Encrypting data and protecting it with a strong password are two of the basics of information security. But here’s an easy way to make both of those measures completely useless:
Keep the encrypted data and the password (or key) that decrypts it in the same place.
That’s a lesson recently learned the hard way by auditor Ernst & Young.
Regions Financial Corp., of Birmingham, AL, recently announced that many current and former employees’ personal information may be at risk following an incident that occurred in November, The Birmingham News reports.
The data, which included information about participants in Regions’ 401(k) plan, was lost when a flash drive containing the data was mailed from one Ernst & Young office to another. When the package arrived, the drive was missing.
The drive was encrypted, which would normally mean the information was relatively safe from criminals who found it. However, the package also included a slip of paper with the password needed to unlock the data, so whoever ended up with the package had everything required to read it.
So far, Regions says, there’s no indication that any financial harm has occurred, but employees are being warned to watch for signs of fraud. Ernst & Young has offered to provide a year of credit monitoring for affected individuals.
Despite policies forbidding it, most IT professionals are no strangers to users who keep their passwords written down. This incident should serve as a warning that doing so defeats the purpose of having a password in the first place, especially when an encrypted mobile device and its password travel together. Encryption on a lost or stolen device only helps if the key or passphrase is kept somewhere else, and if it has to be shared at all, it should be sent by a separate channel from the device.
For advice to give users on choosing passwords that are tough to crack but easy to remember without writing down, read our earlier post here.