Synopsis
The article looks at a number of high-profile breaches of data security and their underlying causes. It also considers how organisations that pass valuable data to third parties can assure its protection and understand each other's security posture without relying solely on trust or intrusive inspection.
In the modern business world, information is king. So the question begs: why are some companies fundamentally lax with their information? More importantly, why are they fundamentally lax with my personal information? What can be done to correct this apparent lack of understanding and awareness?
The measures put in place following the loss of a Ministry of Defence laptop containing the personal details of thousands of military recruits were, in effect, to freeze the movement of all laptops until they had been encrypted. Why weren't they encrypted in the first place? Because many of the laptops affected were not required to be encrypted by the policy in force at the time.
In 2009 a Home Office memory stick containing around 300,000 personal records was lost by a contractor, resulting in the company being fired from the department. Yet had they actually done anything which in all honesty could not have happened to any of us? Experience tells me that, but for circumstance, the fault could have lain with any other employee within the Home Office. Short of handcuffing it to the carrier’s wrist (keep an eye on Government policy, and remember I said it first) it is difficult to guarantee against loss of a data device if it needs to travel, particularly if the business has no process for controlling or managing that movement; or worse, it has a process that is ignored because it lacks support from upper management. The apparent failure in these cases was in policy enforcement and the lack of a strategy for rendering the data unreadable in the event of loss; yes, I’m talking about encryption.
The Government is not alone; according to a 2009 survey of 615 public and private sector organisations in the US by The Ponemon Institute, 12 per cent admitted they were affected by data loss incidents over the previous year. Although the poll was commissioned by a supplier of encryption products, it’s no surprise that one third of the unaffected firms had an encryption policy. It’s not that they didn’t have an incident; merely that it had no effect on them. When choosing a supply chain or outsourcing partner, where would you go? To the ones who reported a loss, the ones who didn’t, or the ones unaffected? My money is with the latter.
Data security goes deeper than just loss in transit; it’s at risk within the corporate infrastructure if there is insufficient protection afforded it. The media industry has experienced significant data loss in the form of piracy of material ahead of official release. Here, there is a real drive towards securing pre-release material using techniques that would not be out of place in a spy novel, plus the threat of legal action. Online content needs to be accessible; yet once accessible to the world at large it is effectively compromised. Most of the media industry takes the view that the critical element is to be the first to make material available; if the pirates are first in the marketplace it has a marked effect when the genuine article arrives later.
In 2005 Coldplay's album X&Y was leaked to the internet a week ahead of its European release, and within minutes the tracks were being downloaded despite the efforts of their record label EMI to prevent leaks, including non-disclosure agreements, technical sweeps of preview events, searches of outsourcing employees and the pre-release album going under a pseudonym. Praising EMI's efforts, the British Phonographic Industry told the Guardian newspaper: "The prevention rather than cure mantra is absolutely key for us..." Each pre-release undergoes an increasingly stringent repeat of these measures. The cost is only palatable because of the huge profit generated by the release of new material; without that profit such measures are not only unpalatable but difficult to justify.
Prevention within the parent organisation is achievable, given time, expertise and money. Security policies that serve the information needs of the business align security with business output, which is exactly how it should be. But policies, or any other measure, have little effect if there is no appetite for them at executive level; without support from the top no one will enforce or adhere to them. That is problem enough for any organisation without factoring in outsourced services: where is the value of sound security policies and practices when you have little possibility of ensuring the same degree of diligence in your sub-contractors?
Industry, not just the security industry, needs a means of mandating simple, manageable and scalable practices that can be passed between companies and organisations, enabling all parties to understand each other's security position. This means a system that affords verification between those parties without protracted contractual negotiation or intrusive validation by the contracting company, or, worse still, a reliance wholly on trust.
Such a system could implement the fundamentals of information security across a whole enterprise, in staged increments, allowing organisations of all sizes to grow their security in line with business needs. Companies clearly understand the value of their information and the impact a loss will have on their business, which means they should also understand the level of investment required. Yet many organisations fail to implement security for the simplest of reasons: failure to recognise the need for protection, or not really understanding how it can be achieved, sadly falling back on the adage "I know we're safe, we have a firewall."
And what about those outsourcing companies mentioned earlier? How do you check that they are secure to the standard you require before entrusting your precious information to them? With a scheme able to show what measures must be in place to achieve a given degree of security assurance, it would be a simple matter to urge, encourage or insist that any outsourcing is undertaken by an organisation whose security implementation is known and understood, and is of a standard equivalent to or greater than that of the principal organisation. Complete security? No, but a lot of steps along the way, plus some added peace of mind.
Published in: www.net-security.org, Risk UK, Katonda, IDMi (formerly Green Sheet Media), Professional Security, Database & Network Journal, Global Security Mag, The Data Center Journal, Medical Technology Business Europe, www.prosecuritytalk.com, Credit Control Journal.
First published 1 Mar 10.