'A company's most valuable asset is its data.'
Anybody who heads up a small company that doesn't have its own IT department will be familiar with this scene: A laptop rammed full of presentations, old projects, calculations, and customer data. At best, files are backed up randomly on dusty hard drives – where security is weak. The mere thought of managing and protecting our data puts us in a bad mood. Andrea Pfundmeier (29), co-founder of award-winning encryption start-up Secomba, provides useful tips for handling, saving, and protecting data.
On the one hand, constant surveillance scares many people. On the other hand, data protection is an inconvenience that we would much rather leave 'until tomorrow'. Why is data protection even important?
If I want to protect my data, the first question is always this: What is my threat scenario? If I want to protect myself against all the intelligence services out there, things start to get a little difficult for everyone. The question should actually be: Who do I still trust? If I entrust major providers like Google, Microsoft or Apple with my data, I don't need all that much protection. Maybe I would rather protect myself against a neighbour accessing my computer, or somebody hacking my WiFi. It's relatively easy to do that. But am I worried about the staff or the services themselves – does my email provider read my emails? Can my cloud provider access my backups? – then I have to consider the data-encryption option. In the case of a provider like Dropbox, I can synchronise my data with a cloud. Here I can decide how often automatic synchronisation takes place myself (once a day, once a week). The Boxcryptor software we have developed allows users to encrypt their data on their local computer before uploading it to a provider like Dropbox. If a hacker (or even somebody who works for the cloud service) were to attack Dropbox, my data would be encrypted and therefore protected against unauthorised access.
Encryption is something of a specialist subject. Do you have any simple tips for ensuring a basic level of protection?
Secure passwords are a big help. Ideally, I should have a different password for each service I use. I certainly shouldn't be using the same password for multiple services. Sticking to this rule already protects me against many types of attack. If somebody hacks my account on one website, there's no chance of them accessing my other accounts elsewhere using the same password. If I additionally encrypt certain data before uploading it to the internet, or encrypt certain channels of communication like my email correspondence with my lawyer, for example, I am actually protected against the majority of threats.
To be honest, nobody can remember several 16-digit passwords with umpteen special characters in them. Isn't there just one perfect password?
The perfect password doesn't exist, because if I use it everywhere and it gets found out one day, that's basically it! There are very secure passwords, however, that have enough letters, special characters, numbers and such like in the mix. Hackers find these very hard to crack. There are now some great 'password manager' services around. They can automatically generate secure access data for all the services I use and store them in an online 'safe'. But then I have to remember a password to get into this safe. For people who want even more security still, I recommend making a list and storing it in an actual safe at home. But this takes more time and effort than doing it online.
What are the classic mistakes of data protection?
In most instances it's passwords that are too weak or backup cycles that are too long. In the case of small or medium-size companies that don't have their own IT department, I can only recommend performing regular backups and making the entire computer secure, especially all the customer data and commercial data. Today it must be said that, whatever company it is, the data is the most valuable asset of all. Once the data has gone, there's really nothing left at all. So make regular backups, encrypt them, and save the data.
The cloud is an abstract construct. Our data gets sent 'some place or other'. How can we take the fear out of this?
Clouds are servers that are operated or rented by providers. They are installed in computer centres all over the world. I access them via the internet and let them handle my services. The more I understand how it all works, the less fear I will have. If I choose a provider here in Germany, it may make me feel better, because I know that my data will be secure here in Germany, and that the provider is bound by German law. In any case, people should ask themselves the following questions: What is the cloud? How can I use it? Which providers do I trust? Only those who understand what lies behind these technologies can make informed decisions.
At some point, all of us work on important jobs in the coffee shop or when we're out and about. What's a good way of protecting data on mobile devices?
Encryption software like Boxcryptor can also be used on mobile devices. Let's say I want to look at a pitch presentation on my iPad during a train journey: I could call it up using Boxcryptor to be sure it is encrypted on my iPad first and foremost. In the mobile domain, too, it's the little things that make a big difference. Even the PIN I enter to unlock my cell phone protects me against unauthorised access. There are of course also fully hardware-encrypted devices like Angela Merkel's cell phone, but regular users don't need this much security.
Many people would say that their data is not so important, and that nobody is interested in it. What are the arguments in favour of being more mindful when handling our data?
If I save my gym workout data somewhere on the internet, it's not so relevant. But some of the data that doesn't seem important today might become important in the future. If my doctor saves X-rays of my injured knee on his server, it may not bother me now. But what if I want to change my health insurance provider in ten years time, and the new insurer gets hold of the images? They might not want to insure me any more. Or only if I pay a much higher premium. These are things we have to think about. It's unfortunate, but once on the net means always on the net in most cases. It may not be possible to google this data, but somebody somewhere probably has access to the server. And in such cases I simply have to think about what consequences today's data could have in the future. My insurance card, my tax assessment... all of this data is stored digitally. I have to provide this data, I have no choice. But I also have no influence on what happens with it afterwards. Why isn't this considered a risk? Because it goes unnoticed. If my car gets stolen, the effect is immediately obvious. If my data gets stolen, I don't notice anything at first. I would therefore recommend everyone be more mindful when handling their data. And to encrypt all their data, no matter how insignificant it may seem.