to and from
a client portal that you maintain especially for that purpose, a file,
document, or e-mail in plain text, regardless of the file extension, is
vulnerable.
In many cases, the answer to securing the information is either
password-locking an individual document, or encrypting a file or e-mail.
Fortunately, neither of those things is particularly difficult to do.
SIMPLE THINGS FIRST
If you have documents on a portal for your clients to download, it’s likely
that those documents can be password-protected. Documents created with
Microsoft Office applications, including Word and Excel, as well as some
Adobe PDF documents, are easily password-secured.
With an Office file, under the File menu, select the “Info” tab. This will
display three buttons. The top of the three is labeled “Protect Document,”
and if you click on the button, you are presented with several more
choices. Select “Encrypt with Password” and a screen will come up asking
you for the password to use in encrypting the document. The screen also
advises you to keep a list of passwords, since once the document has been
encrypted, it can’t be decrypted without the proper password.
Of course, you can have the client e-mail you the password to use, which
increases the security a bit. Just don’t have them hit “Reply” when you ask
them for a password. A better way to handle it is for them to just enter
the password they want you to use for encryption in the header of a
separate e-mail, or to text it to you.
Unfortunately, encrypting a PDF isn’t always as easy. You can’t do it with
Adobe Reader, but it is easy if you have Adobe Acrobat. Under Acrobat’s
File menu, there’s a selection labeled “Properties.” Clicking on this gives
you a tabbed “Document Properties” folder. The second tab on this is
labeled “Security,” and when you select this tab you’ll see a Security
Method dropdown. Select “Password Security” and you’ll be asked for a
password to encrypt and decrypt the PDF.
Other PDF applications may or may not have their own security methods. For
example, Nuance PaperPort Professional 14 has a lock icon that applies
password protection to a selected document, though other versions of
PaperPort, such as the ones you often receive with the purchase of a
multi-function printer, don’t provide this feature.
Apple’s Mac OS also allows you to password-protect a PDF. Using the Preview
utility, right-click and choose File, Export, and Encrypt, and you will be
asked to select a password.
DIVING DEEPER
Document encryption is a good technique to use when you have a client
portal and wish to protect individual files. There are several other
scenarios where security is useful or possibly necessary. These are when
there are large amounts of data that have to be secured, or when e-mails
are sensitive.
Various versions of Windows have a built-in disk encryption feature called
BitLocker, which encrypts an entire drive. There are also utilities that
you can purchase, or open-source utilities, such as VeraCrypt and
TrueCrypt, that can be downloaded for free, that do a similar job of
encryption. You can also purchase self-encrypting drives where the drive’s
onboard controller encrypts and decrypts the drive’s contents in real-time.
These are available from drive manufacturers such as Seagate.
Encrypting entire drives isn’t always a great idea, since if the disk
controller that does the encrypting and decrypting fails, the data is
almost always unrecoverable. If you do have a huge volume of client files
that you need to deliver securely, consider an external hard drive or thumb
drive with encryption capability. Apricorn is just one vendor of these, and
they make both hard drive and thumb drive versions. Both have a keypad
where you can enter a numeric encryption password to encode the data you
are writing onto the drive. The client then enters the same password to
read the drive and transfers the files onto their own media. This approach
works best when it’s used sparingly, since the device itself has to be
physically delivered to the client either in person or by a delivery
service.
Encrypting an entire drive isn’t your only option. You can encrypt, rather
than password-protect, individual files as well. AxCrypt is an easy-to-use
file encryption utility, and 7Zip, which is a file archive utility similar
to WinZip, has an option to encrypt files as well as archive them.
You can also use a service to transfer files securely. Symantec and other
vendors offer secure e-mail and file transmission services. Another secure
method for transferring individual or multiple files is Dropbox. While it
appears that Dropbox operates in clear text mode, it is actually encrypting
the files you are uploading and those your client is downloading through an
encrypted SSL/TLS (Secure Socket Layer/ Transport Layer Security) tunnel
using 128-bit encryption. This is indicated by the URL showing HTTPS rather
than just HTTP.
The files and folders themselves are stored by Dropbox in encrypted format
using 256-bit AES encryption. You can add additional security to your
Dropbox account by setting up (and having your client set up) dual-factor
sign-ins. You’ve seen these before. They use a password, and then present
you with a security question like, “What is your dog’s middle name?”
THE INFO IS IN THE E-MAIL
E-mail is another big security problem, since e-mails back and forth to and
from your clients frequently contain sensitive material. This vulnerability
extends to your portable devices as well. In fact, mobile devices such as
smartphones and tablets present even more of a threat to security than
desktop computers, as they are more likely to be lost or stolen.
Step one is, if at all possible, to delete any e-mails that contain
sensitive information as soon as possible. Then make sure to manage your
e-mails — use secure storage and delete any old e-mails that might contain
confidential, sensitive or client information. You might also consider
services like Symantec’s Enterprise Vault that offer storage of your
e-mails and which address both security and compliance concerns.
Encrypting your (and your clients’) e-mails is another approach. There are
add-in extensions to most mail clients that incorporate PGP (Pretty Good
Privacy) and other public key encryption. Using public key encryption means
that you have a public key (a combination of numbers and letters) that you
give to your clients for them to use in encrypting their communications to
you, and a private key which you apply against the encrypted communication
to decode it.
Using public key encryption isn’t hard, but getting started and set up for
it is more complicated than can be covered here. For example, Outlook has
an encryption option built in. But before you can use it, you and your
clients need to obtain digital certificates that contain a generated public
key. There are organizations that provide this as a service. Then, before
you can use this encryption approach, you and your clients need to exchange
a digitally signed message, which enables each of you to add the other
person’s certificate to your contacts. Once you and your clients have
shared certificates, sending and viewing encrypted e-mail messages is the
same as with any other e-mail message.
In reality, it’s easier for most users to use password-protected or
encrypted documents or files containing the sensitive data. That way, the
message header can be in plain text with the body of the message in plain
text as well, such as, “Here is the data you supplied for your tax return.
Please examine it for accuracy and let me know of any changes.” Then put
the actual data in a Word or PDF document, password-protect or encrypt it,
and attach it to the e-mail. That way, if the e-mail is intercepted or
winds up in the wrong hands, the actual data is unreadable without knowing
the password.
And don’t forget the most obvious — auto-fill. Take a moment to verify that
the e-mail you’re sending is actually addressed to the right recipient.
Even if e-mail auto-fill failure hasn’t happened to you yet, it’s an almost
certainty that it will at some point in the future. If at all possible,
it’s a good idea to turn this feature off if your e-mail client allows you
to do so.
THE LAST WORD — SEPARATION
One mistake that users of password protection or encryption often make is
to send the password or encryption key in a separate e-mail. According to
Steven Ursillo, CPA, CITP, co-chair of the IMTA’s cybersecurity task force,
this is likely a mistake. If someone can intercept the e-mail containing
the encrypted document or encrypted e-mail, they can also intercept the
e-mail containing the password or decryption key, both of which are almost
always sent in plain text.
Ursillo recommends what he describes as dual-band transmission. If you’re
sending a document or e-mail that needs an encryption key, send these by
whatever e-mail client or service you use. Then, use a completely different
method of transmitting the password or key. This can be in the form of a
text message to your client’s cell phone, or even something as simple as
calling them and reading off the password or key. Having both methods of
transmission monitored or intercepted is highly unlikely.
IS ENOUGH, ENOUGH?
Just how far you go in implementing a secure way of protecting your
clients’ files is going to depend on how sensitive those files are, and how
far both you and the client are willing to go to carry out that protection.
Just as with physical security incorporating alarms, electronic door locks
and security cameras, there is no such thing as perfect security. The final
objective of any security system, whether it’s as simple as physically
sitting down with the client and passing them an envelope with their
documents, or springing for a security appliance or online secure
transmission service, is to make it difficult enough for someone to break
the security that they don’t bother trying.
Exactly how much is enough is something that you and your firm’s clients
are going to have to work out. Once you’ve come to an agreement or
understanding, implementing the approach should be the simplest part of the
process.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160331/8f3f0070/attachment-0001.html>
More information about the BreachExchange
mailing list