Companies across the world have always preferred not to
reveal details of IT security breaches. Disclosure can bring
adverse publicity, loss of customers' trust, legal action by those
customers and official censure by regulators. Much of this can be
avoided with a little forethought and a professional attitude to
the use of data encryption: information that was encrypted when it
was lost is of little use to whoever ends up holding it.
Where once your key information resided on a few desktop PCs in
a private office, now the information is spread far and wide. As
well as the master copy on the main system, there are often copies
in many other computers, some of which are laptops, which are
incredibly easy to lose or steal.
In addition, unscrupulous staff or dishonest visitors can copy
information from a company's main systems to a multitude of
external storage devices: USB flash drives, digital cameras, MP3
players, mobile phones, or even old-fashioned floppy discs. Every
one of those copies is then exposed if the device is subsequently
lost, stolen or copied again.
An effective encryption policy, therefore, needs to encompass
every device onto which employees might wish to copy files. It also
needs to be transparent to users, so that it can be centrally
controlled without any user action being required. And it should
be impossible to disable, except by authorised administrators.
Ideally it should also have the selective ability to block files
from being copied to external devices.
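Central control only means something if administrators can verify that the encryption is actually in place on each machine. The script below is an added example, not code from the original article or from Pointsec: it audits a Linux host for mounted filesystems that are not sitting on a dm-crypt/LUKS mapper, and flags which of those are on removable media. It assumes the JSON tree printed by `lsblk --json -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT` (util-linux) as its input; the embedded sample is constructed by hand rather than captured from a real host, and the exemption of `/boot` and `/boot/efi` is a policy assumption. The sample deliberately includes an encrypted root next to a plaintext swap partition, a common gap on laptops that otherwise look fully encrypted.

```python
"""Audit a Linux host for mounted filesystems that are not protected by
dm-crypt/LUKS, including any on removable media.

Added example; not code from the original article or from Pointsec.
Assumes the output of `lsblk --json -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT`.
The sample below is constructed, not captured from a real machine.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any, Iterator

# Mount points a full-disk-encryption policy normally exempts: the boot
# loader has to read them before any key is available. Policy assumption.
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}

LSBLK_CMD = ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,RM,MOUNTPOINT"]

# Constructed sample: an encrypted root, plaintext swap, and a USB stick.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "rm": False,
     "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "rm": False,
         "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "rm": False,
         "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS",
         "rm": False, "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
             "rm": False, "mountpoint": "/"}]},
        {"name": "nvme0n1p4", "type": "part", "fstype": "swap", "rm": False,
         "mountpoint": "[SWAP]"}]},
    {"name": "sdb", "type": "disk", "fstype": None, "rm": True,
     "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "fstype": "vfat", "rm": True,
         "mountpoint": "/media/usb0"}]},
]})


def _is_removable(node: dict[str, Any]) -> bool:
    # Newer lsblk emits booleans; older releases emit the strings "0"/"1".
    return node.get("rm") in (True, 1, "1")


def _walk(node: dict[str, Any], under_crypt: bool = False,
          removable: bool = False) -> Iterator[tuple[dict[str, Any], bool, bool]]:
    """Yield (node, under_crypt, removable) for a node and all descendants.

    A filesystem counts as encrypted when any ancestor in the lsblk tree is
    a dm-crypt mapper (type "crypt"); removability is inherited the same way.
    """
    under_crypt = under_crypt or node.get("type") == "crypt"
    removable = removable or _is_removable(node)
    yield node, under_crypt, removable
    for child in node.get("children", []):
        yield from _walk(child, under_crypt, removable)


def unencrypted_mounts(lsblk_json: str) -> list[dict[str, Any]]:
    """Return every mounted filesystem (or active swap) that has no dm-crypt
    ancestor, apart from the exempted boot mounts."""
    tree = json.loads(lsblk_json)
    findings = []
    for node, under_crypt, removable in _walk({"children": tree["blockdevices"]}):
        mountpoint = node.get("mountpoint")
        if not mountpoint or mountpoint in EXEMPT_MOUNTS or under_crypt:
            continue
        findings.append({"device": node["name"], "fstype": node.get("fstype"),
                         "mountpoint": mountpoint, "removable": removable})
    return findings


def audit_host() -> list[dict[str, Any]]:
    """Run lsblk on the local machine and audit its output (Linux only)."""
    out = subprocess.run(LSBLK_CMD, capture_output=True, text=True, check=True)
    return unencrypted_mounts(out.stdout)


if __name__ == "__main__":
    for f in unencrypted_mounts(SAMPLE_LSBLK):
        kind = "REMOVABLE" if f["removable"] else "internal"
        print(f"{kind:9} {f['device']:<10} {f['fstype']!s:<12} {f['mountpoint']}")
```

Run against the constructed sample it reports two findings: the plaintext swap partition on the internal disk and the vfat filesystem on the USB stick. On a real fleet `audit_host()` would be the function a central agent calls, with its result shipped to the console rather than printed; the policy exemptions and the list of acceptable mapper types are the only parts that need tailoring.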
A management walk-through is a great way to assess the possible
impact of a security breach. Simply sit a group of technical and
non-technical managers around a table and discuss a series of
“what-if?” scenarios.
For example, walk through the following scenario. A director of
your company attended a conference last week, during which his
briefcase was snatched from the back seat of his car. The case
contained a laptop computer which held a list of the top 10,000
accounts by revenue. The information was not encrypted. This
happened on Friday afternoon but it is now Monday morning and the
loss has only just been reported.
Among the topics that you will need to discuss are:
- How will you ensure that those 10,000 affected companies are
discreetly informed about the breach as soon as possible?
- Who will brief the regulatory authorities and your company’s
legal team?
- What will you tell journalists from the national press and
broadcast media, once they get hold of the story and want to hear
your version of events?
- Who is officially responsible for the security of your
company’s information, and what will they be doing to prevent such
an event happening again?
- Who could make use of the stolen information, and how? Can you
put systems in place to help detect instances of this taking
place?
- What action will the marketing department take to help regain
the trust of customers who have taken their accounts
elsewhere?
- Which laws and regulations has the organisation broken, and in
which countries? For example, the UK's Data Protection Act 1998
requires organisations holding personal data to take appropriate
technical and organisational measures against unauthorised
processing and accidental loss, a requirement that an unencrypted
customer list on a stolen laptop plainly fails to meet.
The trust of one's customers and investors is among the greatest
assets that your organisation owns. Lose it, and you are well on
your way to being out of business. Failing to protect key
information and data, or introducing unnecessary delays in making
losses public, could make that a reality. Which is why full-disc
encryption should be mandatory for all organisations, no matter
what size. Bear in mind what it does and does not do: it protects
the data on a lost or stolen machine that is switched off or
locked, but it gives no protection against a user who is already
logged in copying files elsewhere, which is why the policy also has
to cover removable media.
Pointsec will present "A five point plan for protecting and
managing mobile devices" at 10am on 26 April at Infosecurity
Europe. Pointsec will be exhibiting at stand 402.