If your employees carry sensitive company data on unencrypted laptops, portable hard drives or USB flash drives, your job and theirs may be in jeopardy.

We report cases almost weekly in these pages of lost or stolen computers and drives with unencrypted data, and the havoc that ensues.

Sometimes you shake your head in wonder – at the staff member in a Welsh medical clinic, for example, who sent an unencrypted USB drive containing medical information on 8,000 patients through the mail. It was lost.

Or the hospital employee who dropped a flash drive in the parking lot with unencrypted personal data and medical records for dozens of psychiatric patients. It was luckily found and returned.

Insisting that employees encrypt sensitive files is not always a popular strategy, though. It inevitably involves some human overhead – remembering and keying in strong passwords, using unfamiliar procedures.

EncryptStick Digital Privacy Manager from ENC Security Systems – free for a limited-capacity version, $39.99 unlimited – doesn’t eliminate the overhead entirely, but does make the process as painless as possible, while offering unparalleled security.

For those accustomed to more conventional software and security paradigms, however, EncryptStick may not be 100% intuitive.

First, it’s not a flash drive with built-in encryption. EncryptStick is software that turns any USB flash drive into a personal security management system for encrypting and storing files in secure “vaults” (folders) on any drive, including your computer’s built-in hard drive, a network drive – or the flash drive itself.

The software now supports Windows (2000/XP/Vista/Win7) PCs and Macs (OS 10.4 and higher). But EncryptStick doesn’t run on the host system. It runs entirely from the USB drive.

To install the program, you download it to a computer hard drive and then drag and drop the .exe file to the USB drive in Windows Explorer or Mac Finder. The flash drive should ideally be reformatted first.

After installation – during which you configure the device and enter a strong password – the drive appears in Explorer with an EncryptStick label and icon instead of a drive letter. The process takes a few minutes.

Easy to useEncrypt-Stick-Application-Icon-72dpi.jpg

A crucial part of the EncryptStick design and strategy is that nothing resides on the laptop or desktop you use to download and install the product. Nor is any trace left behind on a host system after an EncryptStick session – except encrypted files if your vault is on the computer’s built-in hard drive.

It means you can use any computer to encrypt-decrypt files on a portable drive, or use any computer attached to your network – including over a VPN connection – to encrypt-decrypt files on a network drive.

ENC also has a new product coming this fall that will allow users to create vaults on cloud-based storage servers.

To move files out of an EncryptStick vault – decrypt them – you have to insert the USB drive with EncryptStick into a computer, launch the program and enter your unlock key (password).

So if you use a shared computer, other users will not be able to view your vaulted files without your USB flash drive and password. Even if you’re using a strange computer, you could open a file on the USB drive, edit it using software on the computer – and when you finish, no trace will remain.

EncryptStick uses very strong 512-bit polymorphic encryption, meaning it generates a unique encryption algorithm for every licensed user. This reduces the likelihood to almost nil that even a very determined hacker could break the encryption. But it also has some negative implications.

Protecting assets

If an employee loses his EncryptStick USB drive – and we know how easily that can happen – he not only loses any files on the drive, he also loses the ability to access his EncryptStick vaults on other drives.

In that scenario, you have to buy a new license and use backup files to reconstitute the surviving vaults. (Creating the EncryptStick backup file – ENC recommends users e-mail it to themselves – is an essential part of managing the technology.)

The simple EncryptStick interface looks and acts much like Windows Explorer. To create a new vault, click File/New Vault. The software presents a list of all the drives available to this host, including network drives. Select the one you want, give the new vault a name, click OK and it appears in the right-hand panel.

To add a file to a vault, double click to open the vault. Now open Windows Explorer or Mac Finder and drag and drop the file or files you want to encrypt into the vault. When you do this, EncryptStick automatically encrypts and compresses the files.

It also pops up a message asking if you want to permanently delete the unencrypted version from your hard drive – which, if you’re creating a vault on the host system’s drive, you would logically want to do. If you say yes to this, the file is completely deleted. It doesn’t go to a recycle bin.

To decrypt a file to view or edit it, you find it in EncryptStick’s explorer and drag and drop it to a program, file or location on the host system. You could drag an encrypted Word file to the Word menu bar to open it, for example.

For those who encrypt large volumes of data, there is a very fast search function that works like Windows search in refining lists of files in real time as you type a name or part of a name. It’s one of a few nice grace notes in this product.

Another is the ability to configure a “boss” key – a keyboard shortcut employees can use to quickly shut down EncryptStick files and program interface when someone comes into the office.

Users can also set or adjust the amount of time before EncryptStick locks up so they have to type in their password again, and set the number of days before it sends an e-mailed reminder to change passwords (30 days by default).

And when you create passwords, EncryptStick gives you the option to use an on-screen virtual keyboard – just in case the host system is infected with a keystroke logging virus.

The virtual keyboard will even foil exploits that record where you mouse click and figure out from that which buttons you were clicking. It automatically and randomly changes the position of characters in the keyboard matrix each time you click one.

Finally, EncryptStick includes a Password Manager, a simple database – encrypted, of course – for storing logins and passwords for Web sites, systems and applications.

It doesn’t let you automatically log in to sites, but that capability will be incorporated in a secure browser plug-in that ENC is currently working on and will introduce within the next couple of months.

EncryptStick is an impressive product, carefully thought out, in some ways brilliantly designed. It’s main downside is the risk of loss, necessitating repurchase. We would recommend investing in hardened USB flash drives that can be attached to a key chain.

If EncryptStick doesn’t find a wide audience, it will only be because companies fail to appreciate the importance of encryption – too bad for them – and/or balk at encumbering users with an extra few steps to open and save important files.

Follow eSecurityPlanet on Twitter @eSecurityP.