Dam data leakage at source: how unified encryption management (UEM) is changing the threat landscape.

by Kilpatrick, Ian
Software World • Nov, 2007 • SOFTWARE WORLD INTELLIGENCE

Computer networks today have become increasingly open, with greater reliance on IP. More and more staff are accessing a greater number of applications and databases, while remote access has grown hugely. Staff are accessing applications not just from within the office, but from various locations outside the office. These teleworkers and day extenders are significantly increasing remote access, as are mobile workers, including those using wireless hotspots. Company networks are also being remotely accessed by suppliers and third parties.

Our use of email has mushroomed to the point where it is pretty much inconceivable to run many businesses without it. The number and size of attachments have also grown very significantly. This openness and our enthusiasm for email, while they can make life easier and improve productivity, have many disadvantages.

One of the main ones is the greater difficulty we have in protecting the confidentiality of information. The opportunities for unauthorised viewing of data, data theft and data leakage have increased tremendously and organisations are now having to look urgently at managing this problem.

What data is at risk?

The increased standardisation on IP can mean that all confidential data which is held on a network is at risk and needs to be protected from unauthorised access, both inside and outside an organisation.

Internally, there are risks from employees and skilled IT staff. It may be non-malicious, with people wanting to find out other people's salaries. Or it may be staff accessing confidential company data, including personnel files, company plans and financial information.

It could also be malicious, such as viewing and stealing customer information or company confidential information (e.g. research) to pass on to others. It may be employees who feel the need, for whatever reason, to leak company or government information.

Employees can also inadvertently expose confidential data to the outside world through the use of unprotected wireless, unprotected remote access or careless laptop use. Valuable sales information, for example, could be seen by competitors. Confidential information about customers or the public could be leaked.

The large number of high profile cases of data leakage highlights this problem. Interestingly, as mobile and remote workers increasingly store highly confidential personal information, such as passwords and bank details, on company equipment, they are also at significant personal risk.

Another high risk area is the use of USB sticks and mobile devices such as PDAs and BlackBerrys for the storage of confidential information. The very mobility of these devices renders them vulnerable to accidental loss or theft. Additionally, failure to manage these devices means that they are often the conduit for data theft and leakage from organisations.

Data is also at risk of exposure from people outside an organisation. Industrial espionage is well known and 'spies' might be after valuable R & D information or other information which will give them a competitive edge, such as contract tendering details.

Externally, companies are at risk from hackers or others who might want to find something detrimental on an organisation which they can publicise. Criminals, wanting to use information (particularly financial) to carry out crimes, are also a significantly increasing threat.

The large sums available from these types of crimes, the low risks of detection and punishment, and the ease of carrying them out have made this much more attractive than many other areas of crime. It will continue to grow at an increasing pace over the next few years.

Data leakage is a very important issue, not least because companies have a legal requirement, under the Data Protection Act, alongside other statutory requirements, to secure information on their employees and on their customers. Even if information held on a system has come from a third party such as a supplier, companies are still liable to protect that information from being seen by unauthorised people. The impact of negligent data loss on their reputation is also now moving organisations to focus on an area that has traditionally been ignored.

According to the Department of Trade and Industry (DTI) Information Security Breaches Survey 2006, only one company in seven actually encrypts data on hard disks.

Recently, a laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees went missing from a printing firm, which was writing to M & S workers about pension changes. Identity theft is the possible result of such losses. Also, at Worcestershire County Council, sensitive information about more than 16,000 council workers was put at risk as the result of another laptop theft.

At 28 police forces around the country, the incidence of laptop thefts increased on average by 6% in 2006, with the Metropolitan police being the worst area for thefts with some 6576 laptops stolen. The Devon and Cornwall area had a 45% increase in laptop thefts, rising from 276 to 401; and Bedfordshire saw a 35% increase. These figures only include those laptops stolen while being used outside the office or home and exclude the significant numbers lost in taxis, on trains, etc. (1)

You only have to use email on the Internet, and receive 'phishing' emails, to be aware of the many criminals out there today who want to get access to your personal data so they can steal from you. If your company is the repository for sensitive personal data, then it is more important today than ever to protect it. If you carry out credit card transactions and hold information on company networks, then you have to comply with the latest PCI (Payment Card Industry) data security standard by next year, or you may be financially penalised.

Is current protection adequate?

We have used various methods up until now to protect company data, but they are no longer enough in themselves, because of the increased risks we face.

Firewalls and access control are commonly used and networks may be protected by multiple layers of firewalls. However, computers being used by staff at home to communicate with the office and access information may not have firewall protection. Even if they do, the user may not have enabled the firewall or may not have updated it. And, of course, if access control is inadequate, firewalls will not stop data being read.

Currently, access control may be a simple password, which is generally recognised as an inadequate security mechanism and may put data at risk. According to the DTI Information Security Survey 2006, the vast majority of companies still rely on weak, static passwords.

Companies may also use more sophisticated means, such as strong two-factor authentication. This involves a password in conjunction with another method of authentication, for logging in. The other method could be a token, but could also include biometrics, smart cards or virtual tokens.

Traditionally, larger companies have relied on the security of mainframe systems to protect key data. However, with this company confidential data now routinely accessible from and downloadable onto the network, this protection has significantly diminished.

Regularly reviewing access control lists is another key component in data security, as is managing emails and instant messaging, because unencrypted emails are vulnerable to interception.

These methods are all components in safeguarding data. However, the computing scenario has now changed so much that, on their own, they are unable to cope with the current state of threat.

One strong area of risk is allowing unauthorised (or departed) members of staff to retain unmanaged access rights to data for which they have no valid need. This is a major cause of data leakage. A common failure in larger companies is to terminate the departing user's rights at the last place he/she was located, while neglecting to terminate access rights at previous divisions or locations.
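The failure described above can be caught by reconciling the HR leaver list against the access rights each division records for itself, rather than only the leaver's last location. The following is an added example, not code from the article; the HR records, locations, users and resource names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Entitlement:
    user: str
    location: str
    resource: str

# Constructed sample data (hypothetical, not from the article).
# HR view: who still works here, and where they were last based.
HR_RECORDS: Dict[str, dict] = {
    "jsmith": {"status": "left", "last_location": "London"},
    "apatel": {"status": "active", "last_location": "Leeds"},
    "bkhan": {"status": "left", "last_location": "Bristol"},
}

# Access rights as each division's own systems record them.
ACCESS_BY_LOCATION: Dict[str, List[Entitlement]] = {
    "London": [Entitlement("apatel", "London", "finance-share")],
    "Leeds": [
        Entitlement("apatel", "Leeds", "crm"),
        # jsmith transferred Leeds -> London; London cleared his rights, Leeds did not.
        Entitlement("jsmith", "Leeds", "payroll-db"),
    ],
    "Bristol": [
        Entitlement("bkhan", "Bristol", "hr-files"),        # leaver never offboarded
        Entitlement("ghost", "Bristol", "research-share"),  # no HR record at all
    ],
}

def find_orphaned_access(hr_records: Dict[str, dict],
                         access_by_location: Dict[str, List[Entitlement]]
                         ) -> List[Tuple[Entitlement, str]]:
    """Flag entitlements held by people HR says have left, or whom HR does not know,
    checking every location rather than only the leaver's last one."""
    findings = []
    for location, entitlements in access_by_location.items():
        for ent in entitlements:
            record = hr_records.get(ent.user)
            if record is None:
                findings.append((ent, "no HR record"))
            elif record["status"] == "left":
                if location == record["last_location"]:
                    reason = "leaver: rights not removed at last location"
                else:
                    reason = "leaver: rights left behind at previous location"
                findings.append((ent, reason))
    return sorted(findings, key=lambda f: (f[0].location, f[0].user))

if __name__ == "__main__":
    for ent, reason in find_orphaned_access(HR_RECORDS, ACCESS_BY_LOCATION):
        print(f"{ent.location:8} {ent.user:8} {ent.resource:15} {reason}")
```

Each finding is a removal action for the location that owns the entitlement; the "previous location" category is exactly the gap the article describes.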

Companies now need to review how the risks to their organisations have changed with regard to data confidentiality, and assess what the current dangers are. A risk assessment can be carried out and positive action drawn up to protect against the relevant threats.

A key part of any programme will be to regularly communicate to staff that data protection is the responsibility of everyone in an organisation, and not just the IT team. It should also be reiterated that any unauthorised access to or misuse of data by staff, whether it is non-malicious but done without authorisation, or done with criminal intent, is not acceptable.

High risk areas

* Email

Email is a key area of risk for many organisations. Email sent over the Internet passes through intermediate servers. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail. They are easy to intercept and read, without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use keyword searching to find (to order) information for interested businesses.

The solution is to use email encryption, which enables you to secure the communication and restrict read access to the named recipient only. There are a number of ways of carrying out email encryption which don't impact the business.

COPYRIGHT 2007 A.P. Publications Ltd. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.