How to Protect Sensitive Files: A Guide to Passwords & Encryption

Do you work with sensitive client data? Have you signed an NDA requiring you to secure clients’ information? Here’s how to properly secure your computer and safeguard the intellectual property entrusted to you.

You’ve started freelancing or consulting, and all of a sudden you find yourself signing a non-disclosure agreement (NDA) with some very scary verbiage about the financial and legal repercussions you will endure if you release (intentionally or not) the intellectual property (IP) and other proprietary information your client will entrust to you. Yikes!

But you’re new to working for yourself, and there’s a lot of overlap between your professional and personal space—physically and digitally. You use your personal laptop for everything, and you’ve never really given this question of security much thought. But now you (prudently) ask yourself: How much security do I need for client files? A password? Full-disk encryption? Something in between? (And no, highly secure cloud storage is not the answer on most freelancers’ budgets—HIPAA-compliant cloud storage, for example, comes at a steep premium.)

All good questions. Read on for a really simple guide to the practical options available to most freelancers, consultants, and solopreneurs.

How Easy Is It to Steal Your Stuff?

The first thing to realize is that your laptop’s hard drive is super easy to access, even if your laptop is password protected. For under $10, anyone can buy a case with a USB connection that lets them read, with the click of a mouse, the hard drive they’ve liberated from your laptop. (I can get a password-protected hard drive out of a sealed laptop, access its files, and copy its contents—completely readable/accessible/usable—onto another computer in under 5 minutes.) This means that, if your laptop is lost or stolen, that password protection you set up is actually pretty worthless.

The second thing to realize is that malware exploiting a zero-day (that is, brand-new) bug can access or corrupt unencrypted files on a drive before you even know you have a problem. Self-employed professionals typically have okay-to-good virus protection on their laptops, when they should have great-to-excellent protection on all their devices. But they don’t, which leaves them vulnerable to malware working in real time.

But I Used a Password!

A password and $6 will get you a latte, but not much more. Here’s the rundown on passwords and the general extent of their protection:

    1. Operating system password (e.g., Windows password): When your machine boots and you are asked for your password, that is likely an operating system password. Your operating system won’t allow access without it, which is precisely the level of protection you need if you’re just trying to keep casual snoopers, like nosy roommates, out of your business. That’s it, though. If your laptop is stolen and the hard drive removed, the files on your hard drive are unprotected.
    2. BIOS password: If you can’t boot up your computer without entering a password, it’s likely your system has a BIOS password. But, just as with the operating system password, your hard drive is not protected if it is removed from your computer.
    3. File password: In many systems, you can protect individual files with a password. This protection covers only the file, not the drive, and you must be sure to remember your password!
    4. Hard drive password: A password on your hard drive will protect your drive even if it is removed from your computer. The drive cannot be accessed without the password. However, beware that if you lose your password you cannot access your hard drive easily or at all. That being said, a hard drive password is not necessarily a secure solution. Depending on your configuration, your password may be stored in the firmware, and some firmware is less than bulletproof, providing a back door of sorts. Further, some programs can circumvent hard drive passwords.

So, What’s the Solution?

Encryption provides the best security. Many companies request their consultants use Microsoft’s BitLocker. I get questions all the time about BitLocker from consultants who are being asked to use it for the first time for a new client, but they can’t find it on their system. That’s usually because they are running their PC with the inexpensive Windows Home edition, not Windows Pro. Pro is an easy upgrade. (Work on a Macintosh? Lucky you. Lock that sucker up for free. FileVault is on your machine! Find information about how to turn it on and select your password recovery option here.)

The challenge with BitLocker is that it is a whole-disk solution. It protects data on your device, but if you want to share encrypted data, it’s not the optimal solution. Remember, data needs to be encrypted both at rest and in motion. A VPN encrypts data in transit, but not on your device and not necessarily at its destination, which is why you need to encrypt files you wish to share, even if you use a VPN.

How to Select an Encryption Tool

When shopping for an encryption tool that fits your needs, consider these concerns:

    • File encryption or virtual drive encryption? Do you want a program that encrypts individual files/folders or creates a virtual drive that encrypts files upon locking?
    • Management of originals? Once you encrypt a document, will you conscientiously destroy the original—and do you know how? Files are retrievable even after deletion (read more here), so you may want to select a program that encrypts a file in place, rather than creating an encrypted duplicate file.
    • Encryption algorithm. The standard is AES, and it’s likely just fine for your needs.
    • Decryption. If you are sharing encrypted files, the highest security level for consumer-accessible tools is PKI (public key infrastructure cryptography), but other sharing methods may be suitable for your needs, including self-decrypting executables and free decryption-only tools.

As with most tools, spend some time experimenting with an encryption tool during a free trial period, if one is available. Like a VPN, an encryption tool affects your workflow, so be sure you select one that works with your work style, your clients’ needs, and, of course, your budget.
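
To make the file-level encryption and "management of originals" points above concrete, here is an added example (not from the original article or from any product it mentions). The script uses the OpenSSL command line to encrypt one file with AES-256, checks that the encrypted copy decrypts back to identical content, and only then deletes the plaintext. It assumes OpenSSL 1.1.1 or later; the function names and the `.enc` suffix are made up for the example.

```shell
#!/bin/sh
# Added example (not from the article): encrypt one file for sharing, verify
# the result, then delete the plaintext. Assumes OpenSSL 1.1.1+ for -pbkdf2.
# Function names and the ".enc" suffix are hypothetical.

ITER=600000   # PBKDF2 rounds; must be the same for encrypt and decrypt

# SHA-256 of a file, as bare hex.
sha256_of() { openssl dgst -sha256 -r < "$1" | cut -d' ' -f1; }

# encrypt_file SRC DST PASSFILE
# The passphrase is read from the first line of PASSFILE so it never appears
# in the process list (as it would with "-pass pass:...").
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_to_stdout ENC PASSFILE
decrypt_to_stdout() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -in "$1" -pass "file:$2"
}

# protect_file SRC PASSFILE
# Writes SRC.enc, proves it decrypts to identical content, and only then
# removes SRC. Prints the plaintext SHA-256 on success.
protect_file() {
    src=$1; passfile=$2; out="$src.enc"
    [ -f "$src" ] && [ ! -e "$out" ] || return 1
    want=$(sha256_of "$src")
    encrypt_file "$src" "$out" "$passfile" || return 1
    got=$(decrypt_to_stdout "$out" "$passfile" | openssl dgst -sha256 -r | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        rm -f "$out"
        echo "verification failed; original kept" >&2
        return 1
    fi
    # rm only unlinks the file; the old blocks can remain recoverable, and
    # overwrite tools are unreliable on SSDs and journaling file systems.
    # Whole-disk encryption underneath is what covers those leftovers.
    rm -f "$src"
    # "openssl enc" gives confidentiality but no tamper detection, so pass
    # this digest to the recipient separately to check the decrypted file.
    printf '%s\n' "$want"
}

if [ "$#" -eq 2 ]; then protect_file "$1" "$2"; fi
```

Run it as `sh protect.sh report.docx passphrase.txt`, where both file names are placeholders; the recipient needs the same passphrase and iteration count to decrypt.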

PC Magazine reviews solid encryption tool options in The Best Encryption Software for 2020.
