
How to store sensitive files safely .. small business

  • 22-06-2016 9:46am
    #1
    Registered Users Posts: 113 ✭✭


    Hi all
    Just looking for some advice please. My business partner and I need to store approx 4000 pdf files securely. These files are one page documents with some sensitive information that must not fall into the wrong hands. We download these pdfs on a daily basis and immediately distribute them to our clients via email. We then need to store them for future viewing. Ideally we would like to be able to access this storage area from both work computers and from home. Once the files are 6 months old we delete them in accordance with data protection regulations.

    We are a small business and our IT infrastructure is limited to a desktop computer and a laptop but we are willing to invest a reasonable amount to protect these files.
    I would like some advice on the options available to us please.
    Buy some space on Dropbox .... is this secure ?
    Buy an external hard disk... what if this fails ?
    Should we encrypt the files and then store them... what's involved .. how ?

    Many thanks in advance


Comments

  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    There are quite a few options open to you. There is no such thing as a perfectly secure solution. The more secure your solution becomes, the more complicated it becomes and therefore the more costly it is to maintain.

    Is dropbox secure? Yes, in the main. Dropbox themselves encrypt the files as they're stored, so they can't just be browsed by anyone. Could dropbox get hacked? Yes. But it would be a universal breach of dropbox, and whoever carried out the attack would likely be trying to reach specific files; there's no way they are going to download the terabytes of data stored in Dropbox and sift through it all.

    A more likely breach would be your Dropbox account getting hacked by someone who finds the password. This can be fairly easily mitigated by using standard password security techniques and two-factor authentication.

    But ultimately it depends on how private you need your data.

    For most small businesses, my recommendation tends to be a local NAS - Synology are my NAS of choice - with hard disks in a RAID-1 configuration (mirrored) at a minimum. Most NASes allow for disk encryption, so even if someone takes the NAS in a burglary, the thieves can only wipe or dispose of the hard drives; the data on them is inaccessible.

    You also need an offsite backup; in case someone does steal your NAS or your office burns down.

    For this, most NASes come out of the box with the ability to backup to the cloud. But if you're not happy with that, you have the option of buying a second identical NAS which lives in someone's house. The NAS in the office then backs itself up to the one at home. With broadband speeds in most places pretty good, and since you're only using PDFs, this shouldn't present much of an issue.

    You should get someone in who knows what they're doing though to ensure that the setup is properly secure and fault tolerant enough to at least email you when something bad happens.


  • Registered Users Posts: 113 ✭✭GeneralSherman


    Thanks so much Seamus for your detailed and very useful reply. good wishes to you !


  • Registered Users Posts: 134 ✭✭ishotjr2


    "distribute them to our clients via email.",
    Sending it via email IMO is a likely data leakage point. There are a couple of solutions I have come across like IronPort which can redirect to a web portal. But that is going to be expensive, I am sure there are cheaper options out there. You should talk to a solution provider.

    Say it is something like a P60, then the file should at least be PDF password protected.
    You could also use (http://www.7-zip.org/) to encrypt the file. This is relatively popular and free. (You may also be able to pay a computer enthusiast 100e to write a script to automate the encryption for you.)
    There are lots of options here...

    You may be pleasantly surprised when you go the extra mile for clients' data security as we read about breaches all the time and folks are thinking about it, just not sure what to do. So when they see someone making the effort, it makes a good impression.

    I would not use dropbox for secure data distribution. Too many ways to trick customer PC/email software into leaking the data, or if you made a mistake (even with 2FA). Frankly that would keep me up at night :)
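
The encryption script ishotjr2 mentions, combined with the six-month deletion rule from the opening post, could look like the following. This is an added example, not part of the thread: it assumes the 7-Zip command-line tool is installed as `7z`, and the folder names `inbox` and `outbox` and the reading of "6 months" as 183 days are assumptions.

```python
"""Added example: put each PDF in its own AES-256 .7z archive and list
archives that are past the six-month retention period."""
import secrets
import string
import subprocess
import time
from pathlib import Path

RETENTION_DAYS = 183  # assumption: "6 months" taken as 183 days
ALPHABET = string.ascii_letters + string.digits


def new_password(length=24):
    """Random per-file password from the OS CSPRNG (about 143 bits at 24 chars)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seven_zip_command(pdf, archive, password):
    """Build the 7-Zip call. The 7z format encrypts with AES-256;
    -mhe=on also encrypts the file names stored in the archive."""
    return ["7z", "a", "-t7z", "-mhe=on", f"-p{password}", str(archive), str(pdf)]


def encrypt_folder(inbox, outbox):
    """Encrypt every PDF in inbox; return {archive name: password}.
    The password is passed on the command line, so run this only on a
    machine where other local users cannot list running processes."""
    passwords = {}
    Path(outbox).mkdir(parents=True, exist_ok=True)
    for pdf in sorted(Path(inbox).glob("*.pdf")):
        archive = Path(outbox) / (pdf.stem + ".7z")
        pw = new_password()
        subprocess.run(seven_zip_command(pdf, archive, pw), check=True,
                       stdout=subprocess.DEVNULL)
        passwords[archive.name] = pw
    return passwords


def expired(folder, now=None, days=RETENTION_DAYS):
    """Return files in folder whose modification time is older than the
    retention period, oldest first, so they can be reviewed and deleted."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    old = [p for p in Path(folder).iterdir()
           if p.is_file() and p.stat().st_mtime < cutoff]
    return sorted(old, key=lambda p: p.stat().st_mtime)


if __name__ == "__main__":
    # Hypothetical folder names. Give each password to the client by a
    # different channel than the email that carries the archive.
    for name, pw in encrypt_folder("inbox", "outbox").items():
        print(name, pw)
    for path in expired("outbox"):
        print("past retention:", path)
```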


  • Registered Users Posts: 1,984 ✭✭✭ItHurtsWhenIP


    ishotjr2 wrote: »
    "distribute them to our clients via email.",
    Sending it via email IMO is a likely data leakage point. There are a couple of solutions I have come across like IronPort which can redirect to a web portal. But that is going to be expensive, I am sure there are cheaper options out there. You should talk to a solution provider.

    Say it is something like a P60, then the file should at least be PDF password protected.
    You could also use (http://www.7-zip.org/) to encrypt the file. This is relatively popular and free. (You may also be able to pay a computer enthusiast 100e to write a script to automate the encryption for you.)
    There are lots of options here...

    You may be pleasantly surprised when you go the extra mile for clients' data security as we read about breaches all the time and folks are thinking about it, just not sure what to do. So when they see someone making the effort, it makes a good impression.

    I would not use dropbox for secure data distribution. Too many ways to trick customer PC/email software into leaking the data, or if you made a mistake (even with 2FA). Frankly that would keep me up at night :)

    If they weren't using Dropbox to distribute the files, but rather for backup purposes, would setting up a VeraCrypt encrypted container for each day's set of PDFs and banging them up to Dropbox be more secure?

    Granted this probably won't work if they were using Dropbox for distribution, but it should be otherwise secure.

    OP - ishotjr2 is correct about e-mail distribution being very insecure, so password protected PDFs would be a really good idea. While the 7zip option is really good too, some malware filters may remove ZIP files as part of normal operations, so these might not get through.


  • Registered Users Posts: 113 ✭✭GeneralSherman


    Hi all.. General Sherman here.
    Thanks for all the information. I have been mulling it over and discussing this with my business partner. We have also researched how our main competitor is providing these files to their clients.... answer is .. by email !
    So, we will password protect the pdfs before emailing them to our clients. We have too many clients with very limited IT knowledge to set up and support on a shared encrypted space where we could provide the pdfs to them.

    We are still unsure if we should go with Dropbox or a NAS for secure storage (and not distribution) of our pdfs.
    If we go with Dropbox we would not sync the files to our laptops/PCs, we would use the 2 stage verification log in system and so on.
    If we use a NAS then we need to have a backup of that somewhere ... probably on the cloud ... why is this any better than just paying Dropbox to look after our files? No NAS means no machine that we have to pay for, set up, maintain and protect. Is the only benefit of the NAS the fact that the machine and all the data on it is ours and within our control?
    Should I be concerned that the Dropbox servers are US based and therefore governed by US laws which gives access to the files to the US government?
    If I password protect files, am diligent about storing them securely on dropbox only etc etc and Dropbox was hacked and all of my files were accessed maliciously, who gets the blame ?


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Should I be concerned that the Dropbox servers are US based and therefore governed by US laws which gives access to the files to the US government?
    Depending on what's actually in the PDFs, you need to be very careful about this. If there's any sort of personal data involved, then there are specific laws around transferring personal data outside of the EU that need to be complied with. Most cloud storage companies when using their business products will give you the option to keep the data within Europe as it's a pretty common issue/requirement, but you'll need to confirm that.


  • Registered Users Posts: 134 ✭✭ishotjr2


    It does not matter "who gets the blame?"; you never want to have that conversation with your customers even if it is a documented rock solid well documented someone else's fault, i.e. do not use this as a fallback position. In my experience customers vote with their cash based on how they feel about you rather than the facts. Customer looks at it like well you chose Dropbox and if you are looking for indemnity :) read the EULA.

    The dropbox CDN is globally distributed. "BlowFish" is right on the money; you need to be able to say what the data is and look at advice/research from that context.


  • Registered Users Posts: 113 ✭✭GeneralSherman


    The plot thickens !
    Dropbox stores all data on US servers so I would be breaking EU and Irish Data Protection Laws by storing the files there. The information is of a personal nature.
    So we are back to looking at an encrypted NAS with backup to Irish/EU based cloud servers.
    Thanks folks.


  • Closed Accounts Posts: 22,651 ✭✭✭✭beauf


    ...We are a small business and our IT infrastructure is limited to a desktop computer and a laptop ..

    I hope these are encrypted, that someone couldn't steal either or both machines and be able to get to these files in your email, and/or on the machine itself. Use an encrypted email service. Use strong (long) passwords that are tested etc.

    Those would be basic precautions.


  • Registered Users Posts: 6,213 ✭✭✭bonzodog2


    I'm not an expert on EU and Irish Data Protection Laws, but if you were to store a compressed and highly encrypted archive of say a month's worth of the files, as a backup, to say, Dropbox (or another), would you technically be storing 'the files' outside EU?



  • Closed Accounts Posts: 22,651 ✭✭✭✭beauf


    ....We are a small business and our IT infrastructure is limited ....

    The thought occurs to me that...Personal data and data security would seem to be central to your business. Central to most business usually.

    I would strongly suggest you put some time aside to do a course on this, and really get on top of this. Even get someone in to advise you. It seems to me that you are at extremely high risk of a data breach, which would be expensive, and potentially destroy the business overnight. I've got holiday snaps of a nice rock on a beach which are vastly more secure than your business data. You can up your security for free, but you need some knowledge. Thus far you've actually done nothing about it. Most of the stuff you can do is not expensive or is free. But seriously not spending anything on it at all, money, learning, or time. Well doesn't look very good does it.

    You've realized you have a problem. But you really need to act on it.


  • Registered Users Posts: 113 ✭✭GeneralSherman


    Thanks for the advice beauf. Just to clarify things here ... I am currently employed by a company and they are considering outsourcing this part of the work. I and my partner are proposing to take this on.. hence all the questions. We realise that the current way they operate is not sufficient and if we are going to take this on we are looking to do it right. Yes the storage of this personal data is at the core of our business and our expertise lies elsewhere. I needed answers and pointers to some questions and quick! As stated in my original post we are prepared to invest money and time to do this and we are prepared to consult with experts too. I can assure you that your statement that we have done nothing about it is not true.


  • Closed Accounts Posts: 22,651 ✭✭✭✭beauf


    Is any of this data encrypted at this moment?


  • Registered Users Posts: 113 ✭✭GeneralSherman


    No... but pdfs not in use yet... still paper based.... AND don't even start on that !


  • Registered Users Posts: 1,984 ✭✭✭ItHurtsWhenIP


    OP, I know you probably can't say what type of sensitive information you are dealing with here, but don't forget there may be certain standards that you will need to comply with as well.

    The obvious one is PCI-DSS where you are handling credit card information.

    If it's medical data then HIPAA may be in force (though I think this is only a US requirement).

    So keep that in mind too.


  • Registered Users Posts: 113 ✭✭GeneralSherman


    Thank you very much.. none of the above apply here thankfully. I think I def. need more training in the area of data protection. There is only so much you can read and study from the Data Protection Commissioner's website.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    You could contact the DPC and ask to speak to a compliance officer to get some advice on what standard you need to reach.


  • Registered Users Posts: 1,422 ✭✭✭Ms Doubtfire1


    You could also use a cloud based subscription service, i.e. the documents will be stored on a highly secured server and can only be accessed there through an email sent directly to the user. The user then logs into that server and downloads the document straight onto their own PC/laptop.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    You could also use a cloud based subscription service, i.e. the documents will be stored on a highly secured server and can only be accessed there through an email sent directly to the user. The user then logs into that server and downloads the document straight onto their own PC/laptop.

    Any cloud providers you'd recommend which provide a highly secured server?


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    syklops wrote: »
    Any cloud providers you'd recommend which provide a highly secured server?

    spideroak?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    LoLth wrote: »
    spideroak?

    My question was more for Ms Doubtfire who seemed to imply that cloud and highly secure servers were synonymous, which they certainly are not. I'm aware of a couple of secure cloud providers, but I didn't want the OP to think that security and cloud automatically go hand in hand.


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    I wouldn't dream of using Dropbox or similar, for secure storage.

    The main issues you face are probably

    1) Not having the files stolen

    2) Not having the files lost (eg through disk failure).

    Suggestion:

    Buy at least two USB hard drives - keeping one at your house and one at your partner's (in case of fire etc).

    Download an open source encryption system such as VeraCrypt. Use VeraCrypt to create one or more encrypted folders - on the USB drives and on any PC which contains the confidential PDF data.

    Be sure to use a strong password and ideally multiple encryption algos - eg Serpent, Twofish, AES - in that way if a weakness is found in one system, a hacker would have to also break the two other systems. This is just a menu option and adds no more complexity to your day to day maintenance task.

    By a strong password I mean a password that looks like
    X0'RE`3n"&GZQT"Q1(YOqn?CAXN|$I<Y#T#MwFsDYN+&QFaI|TY}_A$mb$r1^pW
    which is a pain in the neck, or use a good password + a keyfile (eg something stored on a USB key). VeraCrypt will create a keyfile which you and your partner can have a copy of, and do not lose same!

    The main way to break encryption is some form of password attack. You need to make your password / keyfile awfully complicated to prevent this. VeraCrypt can do all the hard work in creating a massive keyfile.

    You mightn't want to limit your backups to two drives - perhaps keep another with a trusted friend at a different location.

    Be sure to update your backup drives regularly.

    Every copy of your confidential data should be encrypted.

    In my view, this type of procedure is good for medical records, financial records, probably nuclear missile launch codes etc.

    (Of course you need to ensure that the computers used to open these files are clean - free from malware - which includes password stealing software etc). As somebody else said, total security is not achievable.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    syklops wrote: »
    Any cloud providers you'd recommend which provide a highly secured server?

    be grand ;)
    More than a 1000 hackers tried to break our security for $50,000. No one succeeded.

    https://tresorit.com/


  • Registered Users Posts: 1,422 ✭✭✭Ms Doubtfire1


    syklops wrote: »
    Any cloud providers you'd recommend which provide a highly secured server?

    Leapfile inc

