Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

A Review Of Data Breaches and What Can Be Done

InfoSecurity Europe : 03 March, 2010  (Special Report)
Martyn Smith of Logically Secure examines data breaches in both the public and private sector with further information on how such lapses which lead to private information being compromised can be prevented
See our events guide listing for more details

In the modern business world, information is king. It is the jewel in the crown of every enterprise, defining what an organization does, providing the means to undertake the business and is often the key output or commodity of the company. So the question begs; why are some companies fundamentally lax with their information? More importantly, why are they so fundamentally lax about protecting my personal information? And what can be done to correct this apparent lack of understanding and awareness?

The government has, in recent years, continued to bemuse many of us with a catalogue of information security blunders followed by either a knee-jerk response or a lengthy study. Take the measures put into place following the loss of a MOD laptop containing the personal details of thousands of military recruits, which were to effectively freeze the movement of all laptops until they had been encrypted. Why weren't they encrypted in the first place I hear you all cry? But to be fair, many of the laptops affected were not required to be encrypted by the policy in force at the time. Besides, is your laptop encrypted? If the answer is yes, then you and I are in a minority.

In 2009 a Home Office memory stick containing around 300,000 personal records was lost by a contractor, resulting in the company being fired from its position within the department. Yet had they actually done anything reprehensible beyond the act of losing the device, which in all honesty could happen to any of us? Experience tells me they probably had not and but for circumstance the fault could have lain with any other employee within the Home Office. You see, short of handcuffing it to the carrier's wrist (keep an eye on Government policy, and remember I said it first) it is difficult to guarantee against loss of a valuable data device if the business needs it to travel, particularly if the business in question has no process for controlling or managing that movement; or worse, where it has a process that is routinely ignored because it has no support from upper management. The apparent failure in both the MOD and the Home Office cases was in fundamental policy enforcement, neglecting to educate staff in the basics of information and media security, and the lack of workable processes within the business to limit the impact of a loss, by having a strategy for rendering the data unreadable in the event of a loss; yes, I'm talking about encryption.

The Government is not alone; according to a 2009 survey of 615 public and private sector organisations in the US by The Ponemon Institute, 12 per cent admitted they were affected by data loss incidents over the previous year. Although the poll was commissioned by a supplier of encryption products, I suspect no one will be surprised to hear that one third of the firms unaffected by a data loss incident had introduced an enterprise-wide encryption policy. Note they were unaffected; that is not to say they didn't have an incident, merely that it had no effect on them. So when it comes to choosing a supply chain partner, or outsourcing some element of your business to whom would you prefer to go? The ones who reported a loss, the ones who didn't report a loss or the ones whose loss had no effect on their business output? My money is with the latter, as I am sure yours is.

Of course concerns regarding data security go deeper than just loss in transit. Data is also at risk within the corporate infrastructure if there is insufficient protection afforded it; and no, I'm not just talking about a firewall. The media industry, with its move towards greater online access to music, video and computer games, has experienced many incidents of data loss often in the form of piracy of their material ahead of official release. So much so that there is a real drive towards securing pre-release material using techniques that would not be out of place in a Le Carre novel, and backed by the threat of legal action. Online content, by its very nature, needs to be accessible; yet once it is accessible to the world at large it is, for all security purposes, compromised. Once the latest blockbuster film, or hit album is released it becomes fair game for the media pirates and most of the media industry takes the view that the critical element is to be the first to make material available. It is the early weeks of public access that generate the most interest; if the pirates are first in the marketplace it has a marked effect on sales revenue when the genuine article arrives later.

In 2005 Coldplay's album, X&Y, was leaked to the internet a week ahead of its European release and within minutes the tracks were being downloaded. All this despite efforts by their record label EMI to prevent leaks, including non-disclosure agreements with reviewers, technical sweeps of preview events, searches of employees at CD pressing plants and the pre-release album going under a pseudonym. In their praise of EMI's efforts, the British Phonographic Industry told the Guardian newspaper at the time 'The prevention rather than cure mantra is absolutely key for us...."

Each pre-release undergoes a repeat of these types of measures, with increasing security demands on outsourcing sub-contractors - CD pressing, cover artwork, digital mastering studio, the list goes on. Yet the cost is only palatable because of the huge profit generated by the release of new material. Without comparable profit margins such measures are not only unpalatable, but difficult to justify.

So the answer according to the BPI is to prevent rather than prosecute if possible. Prevention within the parent organization is achievable, given some time, expertise and money. Establishing policies that serve the needs of the business (given that the needs of the business require information to be secure) means that security and business serve each other - which is exactly how it should be. But policies have little effect if there is no appetite for them at executive and board level. And the same is true of all other measures, whether procedural, technical, personnel or physical barriers; without support from the top no one will police them or adhere to them. A big enough problem for any organization without factoring in their outsourced services; where is the value of investment in sound security policies and practices when you have little possibility of enforcing, or confirming, the same degree of diligence in your sub-contractors?

Industry as a whole, not just the security industry, has a need for a means of mandating simple, manageable and scalable practices that can be passed between companies and organizations which enable all parties to understand each others' security position. This means a system that affords verification between those parties without the need for protracted contractual negotiation or intrusive validation by the contracting company, or worse still a reliance wholly on trust. Trust is the absence of a control measure!

Such a system could implement the fundamentals of information security across a whole enterprise, in staged implementations, allowing organisations of all sizes to grow their security incrementally in line with their business needs rather than trying to meet all the requirements of something like ISO 27001. Companies clearly understand the value of their information and the impact a loss will have on their business, which means they should also understand the level of investment required. Information security should not be left to chance, but many organisations fail to implement it for simplest of reasons; first they do not recognise the need to have protection, as the gravity of their situation is often hidden from the eyes of many companies. Second, they don't really understand how it can be achieved, sadly falling back on the adage "I know we're safe, we have a firewall." Possession of a firewall is a laudable thing, especially when it's correctly configured, but of limited value if your employees bring their personal MP3 players from home and plug them into the corporate network and download files that they then carry out of the door. Now your files are uncontrolled, unencrypted and as liable to loss as any high profile Government laptop; although, arguably, a personal MP3 player would be more diligently looked after.

And what about those out-sourcing companies mentioned earlier? How do you check that they are secure to a standard you would want before entrusting your precious information to them? With a scheme able to show what measures must be in place to achieve a given degree of security assurance, it would be a simple matter to urge, encourage or insist that any out-sourcing is undertaken by an organisation whose security implementation is known and understood, and is of a standard equivalent or greater than that of the principle organisation. Complete security? No, but a lot of steps along the way; plus some peace of mind.

Certified Digital Security is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th - 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo