Winter of Disc Content
(18/01/2008)
November and December 2007 have certainly had a wintry outlook for UK Government departments, and have given much cause for discontent. First, HM Revenue & Customs mislaid CDs with 25 million personal records on them. This was swiftly followed by a number of admissions of other data leaks from Govt. offices, all involving the loss of discs with sensitive content that wasn’t encrypted or protected.
It’s easy for us to tut, shake our heads at the folly of it all, and say “that couldn’t happen to us”. But a November 07 survey of UK IT managers and directors in the public and private sectors showed that a majority of companies are at risk of similar leaks – simply because they don’t have adequate security measures in place.
Risky business
Less than 50% of the survey’s respondents have deployed any form of data encryption, and fewer than 40% have any endpoint security set up on their PCs, laptops and mobile devices.
Despite this, a startling 65% of the IT managers surveyed said they were unlikely to change their IT spending priorities. Yet when asked about their IT security policy, 73% admitted their organisation’s IT policy included data protection guidelines covering the use of USB drives for transporting data.
So a majority of companies surveyed are in exactly the same position as HMRC – they have policies covering data leaks, but don’t have technology to enforce those policies. This puts those companies equally at risk of losing sensitive data, despite their confidence in their own security.
So how should businesses address the issue of data leaks, and what solutions should they consider? Broadly, this means looking at three key issues.
The first is hard disk encryption of laptops, and smart devices such as PDAs, mobile phones and USB devices. Second is auditing and controlling data transfer and access to removable media, for example CDs, USB keys etc. The final issue is the security policy running on the user’s endpoint device – whether PC or laptop. Let’s look at each of these issues in turn.
Encryption matters
Encryption for laptops boils down to two choices: full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP comes with file-based encryption built in. While this means that anything stored in specific folders or directories is encrypted automatically, there is a big security flaw. It relies on you and other users putting files in the encrypted folders themselves.
That’s fine in theory, but do you really want to rely on others to decide what’s sensitive information, and to place it in the right folder? The advantage of full disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it – and can’t interfere.
Security in hand
So far, so good – but what about PDAs and smart phones? The key here is a rigorous audit of all the devices being used within the company, and then deploying a single encryption solution to cover as many of the devices as possible. Unauthorised handheld devices should not be allowed to connect to the main network, or to store sensitive data. The solution chosen should again encrypt data automatically with no user intervention.
Stopping disc content
It’s also important to remember that hard disks are only one storage medium on a typical laptop. This brings us to the second area for endpoint security: management and control of data leakage. This means controlling the flow of data onto peripheral devices such as CD, DVD or USB drives and portable storage media, including mp3 players and digital cameras.
The starting point for protection against leaks via these USB devices is to include them in the corporate acceptable usage policy (AUP) and to educate all users on the importance of following policy – and the risks of breaching that policy.
Policies also need to be backed up and enforced by port control solutions, which can automatically block a USB device that does not comply with the security policy, or prevent the transfer of certain files or file types.
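The port control decision described above can be sketched as a small policy check. This is an added example, not code from the article or from any product; the device fields, the blocked file types and the identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePath

@dataclass(frozen=True)
class Device:
    vendor_id: str
    product_id: str
    serial: str
    encrypted: bool  # device-level encryption reported as active

@dataclass
class PortPolicy:
    approved: set  # {(vendor_id, product_id, serial)} of company-issued devices
    require_encryption: bool = True
    blocked_extensions: frozenset = frozenset({".mdb", ".xls", ".csv", ".pst"})
    audit_log: list = field(default_factory=list)

    def check_transfer(self, user, device, filename):
        """Decide one write to removable media; every decision is audited."""
        key = (device.vendor_id.lower(), device.product_id.lower(), device.serial)
        # Compare every suffix, lower-cased, so "Payroll.XLS" and
        # "export.csv.bak" are both caught. Extension matching is the simplest
        # file-type control; it does not inspect file content.
        hits = [s for s in PurePath(filename.lower()).suffixes
                if s in self.blocked_extensions]
        if key not in self.approved:
            allowed, reason = False, "device not approved"  # default deny
        elif self.require_encryption and not device.encrypted:
            allowed, reason = False, "device not encrypted"
        elif hits:
            allowed, reason = False, "file type blocked: " + hits[0]
        else:
            allowed, reason = True, "allowed"
        self.audit_log.append({"user": user, "serial": device.serial,
                               "file": filename, "allowed": allowed,
                               "reason": reason})
        return allowed, reason

if __name__ == "__main__":
    # Constructed sample data, not real device identifiers.
    policy = PortPolicy(approved={("aaaa", "0001", "SN-CONSTRUCTED-01")})
    issued = Device("AAAA", "0001", "SN-CONSTRUCTED-01", encrypted=True)
    personal = Device("bbbb", "0002", "SN-CONSTRUCTED-02", encrypted=False)
    for dev, name in [(issued, "notes.txt"), (issued, "Payroll.XLS"),
                      (personal, "notes.txt")]:
        print(name, policy.check_transfer("alice", dev, name))
```

The audit log records denied attempts as well as permitted ones, which is what makes the control usable for the auditing of removable media that the article calls for.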
At the end(point)
This leads us to the third area of endpoint security: protecting the data on the machine from software threats, such as malicious code.
Effective endpoint security starts with every machine running a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the central network. The endpoint security client should also ensure that the laptop is running the appropriate software patches and includes Virtual Private Networking (VPN) for secure transfer of corporate information back to the network – all managed centrally.
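The admission check in the paragraph above, written out as an added example (not code from the article or from any endpoint security product). The report field names, the three-day signature age limit and the patch identifiers are assumptions; the article gives no thresholds.

```python
from datetime import date, timedelta

# Assumed policy values for illustration only.
MAX_SIGNATURE_AGE = timedelta(days=3)
REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}  # placeholder identifiers

def admission_decision(report, today):
    """Return ("admit" or "quarantine", [failures]) for one endpoint report.

    Missing fields fail closed: a client that does not report a control
    is treated as not having it.
    """
    failures = []
    if not report.get("firewall_enabled", False):
        failures.append("firewall disabled")

    sig = report.get("av_signature_date")
    if not report.get("av_running", False):
        failures.append("antivirus not running")
    elif sig is None or sig > today or today - sig > MAX_SIGNATURE_AGE:
        # A signature date in the future means a wrong clock or a bad
        # report, so it is rejected rather than trusted.
        failures.append("antivirus signatures out of date")

    missing = REQUIRED_PATCHES - set(report.get("installed_patches", ()))
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))

    if not report.get("vpn_client_installed", False):
        failures.append("VPN client missing")

    return ("admit" if not failures else "quarantine", failures)

if __name__ == "__main__":
    # Constructed sample report for a laptop that has been off the network.
    stale_laptop = {
        "firewall_enabled": True,
        "av_running": True,
        "av_signature_date": date(2008, 1, 1),
        "installed_patches": ["PATCH-A"],
        "vpn_client_installed": True,
    }
    print(admission_decision(stale_laptop, today=date(2008, 1, 18)))
```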
In conclusion, it’s easy to be complacent on the issue of data leaks. Yet it’s also easy to put measures in place that drastically reduce the chance of data leaks happening. Wouldn’t you rather be safe in the knowledge that you’re secured against leaks, than run the risk of losing disc content this winter?

