These days, most people go to a lot of effort to protect the applications and data on their computers. They install hardware firewalls, software firewalls, anti-virus software, anti-spyware, pop-up blockers, spam filters, anonymizers, rootkit detectors — you name it; people have it. Every few days a new anti-something-that-doesn’t-have-an-anti-yet comes out and people add it to their arsenal of must-have software. Some people get so paranoid that they go overboard with the protection. Recently I met a guy who had four different anti-spyware programs on his computer, because someone told him that no anti-spyware catches all spyware. His computer was so slow that it barely crawled, but this guy was blissful in the belief that he had fortified his computer’s defenses. “Defense in depth,” he said to me, repeating a phrase he undoubtedly heard from a system administrator.
While everyone seems to be aware of online threats to their computers and data, hardly anyone seems to be bothered about protecting their data offline. I recently received a letter, for example, from my wife’s retirement fund administrator saying that a representative had lost a laptop that may have contained my wife’s personal information. It went on to reassure us that the matter may not be as serious as we might think, because:
- The laptop may just be lost as opposed to stolen, and if a good Samaritan found it, he may actually return it
- Even if it was stolen, thieves are usually interested only in the expensive hardware; they would probably wipe the disk clean and reuse the computer or cannibalize it for its parts
- Even if a really, really bad guy stole the computer, the data files were protected by
  - A password for a login account
  - Setting the hidden attribute
We don’t have to worry, it said, but should contact credit agencies, just to be safe.
I was dumbfounded. A Windows password and the hidden attribute? They must be kidding! Nobody would even need to crack anything: a login password only gates the operating system, and the hidden attribute is a display flag, so booting the laptop from a CD or USB stick, or moving the disk into another machine, reads every file directly. Any self-respecting hacker would be through this “security” in minutes. Haven’t these people heard of encryption? Pig Latin, at the very least? What kind of jokers are we trusting our nest eggs with?
Sadly, as computing gets increasingly mobile, such cases of data loss are on the rise. The only way to keep valuable data confidential when the device carrying it is lost or stolen is to encrypt it. And yet, most corporate system administrators detest encryption because they dread being held hostage by disgruntled employees who could simply encrypt critical information and walk away.
Recently, Microsoft learned this lesson the hard way. They released an outstanding utility called My Private Folder. During its installation, you have to specify a password that you will use to access it. When installed, it puts an eponymous folder on your desktop. The folder has a picture of a little lock on it. When clicked, it asks for a password. You then enter the password you specified during installation and the folder opens. From then on, it behaves like any other folder. When you are done, just lock the folder and it becomes inaccessible without the password. All the information in the folder is encrypted. The encryption is very secure and has no back door. So if you forget the password, or worse, are unwilling to divulge it, the data in the folder is gone for good. It was the last part that most system administrators did not like. There was an outcry and Microsoft removed My Private Folder from its download page. (By the way, if you are interested in the utility, it is still available for download. Just Google for “My Private Folder” and you will find the links. But, for god’s sake, don’t forget the password!)
While the objection is certainly valid, letting people walk about with sensitive, unencrypted data on their laptops is not an acceptable alternative. Small businesses typically have a less formal IT infrastructure than big companies, which makes their data even more vulnerable to prying eyes. They should seriously consider making encryption an important part of their overall data protection strategy.
There are several encryption programs on the market, in both commercial and open source (free) versions. While free versions are fine in general, you won’t get vendor support. Besides, you will have to hope that the folks who work on the product keep doing so in the future and release regular upgrades and patches. For business use, a commercial product is the preferred option. But keep in mind that there are several good, free encryption programs.
Encryption programs come with many features. Some encrypt individual files and folders, others encrypt disk partitions and even entire disks; keep in mind that folder-level encryption leaves temporary files, swap space and any copies saved elsewhere in the clear, whereas whole-disk encryption covers all of them. Some have a single password and simply warn you not to forget it. Others offer password hints, password recovery tools, and even backdoors; any recovery feature means someone other than you can open the data, so find out who holds that capability. Some offer 128-bit encryption, others are “military strength”, which is a marketing label rather than a specification, so ask for the actual algorithm and key length (AES with a 128- or 256-bit key is the usual answer). You can find one you are comfortable with. Here are some that you can check out to begin your research:
Cryptainer (http://www.cypherix.com/)
MySecureDoc (http://www.mysecuredoc.com)
TrueCrypt (http://www.truecrypt.org)
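The tension between “no back door” (My Private Folder) and “password recovery tools” (the feature list above) has a standard resolution: encrypt the data once under a random data key, then wrap that data key separately under the user’s password and under a recovery key that IT keeps off the laptop. A forgotten password costs nothing, and the recovery key never leaves the office. The script below is an added example written for this page, not code from any of the products listed. It uses only the Python standard library; since the standard library has no AES, an HMAC-SHA256 counter keystream with encrypt-then-MAC stands in for AES-GCM, and a real product would use AES. The function names, the container layout and the sample plaintext are all constructed for the example.

```python
"""Two-slot envelope encryption: one data key, wrapped under a password-derived
key and under an administrative recovery key (constructed example, stdlib only)."""
import hashlib
import hmac
import os
import struct

BLOCK = hashlib.sha256().digest_size  # keystream is produced in 32-byte blocks


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one key (domain separation)."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) per block. Stands in
    for AES here only because the standard library ships no block cipher."""
    out = bytearray()
    for i in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def password_kek(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard derivation so a stolen container resists offline guessing."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def create_container(plaintext: bytes, password: str, recovery_key: bytes) -> dict:
    """Encrypt once under a random data key; wrap that key in two independent slots."""
    dek = os.urandom(32)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "user_slot": seal(password_kek(password, salt), dek),
        "recovery_slot": seal(recovery_key, dek),  # recovery key is held by IT, never stored here
        "data": seal(dek, plaintext),
    }


def open_with_password(container: dict, password: str) -> bytes:
    dek = open_sealed(password_kek(password, container["salt"]), container["user_slot"])
    return open_sealed(dek, container["data"])


def open_with_recovery_key(container: dict, recovery_key: bytes) -> bytes:
    dek = open_sealed(recovery_key, container["recovery_slot"])
    return open_sealed(dek, container["data"])


if __name__ == "__main__":
    admin_key = os.urandom(32)  # generated and kept by IT, not by the laptop user
    secret = b"Account 0000-0000 (constructed sample record)"
    box = create_container(secret, "correct horse battery", admin_key)
    assert open_with_password(box, "correct horse battery") == secret
    assert open_with_recovery_key(box, admin_key) == secret
    try:
        open_with_password(box, "wrong password")
    except ValueError as e:
        print("rejected:", e)
```

The point of the two slots is that recovery is a deliberate, auditable capability held by a named party, not a hidden weakness in the cipher: revoking it is as simple as rewriting the container without `recovery_slot`, and an attacker with the laptop still faces scrypt on the user slot and a random 256-bit key on the recovery slot.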
Large companies usually have encryption policies (of course, employees often don’t follow them, and companies have to send out letters such as the one my wife received). Small businesses often don’t. Losing sensitive information can have serious financial and legal consequences. Take steps to avoid them.
