Keeping Secrets

How to protect your computer from snoops and spies.

BY THEO CALLAHAN
July 1, 2007

  

 
 

You may be able to keep a secret, but how confident are you that your computer is up to the task?

As a CPA, you’re entrusted with loads of confidential information, and your professional reputation depends on your discretion. But your computer may be vulnerable to someone accidentally or maliciously prying into or tampering with that confidential data.

This article examines the dangers and ways to make your information more secure. Notice I say more secure because security is a relative condition: The higher the security, the harder it is for a meddler or a crook to access it; but it also becomes more difficult for you to access. So, as a practical matter, you probably need a level of security that keeps out the innocent meddler and all but the most determined and sophisticated intruder—yet still gives you access with relative ease.

Since most of the practical applications apply to Excel more than Word, I’ll use examples from Excel. But the basic protection steps are similar in Word. I’ll take you first through the basic steps of password protection, then I’ll show you more secure techniques for situations where privacy is a higher priority. Finally, I’ll demonstrate how and when to use the tools to keep users of your files from accidentally corrupting a worksheet, for example, that’s used as a demonstration tool or from drilling down to uncover confidential data stored below the surface of the file. But be aware that people are out there with the tools, intelligence and determination to break just about any code.

PEEKING PROTECTION
Microsoft Office’s Word and Excel have two levels of tools to keep unauthorized people from accessing files. Think of the first-level password tool as comparable to locking your front door; a burglar needs only to smash a window to gain entry. Likewise with password protection: Someone with limited technical skills—but with resolve—can crack the protective codes with any of several free or inexpensive password-recovery utilities available on the Web. Almost all are published with a wink-wink caveat that they are only for use on your own documents—not to intrude on someone else’s privacy. For those who care to pursue this subject further, an Internet search with the key words password recovery can locate sites that contain tutorials on how to crack passwords.

To initiate password protection for a file, open it and click on File and Save As . (If you’re saving it for the first time, just click on Save.) That will open a menu with a Tools command in the top right corner (see Exhibit 1). Click on it and then on General Options .

 

That will open a Save Options password screen (see Exhibit 2). Notice that you have two choices: one password just to open the file and a separate one to permit its modification. You also have the option to make it Read-only , which also protects it against modification. I’ll discuss later what’s behind the Advanced button, which takes you to a much higher level of protection.

 

When you click on OK, a Confirm Password screen will open (Exhibit 3) and you’ll be asked to repeat the password and warned to keep it in a safe place because you’ll be unable to recover it should you forget it; of course, that’s not quite true.
At this point, a file can have at most two levels of defense—a password on the workbook—which incorporates multiple worksheets—and a password on any of the individual worksheets. It’s best to choose a different password for each even though it’s harder for you to maintain a second password.

 

Now, back to that Advanced button. Click on it and the Encryption Type screen opens (Exhibit 4).

 

This tool goes beyond just providing a password to open a file; it encrypts the data itself so that, even if an intruder gains entry, the information itself will be encoded. If you scroll down the list of entries under Choose an encryption type, notice that the minimum key length in the Choose a key length box becomes very large. Although these codes are pretty secure, they are still vulnerable when attacked by experts.

Of course, many other encryption programs are available from commercial organizations. But beware, this is a complex subject and some products provide less security than claimed. For more information about encryption software, you may wish to read Snake Oil Warning Signs: Encryption Software to Avoid ( www.interhack.net/people/cmcurtin/snake-oil-faq.html).

HANDS OFF
Don’t just think of password protection as a way to guard your data from intruders. It also can be used to protect a complex Excel presentation tool from a user accidentally breaking a link or altering a critical formula.

As illustrated by the refinancing spreadsheet tool in Exhibit 5, you can put colorful warning signs, such as <<<< Don’t type here!! to protect a vulnerable cell, but a more effective and professional-looking method would be to password-protect those critical cells without putting up such warning signs.

 

To provide such protection, first highlight the cells in which you want to allow users to modify data and click on Format, Cells and then the Protection tab. Clear the box marked Locked (see Exhibit 6).

 

Then go to Tools , Protection and Protect Sheet (Exhibit 7).

 

With that kind of protection you can put together a professional-looking spreadsheet tool, as shown in Exhibit 8, without the fear that users will inadvertently alter your design or mathematical functions.

 

DRILLING FOR SECRETS
PivotTables can be booby traps. A user who pushes the right button can drill down to disclose the underlying data that the worksheet used to display the final calculated information.

Imagine a CPA firm is engaged by a group of distributors to collect and analyze benchmarking information with the understanding that only the group data will be revealed, not each distributor’s individual information. For this assignment, the CPAs used an Excel spreadsheet and the group results are calculated in a PivotTable—the perfect tool for such a calculation. When the project is completed, all the participants are invited to see their own results and compare that information with the accumulated data for the entire group. But an astute user can drill down and see all the information about the competitors because the CPA firm overlooked a powerful feature of PivotTables—the ability to drill to details.

When you look at a PivotTable, it may appear to have no hidden sheets. Yet a double-click on any result cell will trigger the appearance of the underlying details. That vulnerability exists even if you had taken the table out of its original spreadsheet and placed it in a new one.

You can disable that feature by right-clicking on the PivotTable, choosing PivotTable Options (see Exhibit 9) and unchecking the box at Enable drill to details and then OK.

Warning: Even if you password-protect the file, there is no way to stop a savvy user from breaking your code and overriding you by opening PivotTables Options and checking the box so that the protection has been removed.

 

A much better way to safeguard PivotTable data that needs to be presented in a computerized demonstration is to copy the table into Word or PowerPoint in HTML format. This format is plain text and does not retain any information on individual entries. It still allows you to e-mail documents but removes the need to protect sensitive data—as long as you recognize that e-mail, too, is subject to unauthorized peeking. Yet another way to thwart meddling with the text is to convert it to an image.

As you can see, protecting the confidentiality of information on your computer is not easy. But, hard as it is, it must be given high priority.

Theo Callahan is president of I Get It! Development, a consulting firm based in Los Gatos, Calif., that develops custom software and offers custom business-process training programs. His e-mail address is theo@igetit.net.

Editor’s note: The functions described in this article apply to Windows XP and Office 2003.

PROFESSIONAL DEVELOPMENT: EARLY CAREER

Making manager: The key to accelerating your career

Being promoted to manager is a key development in a young public accountant’s career. Here’s what CPAs need to learn to land that promotion.

PROFESSIONAL DEVELOPMENT: MIDDLE CAREER

Motivation and preparation can pave the path to CFO

CPAs in business and industry face intense competition to land a coveted CFO job. Learn how to best prepare yourself for the role.

PROFESSIONAL DEVELOPMENT: LATE CAREER

Second act: Consulting

CPAs are using experience to carve out late-career niches. Learn how to successfully make a late-career transition to consulting, from CPAs who have done it.