How to Encrypt Client Data on Your Personal Device
Working from home presents a number of unique challenges in terms of data security. For one, many people's personal devices are entirely unprotected and are therefore vulnerable to cyberattacks. In the second article of a two-part series, expert Danny Severns explains how to encrypt files on a home computer and reviews why taking these steps is so crucial.
In my previous article on keeping data secure while working remotely, I covered steps to take to ensure your devices and those of your employees are protected from data breaches while everyone is working from home.
The next best practice to implement is data encryption. I recommend being thorough and encrypting any sensitive data on your home computer. Windows 10 Pro and Enterprise have a built-in encryption tool called Encrypting File System (EFS) that will encrypt individual files, folders, or an entire internal or external disk drive.
Unfortunately, there are some quirks with EFS that make it not the best encryption method to use. For one, it only works on NTFS-formatted drives. If an EFS-encrypted file is moved to a disk formatted with FAT32 or exFAT, or it is moved across a network or sent as an email attachment, it’s decrypted.
That being said, if those shortcomings haven’t dissuaded you from employing EFS, here is how to use it:
1. Open Windows File Explorer and navigate to the file or folder you want to encrypt
2. Right-click the file or folder you want to encrypt
3. In the dialog that appears, select Properties
4. On the General tab, click the Advanced button in the lower-right portion of the dialog screen
5. A dialog titled Advanced Attributes will pop up. Check the last box, which should read “Encrypt contents to secure data”
6. Click OK on the dialog to close it and click OK on the file or folder Properties dialog to close it
Microsoft Office files can be encrypted from within Office applications. To do so, click on File > Info > Protect Document. A dialog will display with five protection choices. Choose “Encrypt with Password.” Another dialog titled “Encrypt document” will display and ask for a password. After entering a password, it will ask you again to confirm the spelling. That is all there is to it. To remove an existing password, in the “Encrypt with Password” dialog, erase or blank-out the existing password and click OK. That will remove it.
Remember: When transferring files, if they are encrypted during transmission by a VPN, router, browser or transfer software, once they reach your computer, the files are decrypted and stored in whatever format they are in on the server. If client documents and other sensitive data are stored under one directory with sub-directories by client, for example, you may want to encrypt the entire top-level folder.
Also, set your browser to only use HTTPS, which is the secure protocol for the internet. Traffic sent and received by your browser when connected to another secure HTTPS website is encrypted over the internet and decrypted when stored on the receiving computer.
Encryption works based on a password or key. If you encrypt a file and send it to another person, you must provide them with the password or key for them to be able to decrypt and use the file. If the file is encrypted by Microsoft Office, it will ask you for the password and will then decrypt the file and display it. The important thing to remember is that if you forget or lose the password, you will not be able to access the file without the use of third-party software that claims their product can remove the password. Since Office 2007, Microsoft added 128-bit encryption, which makes it harder for the average user to bypass the password, but experts have cracked that level of encryption, so it is no longer considered unbreakable.
To be sure your documents are well protected, you may want to consider using a third-party encryption software product. There are many to choose from, and each has its own merits. A review of them is beyond the scope of this article but suffice to say that you can research the features and reviews and select the best one for your purpose. The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and I would recommend that the package you select supports AES. Most of those that use other algorithms still recommend AES as the best to use.
If you use a third-party package, be aware that after the software encrypts a file, the original file is still on your system in its original format. Therefore, to secure the file, you need to find and delete the original file once it has been encrypted. Another aspect to beware of are the cryptographic hash functions available that are still considered unbreakable. These are in the SHA-2 (Secure Hash Algorithm 2) family and consist of six hash functions with hash values that are 224, 256, 384 or 512 bits. They would be listed in the software specs as SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. Therefore, you should select a software package that adheres to one or more (or better yet, all) of these standards. A very good free open-source encryption package that supports these standards and runs on Windows, MacOS and Linux is VeraCrypt. If you don’t mind paying for a package, I suggest AxCrypt and Eclypses.
After securing your Wi-Fi network and home computer and encrypting sensitive data stored on your system, you should also secure any other devices, such as your cell phone, tablet or laptop, that you use to access sensitive data residing on the firm’s server or client’s server or computer. Avoid browsing unknown and untrusted websites using your WFH device. If you need to do so or share your computer with children or others, consider buying another computing device and not connecting it to your work-related system. Keep it totally segregated, or as much as possible, to minimize exposure to sensitive data and/or stop malicious entry or control of your firm’s network.
While this might seem like a lot of steps to take, there are good reasons to go to the trouble of protecting sensitive data while working from home.
First, failure to do so could result in theft, tampering or destruction, causing significant harm to the firm’s client relationships and reputation. Second, approximately 25 states have laws that address data security for private businesses and require them to maintain "reasonable security procedures and practices" to protect all sensitive personal data they possess on citizens of the respective state. They require data be protected from being accessed, stolen, copied, destroyed, altered, unlawfully used without permission or disclosed to others, and, in some cases, retained in any form if the person has requested their data be deleted. Most statues do not expressly state what steps must be taken to meet the “reasonable” test, but certainly negligence and lack of diligence in protecting data while working from home would probably violate the “reasonable” standard.
The point is, protecting data while working from home is a serious matter with grave consequences in today’s business environment. It is no longer an issue left up to the discretion of each business or individual. Related to data protection, approximately half the states now have laws pertaining to data disposal. These laws govern how entities destroy or dispose of personal data and require businesses like yours to implement specific data protection procedures and practices.
Danny is a professional with a unique blend of skills and expertise combining Financial management, Software development, and Digital transformation and modernization. As a CPA, he has extensive experience in Auditing, Tax, and Consulting with clients of all sizes in a variety of industries. In private industry, he gained deep experience in...