Step 5 of 6: Encrypt Files on Computers and Removable Media

Posted by Eric Parker

Are you ready for tax season? One thing you may NOT have thought of is making sure that you have an adequate data security plan to protect your clients and reduce your risk. In this series of articles, we are providing action items, aka a roadmap, for you to build your plan prior to tax season. In this article, we will be discussing the fifth step. 

There are six components to a data security plan.  

• Install and update antivirus software that scans files and memory for malware
• Use firewalls to shield your computer or network from malicious traffic or malware
• Use two-factor authentication to secure email, accounting software or any password-protected product
• Routinely back up critical files to a secure external hard drive or cloud storage service
• Encrypt files on computers and removable media
• Write down your data security plan as required by the Federal Trade Commission's Safeguard Rule 5

Step 5: Encrypt Files on Computers and Removable Media

To better understand how encryption works, it’s first important to understand how your computer stores data, in a very basic sense. On your computer, your hard drive has thousands of sectors or blocks of data. The blocks are your pictures, tax returns, and important business information stored in ones and zeros. Your computer knows how to read those ones and zeros, but so does every other computer running the same operating system as you. If your computer was lost or stolen and not encrypted, the hard drive can be removed from your machine and plugged into another, and all your data is accessible.

Encryption is a way to secure your data so it can only be accessed by the individual who holds the secret key, which in most cases is the login password for your computer. When you enable encryption on your device, the ones and zeros that make up your data become scrambled and unreadable without your key to decipher. You are also provided a backup key to keep in a secure location. When you log in to your computer each day, you provide your password to the system and the system decrypts files as you need them on the fly. Once encryption is enabled, your data can ONLY be accessed via your password, or the recovery key automatically generated when you enabled encryption on your system. It is important that you back up your recovery key, preferably in a robust password manager. If you forget your password AND lose your recovery key your data can’t ever be accessed again.

If your business is using Microsoft 365 to manage devices, admins have access to the recovery keys generated by staff computers. It logs them in the Azure Intune portal so if a team member quits or is let go, their data doesn’t leave with them.

If you back up your computer to an external drive or save data on one, you should consider encrypting your removable media as well. If someone steals your encrypted computer and your non-encrypted backup, they will have access to your files. Once encrypted, your password will be needed to access the data stored on the drive.

Action Items for You

Make sure all company computers have encryption turned on. 

• Windows business users: Business versions of Windows include a free encryption tool called Bitlocker. Enabling encryption takes just a few minutes and a few easy steps that you can follow in "Turn on standard BitLocker encryption" in this Microsoft support article on encryption.
• Windows 10 Home users: follow the easy steps listed in the section "Turn on device encryption" in this Microsoft support article on encryption.
• macOS users: Apple support provides steps on setting up encryption here for a built-in tool called FileVault which functions similarly to Bitlocker. A unique feature of Filevault is the ability to connect your login password and key to your AppleID, allowing you to reset your encryption if you forget your password and key. 

Make sure all company removable devices have encryption turned on. 

• Encrypting removable devices is simple. Connect the device to your computer, locate the device (in File Explorer for Windows business or on the desktop for macOS), right mouse click on the device and turn on encryption (select "Turn on BitLocker" for Windows or "Encrypt" for macOS). Then follow the prompts. 

Note: Encryption is a deep topic, and this article barely scratches the surface. If you have questions about encryption or data security, please reach out to Woodard Consulting Group.