Lock up your Data - or you might go to jail (Security Park)
(23/07/2002)


Companies risk falling foul of the law if they fail to protect their clients’ personal data from prying eyes, under newly enforced provisions of the Data Protection Act. Jason Kent of data security specialists Open Seas looks at the issues facing SMEs in our increasingly data-dependent world.

Losing a laptop in the back of a taxi could be more than an embarrassment, if its hard disk turns out to contain confidential information about clients. Under recently enforced provisions of the 1998 Data Protection Act, company directors can face prison if electronically held records fall into the wrong hands.

The ease and speed with which information can now be captured, stored and transmitted has its downside. In the past, when a company’s confidential data was stored in printed form, industrial espionage and theft was a laborious, risky exercise. Getting hold of physical documents usually involved breaking into the premises, and copying them was time-consuming and problematic.

Today, when most information is stored electronically, major data theft can be a few mouse clicks away. A recent major survey by Price Waterhouse Coopers on information security breaches found that 44% of UK businesses have suffered at least one malicious security breach in the past year.

For smaller and independent companies, protecting confidential information about clients has to be the most compelling motive for making sure that all electronic systems are guarded against intruders. Apart from the danger of damaging customer confidence if a security breach became public knowledge, the law now obliges all companies to take steps to ensure that any personal information held about clients is adequately secure. The 1998 Data Protection Act has been implemented in phases, and from October 2001 its latest provisions make company directors personally responsible for maintaining the confidentiality of personal information held on clients – and this includes anything stored electronically. The penalties for failing to secure this data can include heavy fines and imprisonment.

Quite apart from these extremes, any business which relies on the integrity of its IT systems and continuous access to data can suffer serious damage when these services are disrupted. According to the Department of Trade and Industry’s Information Security Breaches Survey 2002, the average cost of each serious incident is £30,000, and several companies reported breaches costing more than £500,000.

Most organisations have long been aware of the importance of protecting their networks from illegal external access. However, the majority of computer crime is perpetrated not by criminals hacking in from outside, but by disaffected or opportunistic employees.

According to a study conducted in 2001 by the FBI and the Computer Security Institute, employees and other insiders with legitimate access to business networks account for more than 80% of ‘cyberattacks’. Within an organisation, there tends to be an assumption of trust and despite rules and guidelines, effective security can be woefully lacking.

Outright fraud and malicious hacking may be relatively uncommon, but carelessness is widespread. One relatively new security weak spot in any organisation is the increasingly widespread use of portable computers. While the development of powerful, pick-up-and-go laptops and notebooks has brought about a location-independent working revolution, enabling people to work on the road or at home as effectively as in the office, the downside is the ease with which these highly mobile machines can be lost or stolen. A single poorly protected laptop could, in the worst-case scenario, be the key which unlocks an entire corporate network. Short of that, many laptops contain highly confidential data on their own hard disks, enough to cause considerable damage if they fall into the wrong hands.

What solutions exist to allow companies to ensure that they comply with the law, and protect their own interests at the same time?

The purpose of passwords is to authenticate the user of a machine, and therefore ensure that the data on its disk is available only to someone who has been authorised to access it. Unfortunately, passwords are a notorious weak point in the cyber-defences surrounding most systems. Information security experts might routinely advise that passwords consist of a lengthy randomised string of letters and numbers, but in the real world most people choose something which is easy to remember. If someone is intent on committing abuse within an organisational network and wants to use another employee’s log-in to cover his own tracks, there is a good chance that the name of his colleague’s partner, dog or children may get him into the system – assuming, that is, that the password wasn’t shouted out on request across an open office. Even without inside knowledge, such passwords are vulnerable to the ‘cracking’ programs and brute force attacks used by hackers. Studies have shown that more than two thirds of employee-generated passwords can be discovered by running simple, easily available programs that try out obvious choices and dictionary words.
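The dictionary-word and personal-name weaknesses described above can be caught at the point where a password is set, before a cracking tool ever sees the hash. The checker below is an added example, not part of the original article or of any Open Seas product; the word list, the substitution table, the policy thresholds (12 characters, three character classes) and the sample passwords are all constructed for illustration. It normalises a candidate the way a dictionary attack would (lower-casing, stripping appended digits and symbols, reversing common letter-for-digit substitutions) and rejects anything that then matches the word list or a term from the user's own profile.

```python
import string

# Constructed sample word list: a real deployment would load a full
# dictionary or leaked-password list from disk.
DICTIONARY = {
    "password", "welcome", "summer", "letmein", "dragon",
    "monkey", "football", "qwerty", "liverpool",
}

# Single-character substitutions that dictionary-attack tools routinely
# undo, so a policy checker must undo them too.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12      # assumed policy value, not from the article
MIN_CLASSES = 3      # assumed policy value, not from the article
EDGE_CHARS = string.digits + string.punctuation


def variants(candidate: str) -> set[str]:
    """Forms of the candidate that a cracking tool would compare against a
    word list: lower-cased, with leading/trailing digits and symbols removed,
    and with common substitutions reversed."""
    low = candidate.lower()
    stripped = low.strip(EDGE_CHARS)
    forms = {
        low,
        stripped,
        stripped.translate(LEET_MAP),
        low.translate(LEET_MAP).strip(EDGE_CHARS),
    }
    return {f for f in forms if f}


def character_classes(candidate: str) -> int:
    """Count how many of the lower, upper, digit and symbol classes appear."""
    checks = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    )
    return sum(checks)


def check_password(candidate: str, personal_terms=()) -> list[str]:
    """Return the policy failures for a candidate password; an empty list
    means it passes.  personal_terms holds names (partner, pet, children)
    that a policy may draw from the user's own profile; every value used in
    this example is constructed."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("too_few_classes")
    forms = variants(candidate)
    if forms & DICTIONARY:
        problems.append("dictionary_word")
    # Ignore very short terms so that two-letter initials do not match everything.
    terms = {t.lower() for t in personal_terms if len(t) >= 3}
    if any(term in form for term in terms for form in forms):
        problems.append("personal_term")
    return problems


if __name__ == "__main__":
    samples = [
        ("P@ssw0rd123", ()),
        ("Fido2002!", ("Fido",)),
        ("Dr4gon!!2002", ()),
        ("Wrought!Garnet!Kettle7", ("Fido",)),
    ]
    for pw, terms in samples:
        result = check_password(pw, terms)
        print(f"{pw!r}: {'accepted' if not result else ', '.join(result)}")
```

Note that the substitution table is deliberately lossy ("1" is mapped only to "l"), so the checker errs on the side of accepting some disguised words; a production policy would generate every plausible reversal or, better, compare the hash of each variant against a large breached-password list rather than a hand-written set.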

Physical protection devices such as smart cards and ‘e-tokens’ – small components which are inserted into the USB port on a PC or laptop – are designed to take the concept of authentication to a new level of security. These access control systems render each PC or laptop immune to external attack, since without the individually programmed device in place the user cannot even boot the machine. They also do not rely on employees following security procedures, as the password is incorporated into the device rather than entered by the user, and is activated instead by a PIN. Above all, physical protection devices provide a genuinely location-independent security system, working with laptops, PDAs and other portables just as well as with on-site computers.

One of the most important characteristics of a physical protection system is that the devices are unique to individual users. They can be programmed individually, limiting access to certain parts of the company network or particular files and directories on the hard disk of any machine.

For example, some devices allow companies to restrict the installation of unauthorised software. A cyberattack need not be malicious or even deliberate to cause real damage to a corporate network, and some figures suggest that over three quarters of employees have installed programmes without permission. Ranging from humorous animations circulated by email to memory-hungry games, these programmes waste employee time in themselves, risk destabilising the company networks by clashing with legitimate, business-critical applications, and always carry the possibility of introducing a virus – according to the Price Waterhouse Coopers survey, the cause of a third of all serious security incidents. The devices can be programmed to block the installation of any software not on an approved list.

Protection devices can even help control the ubiquitous issue of non-acceptable web browsing or ‘cyber skiving’. While most organisations – 92% of larger companies, according to Price Waterhouse Coopers – allow their employees access to the web for legitimate research purposes, abuse is widespread. Despite the web usage policies set out by 88% of large businesses, a quarter have experienced staff accessing pornographic web sites and 11% have had to discipline employees for excessive web surfing during company time. At the extreme end of the web abuse spectrum, organisations run the risk of laying themselves open to legal action – or at least damage to their corporate reputation – if they fail to prevent employees storing
