For many people, the word “encryption” invokes images of spies, clandestine operations and World War II, or NSA code breakers feverishly working to decipher enemy messages. Actually, encryption is a priceless security tool that any business can easily use to keep sensitive information confidential and safe from prying eyes.

Unfortunately, many businesses fail to take advantage of encryption technology, fearing that it’s ‘too complex’ and ‘difficult to use’ on a routine basis. In reality, encrypting vital data isn’t much more difficult than running a virus scanner or a data-backup program. Here’s how to get started.

The Basics

There are two basic ways to encrypt data. One approach is to use asymmetric PKI (public-key infrastructure) encryption. PKI cryptography is based on a pair of cryptographic keys: One is private and known only to the user, while the other is public and known to the opposite party in any exchange.

PKI technology provides privacy and confidentiality, access control, proof of document transmission, and document archiving and retrieval support. While most security vendors currently incorporate some type of PKI technology into their software, differences in design and implementation prevent interoperability between products.

The other method of encrypting data is symmetric key protection, also known as “secret-key” encryption. Generally speedier yet less secure than PKI, symmetric encryption uses the same key to both encrypt and decrypt messages. Symmetric technology works best when key distribution is restricted to a limited number of trusted individuals. Since symmetric encryption can be fairly easy to break, it’s primarily used for safeguarding relatively unimportant information or material that only has to be protected for a short period of time.

Applying Encryption

The easiest way to use encryption is to purchase a business application or a hardware product that incorporates some form of encryption technology. Microsoft’s Outlook or Outlook Express email client, for example, provides built-in encryption support. Meanwhile, vendors such as Seagate Technology LLC and Hitachi Ltd. have started incorporating encryption technology into their hard drives.

Since most software applications and hardware products don’t include any type of internal encryption technology, business owners and managers need to look for stand-alone encryption products. This can be a confusing process, one that’s best approached by first determining the business’s precise security requirements, then finding an encryption product that fits each need.

Microsoft Vista Enterprise and Ultimate users can take advantage of BitLocker Drive Encryption, a full disk tool that offers powerful 1024-bit encryption. Another Windows offering is EFS (Encrypting File System), which uses symmetrical PKI technology to provide file encryption.

Beyond Microsoft, leading encryption vendors and products include PGP, free – open-source TrueCrypt, DESlock+, Namo FileLock and T3 Basic Security.

What to Encypt

So how do you know what to encrypt? Here are some places to start:

• Hard Drives: A business may choose to encrypt entire hard drives as a way to reduce or eliminate data theft.
• Individual Files: In cases where full disk encryption is overkill, file-by-file encryption provides added security on an “as-needed” basis. Many leading encryption products offer drag-and-drop encryption capabilities.
• Laptops: Unlike office systems, laptops are easy to lose and are prone to casual theft. By ensuring that the system’s data content is unreadable, a business can limit its loss to the cost of the laptop. A growing number of government regulators and insurance companies are demanding that businesses encrypt any data that leaves their premises and over 5000 Laptops were left in the back of a taxi cab last year.
• Removable Media: Memory sticks, thumb drives and similar portable storage technologies provide portability, convenience, and an opportunity for data loss and theft. As with laptops, encryption limits a business’s loss to the cost of the device itself. A growing number of removable-media devices come with built-in encryption support.
• File Transfers: Sending files over unsecured wired or wireless links can expose sensitive information to data thieves. Encryption provides an additional layer of security, even when a secured network is used.
• Email: Encrypted email is kept secure during the transmission process and while sitting in its recipient’s mailbox.
• IM (Instant Messaging): A growing number of businesses are using IM to swap confidential business information. Encryption helps secure these critical transmissions.

Encryption’s Limitations

Like any technology, encryption software isn’t perfect. Even the best products consume both processor speed and storage space. Users can also lose or forget passwords, thereby potentially locking systems forever.

Before purchasing any encryption tool, carefully research the product. Make sure that the offering addresses your company’s needs, is compatible with your systems and has a good track record concerning reliability and support. If possible, check with your friends and colleagues for their opinions on various encryption tools.

Lastly, if you do use any of the products available for encryption, including Windows EFS, please remember to backup and store your public and private keys. If not, you will probably lose your data.

Data theft is, quite simply, the unauthorised copying or removal of confidential information from a business or other large enterprise. It can take the form of ID-related theft (the theft of customer records) or the theft of a company’s proprietary information or intellectual property.

ID Data Theft

ID-related data theft occurs when customer records are stolen or illegally copied. The information stolen typically includes customers’ names, addresses, phone numbers, usernames, passwords and PINs, account and credit card numbers, and, in some instances, Social Security numbers. When transmitted or sold to lower-level criminals, this information can be used to commit all manner of identity fraud.

A single data theft can affect large numbers of individual victims. There are many examples to cite.

Let’s start here in England. In January, 2008, two laptop PCs were stolen from Brent’s Central Middlesex Hospital. Each laptop contained hundreds of confidential patient records. Not a large theft (389 records in all), but one particularly disconcerting to the patients whose personal data were compromised.

Then there was the case of the Wilkes-Barre driver’s license centre in Hanover, PA, which was broken into in late November, 2006. In addition to assorted office supplies and materials, the thief got away with a computer containing driver’s license information for more than 11,000 citizens.

Not even those companies charged with keeping our data safe are immune from data theft. For example, ChoicePoint, Inc., is a company that collects personal and financial information on millions of computers. In February, 2005, ChoicePoint reported that it had suffered a security breach and inadvertently sold personal information on 145,000 people to a criminal enterprise. Oops!

A much larger theft occurred in October, 2007, when the financial institution GE Money discovered that a computer tape containing information on 650,000 J.C. Penney customers had gone missing. Although not yet officially confirmed as a theft (it was just “missing”), the tape in question included more than 150,000 Social Security numbers.

Retailers store a lot of valuable data about their customers, which makes them a prime target of data thieves. Thus the story of shoe retailer DSW, which in June, 2005, had 1.4 million customer records stolen. Among those customers affected was then-FTC chairwoman Deborah Platt Majoras—a nice little irony for those that care.

Of course, data theft isn’t limited to the retail sector. Witness the U.S. Department of Veterans Affairs, which had the home of one of its employees burglarized in May of 2006. Stolen in the burglary was a laptop computer and external disk drive that contained the Social Security numbers of about 26.5 million veterans. That was a big breach—but the story has a happy ending. Thanks to some excellent police work, the hard drive was eventually recovered; it was later determined that the sensitive data had not been accessed.

An even bigger breach was the June, 2005, “security incident” reported by Atlanta-based payment processor CardSystems Solutions. The company handles payments for all the major credit cards, including MasterCard, Visa, American Express, and Discover. Intruders used malicious software code to breach the company’s systems, exposing more than 40 million credit card accounts to potential fraud. Fortunately, only about 200,000 of these accounts were found to be actually stolen, but the FBI was still called in to investigate.

But all these incidents pale compared to the largest reported case of data theft on record. In December, 2006, the TJX Companies (parent to T.J. Maxx, Marshalls, and other retailers) reported a massive computer breach on that part of its network that handles credit card, debit card, check, and merchandise transactions. It appears that hackers made off with more than 94 million records from customers in the U.S. and abroad.

Take a look at that last case again. A single data theft compromised the identities of an estimated 94 million individuals. That’s just an incredible number—and indicative of the impact of this type of computer crime.

NOTE: For what it’s worth, TJX disputes the 94 million number, which comes from a group of banks suing the company over the breach. The company says that only 45.7 million records were stolen—which is still a very big deal.

Non-ID Data Theft

Customers’ records aren’t the only kind of data that can be stolen from a large organization. Companies of all sorts are hosts to various types of confidential information; this information, if accessed by a competitor, could often lead to a diminishment of the company’s position in the marketplace.

Non-ID data theft occurs when an employee makes one or more copies of a company’s confidential information, and then uses that information either for his own personal use or transmits that information to a competitor for the competitor’s use. However it’s done, this is a theft of the business’ intellectual property, every bit as harmful as a theft of money or equipment.

What kind of information are we talking about? A company’s confidential information includes its employee records, contracts with other firms, financial reports, marketing plans, new product specifications, and so on. Imagine you’re a competitor who gets hold of a company’s plans for an upcoming product launch; with knowledge beforehand, you can create your own counter-launch to blunt the impact of the other company’s new product. A little inside information can be extremely valuable—and damaging for the company from which it was stolen.

NOTE: One notable example of non-ID theft occurred in 2006, when three Coca-Cola employees attempted to steal the secret formula for Coke. They tried to sell the trade secret to rival PepsiCo; unfortunately for them, Pepsi contacted Coca-Cola management, who alerted the FBI. The Feds used this information to conduct a sting operation that landed all three culprits in the big house.