Security loopholes that aggravate data loss incidents

Overtis Systems : 17 November, 2009  (Technical Article)
Overtis identifies the five top loopholes which contribute to data leakage and suggests how companies can tie them off
Overtis has revealed data losses for 2009 have almost doubled compared to the previous year, proving that common errors are being repeated. There were 415 losses reported to the Information Commissioner's Office (ICO) from October 2008 to October 2009. This compares to 277 from November 2007 to October 2008 giving a total of 692 data losses since the HMRC debacle. The figures reveal thousands of data losses are reoccurring year-on-year. Many organisations are failing to monitor how data is manipulated, apply end-to-end encryption or address data leakage vectors. As a result, data is being repeatedly lost, stolen or distributed in error.

Data losses over the past year have predominantly been reported by commercial enterprises. Of the 692 data breaches reported to the ICO since 2007, the highest number (205) were in the private sector. Corporate data losses were predominantly due to either theft (67) or disclosure in error (60). NHS data breaches came a close second with 201 reported breaches. Aside from commercial and health sector data breaches, losses have also been reported from government and charitable sectors. The main causes of data loss were stolen data/hardware (225), data disclosed in error (160), and lost data/hardware (166).

High-profile incidents during 2009 include the loss of: 43,000 child records by Wigan Council; 36,800 driver records by Repair Management Services in Blackburn; 26,000 customer records by casino operator London Clubs International Ltd; 20,000 patient records by the Royal Free Hampstead NHS Trust; and 6,360 prisoner records by the NHS of Central Lancashire. These losses will affect the reputations and operating efficiency of these organisations, not to mention the individuals whose data was compromised.

To help ensure data losses don't continue unabated in 2010, Overtis has named and shamed the top five loopholes it believes organisations commonly overlook:

1 Inevitable errors - the vast majority of data loss is accidental. Frequent reports refer to unencrypted data which is exported onto USB keys, CDs, or laptops and is then lost. Equally common are user errors which see documents saved to the wrong directory or emailed to the wrong recipient. To safeguard against these scenarios, end-to-end encryption should be used at the point of creation ensuring information is accessed, stored or transmitted in a protected format.

2 Mobile menace - the PC network may be locked down but have you applied the same strict security policy to mobile devices? Is your information protection solution capable of applying the same rulesets used on your network to mobile phones and PDAs? Consider whether you will allow individuals to use their own smartphones and if so how you will protect any work-related data they may receive.

3 Information flows - many organisations try to plug the usual data leakage vectors, such as file copying to removable devices, but forget about more mundane channels. Export over the Internet to webmail or social networking sites often goes unchallenged. Similarly, application functions (cut, copy, paste, rename, print, etc.) are often given free rein. It is now possible to specify which of these actions can be carried out on a document-by-document and end-user basis.

4 Quick exits - most information walks out the front door. Organisations invest budget in securing electronic data but do little to protect information in printed form. Hard copy as well as electronic data can now be protected by endpoint security systems which are integrated with physical access control, CCTV and RFID systems.

5 The unsuspected - system administrators are in a privileged position. It is relatively simple for them to tamper with information and remove any evidence. Advanced information protection solutions can record administrator activity and ensure this complies with the data protection policy.

To tackle the threat of data loss in 2010, Overtis recommends UK organisations adopt a security policy which addresses the five loopholes identified above. To prevent a breach, the policy should specify the way information is accessed, altered or shared over numerous platforms and devices. Should a breach occur, the information and the circumstances surrounding its loss need to be identified. Evidence may include authentication sessions, screenshots capturing user activity, and CCTV footage which combine to form a comprehensive audit trail.

"Data losses are continuing to occur at an unacceptable rate not because the security isn't in place but because these systems frequently interfere with workflow. Technology must be combined with procedure to allow the organisation to function without disruption," said Ed Macnair, CEO, Overtis. "Enterprise Information Protection, utilising an endpoint-based solution such as VigilancePro, takes a minimal impact approach, monitoring information access, advising the user on acceptable use and automatically preventing leakage through error or abuse. It's only by applying security holistically in a real-world context that we can hope to reduce and eventually eradicate these data losses."