Get smart on data security

Spectacular data mishaps in the public sector should have alerted boards to the dangers of sloppy practices. Paul Fisher urges senior managers to keep asking awkward questions.

by
Last Updated: 09 Oct 2013

Alistair Darling was not having the best of afternoons on 21 November last year, when he announced to the House of Commons the loss of 25 million records by HM Revenue and Customs (HMRC). Leaving aside the gasps and expressions of incredulity by an Opposition not about to miss an opportunity to bash the Government yet again, the HMRC case will come to be seen as a defining moment.

The quantity of data involved was stunning, and the banal manner of its loss more so. A still unnamed HMRC employee copied the data onto unencrypted discs and popped them in the internal post. And they never arrived at their destination.

Darling's discomfort was also the moment when the wider public began to grasp the basics of what hitherto had been the domain of IT specialists. Many people now understand the concept, if not the application, of data encryption, and they also question the Government's competence in keeping secure the vast quantity of data it holds about the population. But it was also the moment when senior managers in the private sector should have heard their own wake-up call on data.

It may be tempting to think: 'Well, that's the Government - we do things differently here. I'm pretty confident we've got our systems sewn up.' But when was the last time you had a word with your CIO or, if you have one - and the chances are you don't - your chief information security officer (CISO), about your preparedness to stop an HMRC-style disaster? Do you know what threats exist both inside and outside your offices? What is your policy on Web 2.0 applications, for example?

The IT department may well understand all these issues, but in 2008 those up in the C-suite are also expected to appreciate the vulnerability and liability of the businesses they run. If you believe that because your company has a firewall or anti-virus protection on all its PCs, you're covered - think again. Creating a secure business takes more than locking down systems, because those systems are no longer all in one place and are difficult to lock down. Mobile working, wireless, 3G-enabled PDAs and the emerging trend of 'cloud' computing - using applications that reside on the web - are revolutionising the working environment.

In addition, the way your employees view and use corporate IT is changing rapidly, and not in ways you may like. MySpace, YouTube and FaceBook owe much of their success to people taking advantage of fast corporate connections to share information on social networking sites.

This stuff isn't going away, either. FaceBook may well be so last-year in the eyes of some, but it will be replaced by something just as smart and contagious. Your staff, unless barred from doing so (not seen as a wholly progressive move), fully expect to be able to use these applications.

A recent study by IT services company Dimension Data showed that almost half (46%) of British workers with internet access at work conduct online banking there, and nearly one in five (19%) use sites such as MySpace and FaceBook. They are also avid users of instant messaging (18%), file-sharing (13%) and downloading MP3 tracks (10%). Your newest and youngest employees are likely to view e-mail as dated and slow - the text generation communicates via instant messaging (IM).

Those same people are also wandering in each day with those little white headphones protruding from their ears and carrying mobile phones that have turned into mini-computers. These are sophisticated devices, capable of carrying data in and out of your company, a process over which you have little or no control. The ubiquitous USB stick is now capable of carrying gigabytes of information - enough to copy entire databases. All these devices, unless monitored, are capable of spreading malware and leaking data - and usually without malice.

Employees are now wired individuals - online at home, on the way in and at work - and the distinction between places is blurring. Their behaviour and the technology they adopt are developing faster than most businesses can implement policies to control them. So what can you do?

The answer in enlightened information-security circles is not to control it but embrace it - with discretion. Mobile working and Web 2.0 applications can bring competitive advantage. Smart workers expect to use smart tools - so don't deprive them. Work with your HR director, CIO, CISO and IT director on ways to implement an acceptable usage policy (AUP) that takes account of new trends, and ensure that someone in your company is put in charge of keeping it up to date. And demand that your CIO or CISO makes it impossible for data to leak through USB sticks. It's not difficult.

The trick is to give your employees the freedom to use technology securely and in a way that benefits the company. Monitoring staff should, in theory, be easy, but less straightforward is managing the threat from outside - the hacker. The cliche that hackers no longer seek glory or notoriety among their peers is true - but that can make them more dangerous. Many of them are now working for organised criminal gangs in Russia, eastern Europe, China and the US. Those who once worked alone have realised that crime pays best when working anonymously and with others - for very smart people.

It's hard to quantify how much the cyber-crime industry is worth. A 2005 news story put it at $105bn - more than the illegal trade in drugs worldwide. Many experts think this unlikely, but as banks and others are reluctant to admit to cyber crime losses, the true figure remains elusive.

Little serious research has been done on its scope and nature. However, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants by researchers Jason Franklin et al at Berkeley and Carnegie Mellon Universities (November 2007) throws some light. It provides the first dispassionate study into the minds and methods of the cyber underground - and hints at the true cost to individuals and businesses.

Most intriguing is the way that cyber-criminals trade with each other, and the surprisingly efficient nature of the e-black economy. Parcels of stolen accounts and credit card details are offered on underground auction trading sites - where criminals even rate each other's integrity. Most people and businesses never know that their details have been stolen and traded. Bank accounts sometimes get cleaned out immediately, as in popular imagination but, mostly, criminals skim small amounts from millions of accounts over time. The nature of business accounts makes it harder to track such activity.

There's no better way to get stuff out of a company than by getting someone in. Criminal gangs are now playing the long game: some of those programmers, bank tellers, marketers and salespeople you employ could turn out to be working for the mob. It's hardly a new approach, but the difference is that they can go undetected for years and carry out small attacks on a daily basis. One line of defence is to use the emergent behavioural-analysis systems that, in real time, monitor what your employees are up to and what they are trying to access.

Stealth and targeted attacks form part of the tactics used by today's hackers on the outside. Individuals within companies are singled out, often on the basis of job title, and some are blackmailed into working for criminal gangs. Rogue software can be dropped into your employees' PCs to quietly harvest passwords and access codes and make a note of their bank account details as they check on the state of their overdraft. Hackers can also monitor IM conversations and read company e-mail. Really sophisticated attacks can even hijack what looks like a secure web connection by taking over the browser.

There is also legislation to worry about. Firms that store and process payment-card data are now having to become more secure, thanks to a payment-card industry initiative known as PCI Data Security Standard (PCI DSS). You need a way of keeping customer card data secure, usually through encryption. Nothing in law can as yet force firms to become PCI-compliant, but the stick comes in the form of fines and possible loss of payment facilities from the big card groups. Not good for business.

The real cost, though, is to your brand. Being outed as an insecure company, particularly for financial services, risks reputational damage - as HMRC has discovered. One of the repercussions of the HMRC affair is that US-style legislation may be passed to force any organisation, public or private, to make public any data breach it suffers. This is likely to happen, along with fines for miscreant companies. The current tendency for companies to keep data breaches to themselves unless events oblige them to go public will end and serial offenders will be found out.

Smart managers will be those who don't wait for that legislation. Making your business secure and understanding the dangers to you and your employees is no longer just for the IT guys. It's too important.

- Paul Fisher is editor of MT's sister title SC Magazine

SAFELY DOES IT: STAY AHEAD OF THE HACKERS - AND THE LEGISLATION

Stay informed. Have monthly meetings with your head of information security and ensure they provide a plain-English report on threats, incidents and contingencies every month.

Ask stupid questions. IT people like to hide behind acronyms and jargon - cut to the chase: what do they really mean? Challenge them if they don't provide reassurance.

Don't get hung up on technology or IT terms. This is what you pay your experts to understand; you have a business to run.

Check out your IT security people. Are their qualifications relevant? A degree in information security is a good start; an IT reseller's 'sales shark of the year' award isn't.

Question your IT heads. You need to know that your CSO, CIO and CISO are up to speed with developments. When was the last time they ran checks? Is the vendor they bought from still in business? If not, is the acquirer company keeping the units up to date?

Keep them involved. Include your HR director and legal people in policy decisions involving the use of technology in the office. Knee-jerk reactions against new technology such as Web 2.0 can be counterproductive.

Instigate an acceptable usage policy. If you don't have an AUP, bring one in as soon as possible. If you do, when was it last updated? It's a no-brainer to say employees shouldn't download porn - but are they aware of the latest dangers on the internet?

Tell staff the risks. It isn't just your customers and your business that are at stake. Your employees are at risk personally. If they are compromised while working for you, they may well blame you - and sue.

Protect your data. If you hold customer information, ask your IT people what they have done to ensure it is secure. Being secure is good for business and good for your brand.

Run a security-awareness programme. It may help your defence when a data breach actually happens on your watch.

... But don't rely on it. Your employees will do dumb things to get their jobs done, so you need the technology in place to stop them. The CISO you hired will know what that is.

Don't believe the hype generated by IT security vendors - the situation remains manageable. They gain most from providing over-complex solutions to ignorant CEOs.

DATA BREACHES COST MONEY

New research shows that data breaches in the UK average a loss of £47 per compromised record, while the cost to individual businesses was more than £1.4m, on average. The cost was highest in the financial services sector, at £55 per record lost. The research, commissioned by data-protection company PGP, claims to factor into the results the cost of customer churn and loss of future business.

Source: Ponemon Institute.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Subscribe

Get your essential reading delivered. Subscribe to Management Today