Simple Steps to Data Security

With all the stories in the news lately about data breaches, are your clients calling you with concerns over their data? Even if they aren’t, it should be an area you address, especially with the growing specter of identity theft.

While we may store client files on encrypted drives or up in the cloud where they are hopefully difficult for unauthorized people to get at, few of us give much thought to other areas of vulnerability such as client portals or even e-mails. With auto-fill widely enabled on e-mail accounts, it’s almost a sure bet that at some point you either have sent or will unintentionally send correspondence meant for one client to another with the same first name.

And e-mail is a concern. Much of a client’s sensitive data, including their Social Security number and other information that can lead to identity theft, is often sent to you via e-mail. And, in the opposite direction, how frequently do you return a document, such as a tax return in PDF format, via e-mail? Even if a client uploads and downloads their files to and from a client portal that you maintain especially for that purpose, a file, document, or e-mail in plain text, regardless of the file extension, is vulnerable.

In many cases, the answer to securing the information is either password-locking an individual document, or encrypting a file or e-mail. Fortunately, neither of those things is particularly difficult to do.

 

SIMPLE THINGS FIRST

If you have documents on a portal for your clients to download, it’s likely that those documents can be password-protected. Documents created with Microsoft Office applications, including Word and Excel, as well as some Adobe PDF documents, are easily password-secured.

With an Office file, under the File menu, select the “Info” tab. This will display three buttons. The top of the three is labeled “Protect Document,” and if you click on the button, you are presented with several more choices. Select “Encrypt with Password” and a screen will come up asking you for the password to use in encrypting the document. The screen also advises you to keep a list of passwords, since once the document has been encrypted, it can’t be decrypted without the proper password.

Of course, you can have the client e-mail you the password to use, which increases the security a bit. Just don’t have them hit “Reply” when you ask them for a password. A better way to handle it is for them to just enter the password they want you to use for encryption in the header of a separate e-mail, or to text it to you.

Unfortunately, encrypting a PDF isn’t always as easy. You can’t do it with Adobe Reader, but it is easy if you have Adobe Acrobat. Under Acrobat’s File menu, there’s a selection labeled “Properties.” Clicking on this gives you a tabbed “Document Properties” folder. The second tab on this is labeled “Security,” and when you select this tab you’ll see a Security Method dropdown. Select “Password Security” and you’ll be asked for a password to encrypt and decrypt the PDF.

Other PDF applications may or may not have their own security methods. For example, Nuance PaperPort Professional 14 has a lock icon that applies password protection to a selected document, though other versions of PaperPort, such as the ones you often receive with the purchase of a multi-function printer, don’t provide this feature.

Apple’s Mac OS also allows you to password-protect a PDF. Using the Preview utility, right-click and choose File, Export, and Encrypt, and you will be asked to select a password.

 

DIVING DEEPER

Document encryption is a good technique to use when you have a client portal and wish to protect individual files. There are several other scenarios where security is useful or possibly necessary. These are when there are large amounts of data that have to be secured, or when e-mails are sensitive.

Various versions of Windows have a built-in disk encryption feature called BitLocker, which encrypts an entire drive. There are also utilities that you can purchase, or open-source utilities, such as VeraCrypt and TrueCrypt, that can be downloaded for free, that do a similar job of encryption. You can also purchase self-encrypting drives where the drive’s onboard controller encrypts and decrypts the drive’s contents in real-time. These are available from drive manufacturers such as Seagate.

Encrypting entire drives isn’t always a great idea, since if the disk controller that does the encrypting and decrypting fails, the data is almost always unrecoverable. If you do have a huge volume of client files that you need to deliver securely, consider an external hard drive or thumb drive with encryption capability. Apricorn is just one vendor of these, and they make both hard drive and thumb drive versions. Both have a keypad where you can enter a numeric encryption password to encode the data you are writing onto the drive. The client then enters the same password to read the drive and transfers the files onto their own media. This approach works best when it’s used sparingly, since the device itself has to be physically delivered to the client either in person or by a delivery service.

Encrypting an entire drive isn’t your only option. You can encrypt, rather than password-protect, individual files as well. AxCrypt is an easy-to-use file encryption utility, and 7Zip, which is a file archive utility similar to WinZip, has an option to encrypt files as well as archive them.

You can also use a service to transfer files securely. Symantec and other vendors offer secure e-mail and file transmission services. Another secure method for transferring individual or multiple files is Dropbox. While it appears that Dropbox operates in clear text mode, it is actually encrypting the files you are uploading and those your client is downloading through an encrypted SSL/TLS (Secure Sockets Layer/Transport Layer Security) tunnel using 128-bit encryption. This is indicated by the URL showing HTTPS rather than just HTTP.

The files and folders themselves are stored by Dropbox in encrypted format using 256-bit AES encryption. You can add additional security to your Dropbox account by setting up (and having your client set up) dual-factor sign-ins. You’ve seen these before. They use a password, and then present you with a security question like, “What is your dog’s middle name?”

 

THE INFO IS IN THE E-MAIL

E-mail is another big security problem, since e-mails back and forth to and from your clients frequently contain sensitive material. This vulnerability extends to your portable devices as well. In fact, mobile devices such as smartphones and tablets present even more of a threat to security than desktop computers, as they are more likely to be lost or stolen.

Step one is, if at all possible, to delete any e-mails that contain sensitive information as soon as possible. Then make sure to manage your e-mails — use secure storage and delete any old e-mails that might contain confidential, sensitive or client information. You might also consider services like Symantec’s Enterprise Vault that offer storage of your e-mails and which address both security and compliance concerns.

Encrypting your (and your clients’) e-mails is another approach. There are add-in extensions to most mail clients that incorporate PGP (Pretty Good Privacy) and other public key encryption. Using public key encryption means that you have a public key (a combination of numbers and letters) that you give to your clients for them to use in encrypting their communications to you, and a private key which you apply against the encrypted communication to decode it.

Using public key encryption isn’t hard, but getting started and set up for it is more complicated than can be covered here. For example, Outlook has an encryption option built in. But before you can use it, you and your clients need to obtain digital certificates that contain a generated public key. There are organizations that provide this as a service. Then, before you can use this encryption approach, you and your clients need to exchange a digitally signed message, which enables each of you to add the other person’s certificate to your contacts. Once you and your clients have shared certificates, sending and viewing encrypted e-mail messages is the same as with any other e-mail message.

In reality, it’s easier for most users to use password-protected or encrypted documents or files containing the sensitive data. That way, the message header can be in plain text with the body of the message in plain text as well, such as, “Here is the data you supplied for your tax return. Please examine it for accuracy and let me know of any changes.” Then put the actual data in a Word or PDF document, password-protect or encrypt it, and attach it to the e-mail. That way, if the e-mail is intercepted or winds up in the wrong hands, the actual data is unreadable without knowing the password.

And don’t forget the most obvious — auto-fill. Take a moment to verify that the e-mail you’re sending is actually addressed to the right recipient. Even if e-mail auto-fill failure hasn’t happened to you yet, it’s almost a certainty that it will at some point in the future. If at all possible, it’s a good idea to turn this feature off if your e-mail client allows you to do so.

 

THE LAST WORD — SEPARATION

One mistake that users of password protection or encryption often make is to send the password or encryption key in a separate e-mail. According to Steven Ursillo, CPA, CITP, co-chair of the IMTA’s cybersecurity task force, this is likely a mistake. If someone can intercept the e-mail containing the encrypted document or encrypted e-mail, they can also intercept the e-mail containing the password or decryption key, both of which are almost always sent in plain text.

Ursillo recommends what he describes as dual-band transmission. If you’re sending a document or e-mail that needs an encryption key, send these by whatever e-mail client or service you use. Then, use a completely different method of transmitting the password or key. This can be in the form of a text message to your client’s cell phone, or even something as simple as calling them and reading off the password or key. Having both methods of transmission monitored or intercepted is highly unlikely.
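
The encrypt-the-attachment, send-the-password-separately routine described above can also be scripted. The following is an added example, not part of the original article: it uses the openssl command-line tool as a stand-in for the file-encryption utilities the article names, and the function names, the CLIENT_PASS variable and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). openssl is a stand-in for the
# file-encryption utilities the article names; all names are illustrative.

# 24 random bytes, base64-encoded: a 32-character passphrase.
new_passphrase() {
    openssl rand -base64 24
}

# encrypt_file IN OUT: AES-256-CBC, key derived from the passphrase with PBKDF2.
# The passphrase is read from the exported variable CLIENT_PASS, so it is not
# typed on the command line. Note: this mode gives confidentiality only; it
# does not detect tampering with the encrypted file.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:CLIENT_PASS
}

# decrypt_file IN OUT: the recipient's side, same parameters.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:CLIENT_PASS 2>/dev/null
}

# roundtrip_ok PLAIN ENC: true only if ENC decrypts back to exactly PLAIN.
roundtrip_ok() {
    rt_tmp=$(mktemp) || return 1
    if decrypt_file "$2" "$rt_tmp" && cmp -s "$1" "$rt_tmp"; then rt_rc=0; else rt_rc=1; fi
    rm -f "$rt_tmp"
    return "$rt_rc"
}

# Demo on a constructed sample file.
work=$(mktemp -d)
printf 'Name: Jane Example\nSSN: 000-00-0000 (constructed sample)\n' > "$work/return.txt"
CLIENT_PASS=$(new_passphrase); export CLIENT_PASS
encrypt_file "$work/return.txt" "$work/return.txt.enc"
if roundtrip_ok "$work/return.txt" "$work/return.txt.enc"; then
    echo "Band 1 (e-mail attachment): $work/return.txt.enc"
    echo "Band 2 (phone call or text): $CLIENT_PASS"
else
    echo "Encryption check failed; do not send." >&2
fi
```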

 

IS ENOUGH, ENOUGH?

Just how far you go in implementing a secure way of protecting your clients’ files is going to depend on how sensitive those files are, and how far both you and the client are willing to go to carry out that protection. Just as with physical security incorporating alarms, electronic door locks and security cameras, there is no such thing as perfect security. The final objective of any security system, whether it’s as simple as physically sitting down with the client and passing them an envelope with their documents, or springing for a security appliance or online secure transmission service, is to make it difficult enough for someone to break the security that they don’t bother trying.

Exactly how much is enough is something that you and your firm’s clients are going to have to work out. Once you’ve come to an agreement or understanding, implementing the approach should be the simplest part of the process.
