
Posts Tagged ‘security’

Are You Paranoid Enough? FileSlinger™ Backup Reminder 03-07-08

Friday, March 7th, 2008

Now and again I talk about aspects of data security that aren’t directly related to backups. I don’t do it often, because I’m not a security expert, but there’s more than one way to lose your data, and stories about backup tapes stolen from financial institutions and missing laptops with confidential information on them show up in the news pretty often.

The security of your backups can be an issue for everyone. If someone broke in and stole your external hard drive, would they get everything? Most small and home office users have at least some information that shouldn’t be available to anyone who finds a USB key lying on a taxi seat. So we should all take basic precautions and not make it easy for those with harmful intent.

I saw an announcement about a new service called BlogBackupr the other day and flagged it as something to investigate. As a backup blogger, I’m certainly in favor of backing up your blog. (I’m not at all in favor of that awkward name; even “Blog Backer-Upper” would be more euphonious.) Before I could check the service out, however, I saw a post from Ike Pigott warning readers about the way any provider of such a service could abuse the login and password information for your blog.

And just in case I wasn’t feeling paranoid enough after reading Ike’s post, I got a link to a new white paper from Bitpipe this morning: “How to Fully Protect Your Storage Environment.” (You’ll have to register to download it, if you’re interested.) The section that caught my eye was “Why and How Your Storage Environment Will Be Attacked,” by Kevin Beaver.

While the guide addresses enterprise storage, a few points apply to smaller businesses and home users as well:

    1. Storage security does not equal redundant systems and good backups. These two elements are only part of what’s going to keep your data safe and sound, so it’s important not to solely rely on them as has been done in the past.
    2. Storage encryption is not the silver bullet. Not for data at rest and not for data in transit.

The truth is, we all have to trust someone with our data sometime. Even if you run your own web and mail servers, even if you avoid online backup services, the only way to protect your data against fire, flood, and theft onsite is to move copies of the data offsite—which means it’s vulnerable in transit and at its destination. And most companies providing backup and storage solutions limit their liability pretty severely.

The malicious hackers are way ahead of most of us, too. They know more ways to attack than we’re aware we should defend.

So what’s a sensible person to do?

If you work with really sensitive data, it’s probably worth hiring a security expert. Otherwise, take the obvious precautions. If it’s small and portable (and even my twelve-ton, 17-inch laptop qualifies for that category), put a password on it. And store your passwords in a password-protected program. Don’t leave your data unattended. Do provide someone in your company or family with your master password in the event you are injured or killed and they need access to your data, but make sure that person knows how important it is not to hand out that information.

Check out any storage services you’re thinking of using before you sign up: search on Technorati and in places like Yelp to find out what people are saying about them. One or two negative reviews is normal, but if you find pages and pages of complaints, stay away. If a storage company is making headlines because of lost or stolen data, choose someone else.

At least most of us SOHO users can comfort ourselves with the knowledge that we are just too insignificant for serious hackers to bother with. The payoff for stealing your PIN number is fairly small. The payoff for stealing millions of credit card numbers from a bank is a lot higher.

But don’t let that make you careless.

FileSlinger™ Backup Reminder 05-05-06: There’s Data Protection, and Then There’s Data Protection

Friday, May 5th, 2006

Last week Faithful Reader Mike Van Horn suggested that since the real purpose of backup, and therefore this newsletter, is protecting data, I should talk about protecting data in other ways, specifically the issue of securing computers against theft.

Unfortunately, I know nothing at all about this subject, apart from the fact that when the Ur-Guru needs to leave his laptop in a hotel room, he puts it in his unbreakable Samsonite suitcase and then uses a cable with a combination lock and alarm to secure said suitcase to a large piece of furniture, like a bed.

I’ve owned and traveled with laptops since 1994 and never had one stolen, possibly because I don’t let them out of my sight (or, usually, grasp) unless locked in the trunk of the car. Mostly, though, I think I’ve been lucky. Actually, I know I’ve been lucky, as on a couple of occasions I’ve managed to leave the house unlocked when I went out, but came home to find all my possessions where I left them.

Iron Mountain hasn’t been so lucky: they just lost more backup tapes. Just because the storage giant acquired LiveVault and its Continuous Data Protection technology doesn’t mean all its data-storage customers have switched from tape-based to disk-based backup. But I’ve talked about the vulnerability of tapes in trucks before (in the March 4, 2005 backup reminder), and nothing much has changed on that front, so I won’t repeat myself here.

Instead I’ll replay my generally-uneducated answer to the theft question and then ask readers for their input.

Mike’s Question:

“I’ve done a few Google searches on security kits for computers. I’m surprised at the paucity of good solutions. Laptops have cable locks with flimsy connections to the computer that I’ve been told can easily be broken off. With larger computers, you can encase them in metal, like Robocop, or else super glue a D-ring onto the case, to which you can attach a cable and lock. Why aren’t computers designed with a better security connection?”

My Answer:

“I don’t know whether people prefer to have insurance, or what. Some people have systems with removable drives, so they can take their data home at night. (Complete computer towers and servers are bulkier to shift than laptops.) Of course, data centers have security guards at the doors and keep the machines in wire cages, with nothing but dumb terminals out in the open.

“The less accessible your machine is for thieves, the less accessible it is for you or your IT repair staff. Most modern tower machines can be opened with a simple latch pull, and unhooking the drive and the various boards is a trivial effort. That makes taking the whole tower away rather beside the point, particularly if it’s your business data they’re after and not just salable parts–though they can still realize a substantial profit on anything they rebuild from the components they take from you.

“I think protecting your computers is a bit like protecting your car. A garage that thieves can’t get into is going to do you a lot more good than a car alarm.”

One thing I didn’t think of at the time is that there’s a difference between protecting your data and protecting your hardware. Good encryption can protect your data from all but the most skilled hackers even if all your hardware gets hauled off in a truck. (Without off-site backups, though, you may not have any more access to your data than the thieves do.) But encryption, like locks and steel cages, makes working with the data yourself more trouble. This is part of why most of us only encrypt a few files at best. I password-protect my Quicken files and the PDFs of my tax returns, as well as invoices and contracts. I also password-protect sensitive client data, and my own collection of passwords. But anyone stealing my computer or my XHD would still get some pretty comprehensive information about me.

Mike asked what I’d heard from other readers on the subject of protecting computers against theft. Nothing, so far—but I’m hoping that will change. Any of you with experience in this area, please send your recommendations to sallie@fileslinger.com or post them here on the blog (click the little link below that says “comments”).

See you next week with more backup news!

Banking on Backups: FileSlinger™ Backup Reminder 3-4-05

Friday, March 4th, 2005

Lost backups seem to be the theme of the week. There was the break-in at Lasso Logic (see my March 2 Backup Blog entry), where some enterprising thief (or competitor) made off with the backup servers, for instance. But the big scandal is the disappearance of more than a million SmartPay® records somewhere between Bank of America and its backup facility.

SmartPay® is a General Services Administration program to provide charge cards to government employees and contractors. Bank of America is one of five financial institutions responsible for these accounts, and the missing backup tapes contained customer and account information for 1.2 million government employees, including senators Patrick Leahy and Elizabeth Dole.

If verifying tape backups is rare, encrypting them is even rarer. I don’t normally encrypt my backups, and neither do most people I know.

On the other hand, I keep my Quicken data, my passwords, and any proprietary or financial information about my clients in encrypted files. Doubtless any really professional hacker could still break into them, just as such a person could figure out my Windows Logon password easily enough. But it’s enough to keep casual burglars and curious visitors out of my files.

And if I can do that much, you’d think a bank would realize it needed to encrypt its backup tapes. Banks are, after all, the most obvious targets for large-scale data theft. Bank accounts belonging to the government are, if possible, even more tempting targets. (After all, whose card would you expect to be able to charge more to, mine or Uncle Sam’s?)

I personally find the fact that it was those particular tapes which were stolen highly suspicious, and the disappearance raises a great many questions about other aspects of the transport and security of Bank of America’s backup tapes. Do they send them in armored cars with guards? If not, why not? Pound for pound, the information on those tapes is worth more than cash. If so, then how did the tapes get mislaid? Was this an inside job? Do I need to take my money out of Bank of America? (But if I do, would it actually be any safer elsewhere?)

One hopes that this incident, and certain other recent highly-publicized cases of data theft, will cause financial institutions and other corporations to re-evaluate their backup policies. Continuity Central has some suggestions, including using RFID tags, bar codes, or even GPS locators on the tapes for better tracking, encrypting the tapes, and not using tapes at all. All of those sound like good suggestions to me.

Small and home office users probably don’t need to go as far as bar codes, RFID, or GPS, but I strongly advise you to password-protect not just the backups of any sensitive information you have, but the files themselves. Outlook PST files, ACT! databases, and Quicken and QuickBooks account files can all be password-protected. And your passwords themselves should be password-protected. (There are several freeware products for this, and others which will generate random passwords with as many characters as you want.) If you have lots of sensitive data or many people have access to your office, you definitely need a logon password, and might want to consider a LockBox drive for your backups.

And you might just want to ask your bank what it’s doing to keep your account information secure.
