Tuesday, February 27, 2007

UK ADDRESSING DATA THEFT How do we tackle data theft? - 27/02/2007 - Electronics Weekly

How do we tackle data theft?


USB sticks are very portable, making it easy to discreetly remove data from the work premises. Even more of a risk are cameras and MP3 players, which can effectively hold huge amounts of data and files that can be extracted from the network in minutes. What’s more, carrying a music player out of a work building attracts even less attention as a genuine personal accessory.

Indeed, ‘pod-slurping’, as this latest threat is called, where a computer program is used to download vast amounts of corporate data to an iPod in a matter of minutes, is in its infancy but cannot be ignored as a serious risk for companies.

Risk of data theft
Clearly there are many technology devices available today that make data theft easier. There have been a number of instances over the years that have shown a boom in trading information obtained by deception. A number of organisations have been at risk from employees stealing personal details of bank accounts, tax returns and mortgage payments and selling this valuable data to competitors. Trading in such information can pose a huge threat to the business.

There have even been examples of some companies paying cleaners a fixed amount to download information on USB sticks, on the basis that at least a few of the sticks will contain useful data. Several recent high-profile court cases have detailed how people are making a living by hacking into enterprise systems, stealing personal data and selling it on.

Accidental risk
These are all examples of malicious data theft, but the accidental loss of information is also a high risk to many companies. Some organisations provide employees with memory sticks to enable them to transport data – perhaps between work and home. Again, this may pose a potential risk if the USB stick contains sensitive company or customer information and is lost.

It can be argued that the risks are only as great as the possibility of someone losing the memory stick. Yet this obviously happens more often than one would suppose. Transport for London’s lost property office covers two entire floors beneath Baker Street Tube station and claims that it stores up to 40,000 forgotten items – iPods, phones and BlackBerrys – at any one time.

Identity theft on the increase
For the individual as well, data protection is becoming an increasing concern. Identity theft at the level closest to home occurs with personal details thrown away in discarded post. At a higher level is the potential risk that a system like the new NHS national patient record system highlights.

The new system will be loaded with patient data, whether the patient wants it or not. Indeed, the British Medical Association has expressed the view that the government should get the explicit permission of patients before transferring information to a central database.

With over 250,000 people potentially having access to the system, how secure will the data be? Clearly we cannot simply rely on personal morality to protect data, since many employees do not consider taking things from the workplace as stealing. It only takes a disgruntled or dishonest employee to expose an enterprise’s security weakness as they exploit data for their own gain.

Breaching copyright
Inbound data can also be a problem. Employees transferring files from home on a mobile device may not be aware there is also a security risk – possibly a Trojan file – that they inadvertently introduce to the corporate network. Also, transferred files could breach copyright – such as music files or pirated software – posing a potential liability issue. In addition, the threat of litigation to an organisation that has lost personal information about an individual is driving organisations to think seriously about their approach to securing data.

Many call centres and government departments where sensitive information is accessed have taken to banning mobile devices. There have even been extreme examples noted where companies/organisations have poured superglue into USB ports to permanently disable them.

Addressing the security issues
Although these may appear to be drastic measures, they do highlight the need to secure data within the enterprise. Some of the big players in the IT industry, such as Microsoft, have recently entered the security arena.

Most notable is the launch of Microsoft’s new operating system Windows Vista which includes many new security features. This has certainly raised the profile of data security but there are also other specialist players in the market.

A port control solution is designed to secure a desktop or laptop computer from the introduction of unauthorised data (including software, music and graphical images), and from the accidental or malicious leakage of data via Plug and Play devices such as removable disk drives, MP3 players, and printers. Some of these solutions can even be managed through Active Directory, enabling companies to leverage existing IT investment.

These types of solutions give back control of data security to the ‘business’ so that it can be controlled centrally, enforcing the organisation’s policies on the end users. Groups of users can be set up on the system, so that each group is subject to the most appropriate level of security – for example a finance group may be able to access some data via a USB port, while a support department may never need to use data from the network and so the USB ports are effectively ‘locked down’.

Safeguarding data with encryption
There are also disk encryption solutions on the market which protect data on a computer’s hard disk. Again, the big IT players already provide some encryption software, although it is not yet widely adopted.

Full disk encryption transparently encrypts a computer's entire hard disk, automatically encrypting and decrypting data on the fly so that applications can be used as normal. If an unauthorised user attempts to access the hard drive directly, without going through the User Authentication process, the data remains encrypted and unusable. If the hard drive is later disposed of, any data it contains is unintelligible, even if specialist data recovery tools are used. It also provides removable media encryption, to protect data in transit on mobile devices such as USB memory sticks and floppy disks.

The next logical step
Fortunately, as we have entered the digital world, security of data has started to become a higher priority for organisations. The ability to store huge amounts of data digitally has brought many advantages in terms of storage capability and speed and ease of access. Now protection and security are the next logical steps, and happily there are proven solutions available in the market that address the issues without resorting to superglue.

David Holman is CEO of BeCrypt

For more, see Infosecurity Europe 2007 on 24th–26th April 2007 at Olympia, London
