It seems like pretty much all we read about lately is the increasing number of data breaches and information hacks. When data resides on servers and computers we have no control over, there’s really not a lot to be done except hope that the agency that does have overwatch on those servers does their best to guard your personal data.

At the same time, you have an equal responsibility for the client data that you have stored on your PCs and servers. If you are processing client data in the cloud, and don’t have backup copies or electronic copies of the client’s source material on-site, there’s not much you can do security-wise. You have to trust that the vendor whose online application you are using has sufficient security to protect your client.

But if you process client data in-house, it’s a different story. Drives can become corrupted, you can contract a virus or be the victim of a ransomware attack, and hopefully you have this covered with a backup and recovery plan. But in most cases, the data is out there, available to anyone who can hack into your system from afar or even from on the premises. There are, however, a couple of solutions to this problem. Neither solution is perfect, but both do provide an extra layer of security.

As far as hacks, viruses, and ransomware, if an outsider can’t get at the data, they can’t steal or corrupt it. That means air-gapping the systems where data is processed or stored. An air-gap is simple — you just don’t connect the network to the outside world, i.e., the Internet. You can accomplish this in several ways:

1. Air gaps

One way to to have two separate network servers, one connected to the Internet, the other not. This is an expensive approach, and also requires that you have essentially two devices for each staff member who both needs Internet access as well as client access. A viable approach to this separation is to provide a PC for client data entry and access, and a tablet connected by Wi-Fi for Internet access. If you don’t want to maintain two different servers, you can create multiple separate networks using a single server, Windows Server OS, and two or more individual NICs (network interface cards) and network switches. Connect one NIC to a router and the internet, and use this network to provide Internet access, and connect a seperate Ethernet switch to the second NIC and hardwire each PC to this switch. You still need two sets of devices, and a skilled hacker can still breach the operating system network differences. Truthfully, an air-gap provides a high level of security, but it’s expensive and pretty complex to implement.

2. Encryption

Another approach is to encrypt the client data, and store it on media separate from the PC used to input and process the data. Encrypted storage devices are readily available, and not difficult to use. In the past, I’ve used Padlock devices from Apricorn with good results. More recently, I’ve switched to Kingston’s encrypted USB flash drives. The Data Traveler DT2000 is a flash drive with a tiny set of numeric keys, and is available in capacities varying from 4GB to 64GB. The model I use has 32GB, which is enough storage to contain several clients’ worth of information. This models sells for under $120 while the 64GB version is around $150, both of which are pretty cheap compared to air-gapping.

Using the USB drive is easy. The drive has a rechargeable battery and three LEDs to indicate the status as you use it. The instructions are almost unreadable on the packaging, so the first thing you have to do is download the manual, which is available online. Before you can use the drive, you have to change the PIN from its default, it can be from 7 to 15 digits long, and you are ready to go. The DT2000 is operating system independent, you can use it with Windows, MAC OS, Linux, and even Android. I like Kingston products and all of the PCs and NUCs (ultra small form-factor PCs) I’ve built over the past several years have Kingston RAM and SSDs in them.

Be aware, though, there is one significant problem when using encryption. If you forget the PIN, or the drive becomes corrupted, it’s very unlikely that you can recover the data, something that is often possible with an unencrypted drive. A workable solution is to mirror the data on a second encrypted drive and store the two drives in separate places — such as putting one in your pocket or laptop case when you leave for the day. If you have a lot of client data, this approach may not be practical, but you can scale it up to using a multiple set of encrypted and RAIDed NAS (network attached storage) drives using software encryption. This still leaves the problem of having the network connected to the outside world, though, so it’s far from a foolproof solution.

Client data security is one area where cost/benefit analysis really needs to be done. It’s impossible to provide perfect security, and the closer you come to it, the more expensive and complex the solution becomes. But you do owe your clients the best security that you can afford both in terms of money and time.

Ted Needleman

Ted Needleman

Ted Needleman has been covering technology for more than 30 years, writing frequently on software, hardware, and related subjects. He was previously editor-in-chief of Accounting Technology.