Companies across the world have always preferred not to reveal details of IT security breaches. To do so could create problems ranging from loss of key information, adverse publicity, loss of trust and legal action by customers, to official censure by regulators, all of which can be avoided with a little forethought and a professional attitude to the use of data encryption.
Where once your key information resided on a few desktop PCs in a private office, now the information is spread far and wide. As well as the master copy on the main system, there are often copies in many other computers, some of which are laptops, which are incredibly easy to lose or steal.
In addition, unscrupulous staff or dishonest visitors can copy information from a company’s main systems to a multitude of external storage devices. These include USB flash drives, digital cameras, MP3 players, mobile phones, or even old-fashioned floppy discs, all of which then become vulnerable if subsequently lost, stolen or re-copied.
An effective encryption policy, therefore, needs to encompass every device onto which employees might wish to copy files. It also needs to be transparent to users, so that it can be centrally controlled without any user action being required. And it should be impossible to disable, except by authorised administrators. Ideally it should also have the selective ability to block files from being copied to external devices.
A management walk-through is a great way to assess the possible impact of a security breach. Simply sit a group of technical and non-technical managers around a table and discuss a series of “what-if?” scenarios.
For example, walk through the following scenario. A director of your company attended a conference last week, during which his briefcase was snatched from the back seat of his car. The case contained a laptop computer which held a list of the top 10,000 accounts by revenue. The information was not encrypted. This happened on Friday afternoon but it is now Monday morning and the loss has only just been reported.
Among the topics that you will need to discuss are:
- How will you ensure that those 10,000 affected companies are discreetly informed about the breach as soon as possible?
- Who will brief the regulatory authorities and your company’s legal team?
- What will you tell journalists from the national press and broadcast media, once they get hold of the story and want to hear your version of events?
- Who is officially responsible for the security of your company’s information, and what will they be doing to prevent such an event happening again?
- Who could make use of the stolen information, and how? Can you put systems in place to help detect instances of this taking place?
- What action will the marketing department take to help regain the trust of customers who have taken their accounts elsewhere?
- Which laws and regulations has the organisation broken, and in which countries? For example, the UK’s Data Protection Act requires companies to take care of customers’ personal information.
The trust of one’s customers and investors is among the greatest assets that your organisation owns. Lose it, and you are well on your way to being out of business. Failing to protect key information and data, or introducing unnecessary delays in making losses public, could make such a situation a reality. This is why full disc encryption should be mandatory for all organisations, whatever their size.
Pointsec will present “A five point plan for protecting and managing mobile devices” at 10am on 26 April at Infosecurity Europe. Pointsec will be exhibiting at stand 402.