The Importance of Security
Security takes time, effort, and resources. So there is always a trade-off between Easy and Secure. People tend to do what’s easiest because our brains work that way, and companies tend to do what's easiest because it's less expensive.
But when you do things right, you don’t just get security, you also get Peace of Mind. That’s a 2-for-1 deal. In any other situation, would you take that deal?
There are lots of methods of adding security, and each method essentially puts a lock between the world and the contents of the file. Some locks are more easily broken than others. Combining methods creates layers of locks, but requires more effort. There is a growing number of tools to help conscientious computer users be secure with less effort, but not all of them are good. Tools that have been vetted by security experts are best.
We use a “5 levels” approach for thinking about secure file sharing, and in practice typically use levels 1-4. In this model, level 0 refers to anything that you want to be public. Each level of security is good for certain things. We’ve tried to identify what each is good for, and then give commonly used services that match the profile. The idea is: share the right stuff on the right level; don’t share important stuff on a lower level.
5 Levels of Security
Level 1: A good password
Good for: things we would like to be mostly private, but that wouldn’t end the world if they got out. Family photos, phone numbers, addresses, airline tickets.
Matches the profile: Some email, Facebook, misc. online accounts and the like. For most people, it also applies to their personal computer and their smart-phone.
Level 2: A hard-to-break password + limited access
Good for: things we definitely want to keep private, but that also wouldn’t be the end of the world if someone else saw them. Receipts, bank statements, financial reports, detailed personal plans.
Matches the profile: secure document sync services such as Dropbox and SugarSync, and secure storage services like Shoeboxed.
Level 3: 2 Factor Authentication + limited access or item encryption
Good for: sensitive things that someone could do damage with if they wanted to. Credit card info, online banking credentials, social security numbers, or personal medical information.
Matches the profile: the use of shared encryption in combination with a secure sync service, or the use of an application/USB authenticator in connection with a strong password.
Level 4: 2 Factor Authentication or Biometrics + limited access + item encryption
Good for: Collections of sensitive info, extra important things not covered in Level 3, or for use on other things if you’re super vigilant.
Matches the profile: An encrypted file saved on an encrypted flash drive, shipped with signature confirmation (or delivered in person), with the encryption keys shared in person.
Level 5: Biometrics + 2 Factor Authentication + limited access + item encryption
Good for: Sharing classified documents, or protecting national secrets.
Matches the profile: We haven’t ever handled anything requiring this level of security, and we don't anticipate that you'll need us to... but just in case, let us know.
Other things we do
To ensure the security of your data:
- Strong firewall and anti-virus requirements for all employees
- Full background checks on all employees
- Well-defined permissions and access for all employees
- All defaults set to use SSL internet connections
- 2-step verification used wherever possible
- Use of random passwords required for all “normal” passwords
- Use of LastPass required to save and share passwords (www.lastpass.com)
- Double password entry required to access accounts shared by you
If you couldn't tell already, this is something we’re interested in and transparent about. If you have questions or special needs, please let us know.