Protect critical information: think beyond the hacker (Security Park)
(07/01/2008)

This year’s Gartner report states that IT security over-protects the wrong assets, over-reacts to the unexpected and over-spends. Security 3.0 is here: a clearer-eyed approach to risk management that applies resources appropriately and moves away from the ‘bolting on’ that has ruled our approach to security for too long.

Businesses and the UK Government really need to start asking themselves where the real IT security threats lie. Repeatedly we hear of threats relating to people hacking into networks, and Hollywood reinforces this fear - just look at the latest Die Hard movie. Of course, it is important to focus our attention on the issue of network hacking, but this is not the complete picture in the security world.

The reality is that hacking is a complex process and requires intricate timing. After all, how great is the chance of a hacker intercepting information at the very time you are sending it over the internet? And how likely is it he or she will know what network and location you are logging on from, and the very second that will provide the window of opportunity to intercept that data?

Of course this is a possibility, and cyber criminals are evolving alongside the security developers, but a bigger threat comes from mobile devices: a mobile device left in a taxi or on the tube is an easier target for data theft and has the potential to leak much more information.

Security budgets are set to rise by 9.3 percent in 2007, but they still all too often overlook the risks associated with the loss of data; large chunks go towards keeping the hackers at bay. Such near-sighted behaviour neglects the threat against the actual data residing on mobile devices outside the security perimeter. Does your security policy calculate the risk associated with loss of data from outside? Probably not, but it should!

It would be ridiculous to suggest that we take all our spending out of secure connections and firewalls, but if we weigh that spending against the actual risk involved, the ratio is hard to justify. Security spend must be considered carefully, and all end points must be evaluated for security weaknesses. Perhaps it is time to reconsider our priorities and spend a little more on mobile data security?

We need to start making investments based on risk calculation. The nature of IT attacks has changed in recent years. Cyber-criminals are evolving into ever more capable, ethically compromised ‘super-beings’. Attacks are more targeted, aimed at diverting specific data for the purpose of harming businesses or individuals. Cyber space has become a vicious, crime-riddled entity, and intelligence on it is constantly changing. As such, security budgets need to adopt a pragmatic approach and change with the threats. Do the Army still use fencing swords during combat?

The likelihood of someone leaving an unencrypted mobile device such as a USB drive or laptop on the London Underground has become a far more serious threat in recent years – just look at the recent incidents involving Pfizer and Monster.com. In a recent survey, SafeBoot found that nearly a quarter of office workers surveyed had lost their laptop or had it stolen, with nearly one in four of these having lost it more than once. A shocking statistic that really drives home the security risk associated with unencrypted data.

An employee taking a USB hard disk home with 60MB of sensitive data on it involves more risk than working without security offsite. The Deloitte 2006 Global Security Survey found that 84 per cent of businesses interviewed had had to deal with unauthorised access to business data. In 18 per cent of cases customer details were also leaked. This creates massive costs to the business, both monetary and reputational, and it also leaves individuals in an extremely vulnerable situation.

As such, safeguarding information on all kinds of data media should be placed higher on the agenda. Businesses should realise that data is the nucleus of their operations and therefore should be treated as such.

Legislation

Perhaps the UK lags behind the leaders in this area (the US and Australia) due to its lack of a holistic approach to security and reporting of data security breaches.

In the UK, if your bank, local authority or online food shop has its servers hacked, it is unlikely that you will ever find out. There is no law making it mandatory to report such incidents, and criminals operating in this way are likely to be after personal details for the purpose of fraud, leaving individuals at huge risk.

Without a legal requirement to report, it is more than likely that a company will try to keep such an incident secret. The damage to a company’s reputation and share price can be irreparable.

We need to look to the US: since 2003, Californian law has stipulated that all companies must report identity theft and inform individuals of the fact that their personal data has been stolen or lost. Other states have followed in its footsteps.

Finally, in the UK noise is being made about implementing a similar law. The House of Lords Select Committee on Science and Technology has started discussing internet security and disclosure of breaches. It has strongly suggested the need for a data security breach notification law, arguing it to be among the most important advances the UK could make in promoting internet security.

This would not only make everyone feel safer; it would also create more transparency and ensure a better bird’s-eye view of the security picture. Perhaps this will lead to a reprioritisation of IT spend.

Encryption

So what is the answer? Of course there is never a simple solution, but holistic security policies are a start. Organisations need to look beyond the firewall, VPN and anti-virus and evaluate their end-point security. It’s important to remember that the business transcends the firewall; you need to think about PDAs, USB drives and other mobile devices.

You must ensure these are secure by using robust, multi-layer security such as AAA (authentication, authorisation and accounting), biometrics and encryption. The crux of the issue is that if data is encrypted, business-critical information stays secure no matter what happens to the device. Moreover, data encryption goes beyond the mobile environment. Central network resources should also be encrypted, to ensure that hackers breaching an organisation’s perimeter security can’t acquire and abuse confidential information.

The simple message is that prevention is better than cure. Rather than having your business hit the front pages for the wrong reasons, take preventative steps to keep your critical data safe.

SafeBoot is exhibiting at Infosecurity Europe 2008, on the 22nd – 24th April 2008 in the Grand Hall, Olympia, www.infosec.co.uk

Opinion piece submitted by Tom de Jongh, product manager at SafeBoot
