As data theft becomes more prevalent, encryption — transforming data into a code that no one else can read without a password — becomes increasingly important.
So, you will want to make sure that your office is applying the latest encryption software. Fortunately, there is a new generation of relatively inexpensive encryption technology designed to protect a wide range of digital information.
The ideal encryption solution will address servers, desktops, laptops, phones and the transmission of data between different parties.
It’s common to use encryption on computers, such as laptops, that leave the office. But there are other places that are equally worth protecting, particularly when it comes to highly sensitive information such as personal financial data.
For example, servers (many of which reside on the premises in smaller businesses) often store their data unencrypted, and many data breaches involve thefts of computers from offices. It’s a rare server that encrypts data automatically, although that is changing.
This past October, some disc-drive vendors, led by Seagate Technology LLC of Scotts Valley, Calif., formed an alliance to begin building encryption tools directly into hard drives. That would allow servers to encrypt data whenever anything was written to the disc. But until such technology is widely available, financial services companies need other options.
NetShare encryption software, from Palo Alto, Calif.-based PGP Corp., is designed to encrypt files stored on servers within small businesses. It can automatically encrypt files on a server without affecting users, says PGP. It can also be used along with its other product, PGP Universal Server, which helps to automate encryption options based on policies set by the organization, says John Dasher, PGP’s director of product management.
BUSINESS TO CUSTOMER
PGP also offers a Web-based mailing system to prevent sensitive messages being intercepted in transit. It stores encrypted messages on a secure server. Recipients are notified by e-mail that they have a message, and are given a Web address to use to retrieve it.
“We also created a procedure for the financial services companies that need to encrypt business-to-customer communications,” Dasher says. That solution would be useful for companies wanting to send financial statements to customers without expecting a reply. “My e-mail is converted and encrypted on the server; you’d get a mail with an encrypted PDF, [which] would launch your PDF reader, ask you for your password, then give you access to your information.”
The universal server product also manages the other offerings from PGP, which include whole-disc encryption on desktop and laptop PCs — an important security measure to protect against office thefts and to protect data on lost or stolen laptops.
Whole-disc encryption does have one flaw, however. Once you’re logged in, the data is accessible to anyone. People who step away from their computers at work or in the coffee bar risk having their information stolen by quick-witted bystanders. A USB memory stick slipped into an available port can easily suck gigabytes of information from a laptop in seconds. And if, like many, you slip a laptop into your bag in sleep mode without setting it to ask for a password when the lid is opened, it will be an open book to anyone who finds it.
“People are concerned about security around the endpoint,” says Guy Bunker, who is responsible for technical strategies in the security and data management group at the Reading, Britain, office of software firm Symantec Corp.
As well, some versions of Microsoft Inc.’s Vista operating system come with a feature called BitLocker, which automatically encrypts data written to a disc. There is a key disadvantage to this system, as well, in that it encrypts data only on the primary volume. Many hard drives have more than one volume (represented by drive letters such as c:, d: and e:), and users aren’t always good at remembering to store their data in specific locations, Bunker warns.
Frankfurt, Germany-based Steganos GmbH offers file-and-folder level encryption, allowing users to protect just their sensitive data, not the whole drive. “The real reason we think file-and-folder encryption is the more competent solution,” says CEO Aston Fallen, “is that it takes that extra step.”
AUTOMATIC ENCRYPTION
The product uses its own interface to encrypt and decrypt the information, which, Fallen says, has the added benefit of hiding the fact that encrypted files are even there. Users have to open the program to see the files on the drive before they can be encrypted.
Such products carry a natural downside, which is that non-technical users don’t always do what they’re supposed to do. Busy financial advisors simply want to get their work done, and it’s easy to forget on the way out to a meeting.
There is another, more serious problem with many encryption products on the market today that could also be exploited if computer users aren’t diligent. At the recent CanSecWest security conference in Vancouver, researchers demonstrated a “cold boot” attack. It uses the fact that a computer’s memory retains information for a time after it is switched off. Researchers inserted a USB memory stick into rebooted computers and dumped the memory — including passwords for sensitive encrypted data — on the memory stick for later retrieval. Computers left in “sleep” mode are particularly vulnerable to this tactic. The best way to protect against such attacks is to turn the computer off entirely when stepping away or travelling with it. But how many users are apt to do that?
Cellphones and PDAs are also vulnerable. Check Point Software Technologies Ltd. of Tel Aviv offers a solution that encrypts the flash discs or other media rather than encrypting the device itself, says Kellman Meghu, the firm’s Canadian security engineering manager in Mississauga, Ont.: “I have a four-gigabyte card sitting in my phone. That could store a lot of company data.”
Check Point also offers a product that forces data to be encrypted when being written to removable media. That might have prevented the fiasco that occurred this past October, when a junior British customs official dumped the personal details of 25 million people onto CDs that were lost in the mail.
How to keep your sensitive data secret
Several affordable encryption programs are available to protect the information on your computer, server, PDA and cellphone
- By: Danny Bradbury
- April 25, 2008
- 12:16