Embrace Infosec

by Msecadm4921

Embrace information security as your weapon against confidential data loss, says Steve Purdham, CEO of computer security firm SurfControl (www.surfcontrol.com).

Data dilemma

Most organisations now have an umbilical link to the Internet to undertake day-to-day business processes, but dealing with the security threats associated with working online is a great cause of concern for company executives. Senior managers are now beginning to recognise that almost all of their sensitive data is stored in electronic format, and that a considerable percentage of it sits within their email systems. The very real threat is that this information is totally unsecured and can be sent from anyone in the company to anyone outside of it at any time. This is a risk to every company’s sensitive data, whether it is customer information, sales forecasts, financial results or details of a top secret new product in the early stages of development. This problem is compounded by ever evolving external attacks such as hacks, spyware and phishing, which is why the implementation of a comprehensive risk management strategy is no longer a luxury – it’s essential.

Leaking data – why risk it?

Confidential data leakage can not only cause irreparable harm to a company’s reputation and damage investor confidence, but could also lead to massive fines and even criminal convictions. Yet it is shockingly easy for employees to accidentally, without intention or malice, leak confidential information via email. A recent SurfControl survey of UK businesses found that 74pc of businesses acknowledged financial losses due to such security breaches. Moreover, 84pc of all confidential data loss is generated by an organisation’s own internal staff and the majority of that is due to accidental cases of misuse rather than malicious cases of abuse.

The power of email should not be underestimated. At the click of a button one employee can devastate the integrity of a company’s reputation and brand, or even ruin an individual’s life. Just last month an employee at Palm Beach County Health Department in the US accidentally emailed 800 medical staff the complete records of 4,500 patients diagnosed with AIDS and another 2,000 who were HIV-positive. In addition, hundreds of leaked internal memos containing sensitive information relating to organisations throughout the world can be accessed simply by visiting websites such as ‘Internalmemos.com’.

Back in the UK, the City has also reported a rise in employees purposely using email and Instant Messaging (IM) technology to leak commercially sensitive information about the organisation without detection. This is especially prominent during merger and acquisition talks, when the confidentiality of information can mean success or failure in a take-over. A report by Bourne Research revealed that half of those working for UK investment banks now use IM because its ‘real time’ nature makes it ideal for exchanging information in informal networks spanning different continents and time zones. However, public IM is not secure and is extremely difficult to monitor, making it a breeding ground for abuse and the perfect medium through which sensitive data can be leaked.

However, it is not just internal threats like these that must be mitigated. Organisations need to be aware of increasingly sophisticated malicious attacks designed to extract individual and corporate data. For example, spyware is now being used by politically or financially motivated hackers to monitor how an organisation’s network is laid out and where confidential information is located, while key loggers are constantly working to steal passwords and access restricted or personal data. In addition, the transmission of sensitive information over standard email, even between appropriate personnel, can put a company at risk as it is not secured and can be accessed by hackers or disgruntled employees.

Security – boardroom issue

The days of not acknowledging the Information Security risks of inappropriate material that is likely to be travelling over the corporate network are long gone, and the ramifications of failing to protect sensitive data should not be underestimated. All in all, the Department of Trade and Industry’s 2004 Information Security Breaches Survey puts the price of this threat at several billion pounds: the average cost of an incident is £12,000, though the risk is also that a single event might have calamitous consequences. Senior managers need to wake up to the fact that everything their employees read, send or receive over the company network contains a threat to the business. They are no longer able to turn a blind eye to employees’ email and Internet activity in the belief that what they don’t know won’t hurt them.

It is a disturbing truth, but by simply hitting the send button one employee can destroy years of brand development and generate some extremely damaging front page headlines. Furthermore, lax Information Security (IS) resulting in data leakage can seriously impact upon investor confidence and ultimately this may have a significant negative impact upon the bottom line. Moreover, businesses that fail to take reasonable measures to prevent the leakage of confidential information may be held vicariously liable for breach of confidence if, for example, sensitive client lists are sent to a competitor.

A failure to eradicate practices that threaten the safety of sensitive information may also now lead to massive fines and even criminal convictions. High profile corporate scandals such as those that engulfed both Enron and WorldCom have led in recent years to a number of legislative and regulatory changes, enacted to protect investors by combating corporate crime and improving corporate governance. Even if a business is not a subsidiary of a US company and therefore subject to the requirements of US legislation such as Sarbanes-Oxley, it will be affected by the changing and ever more stringent laws here in the UK. These changes are primarily intended to impose tighter regulation of internal controls over financial reporting and disclosure. They are also designed to strengthen existing privacy laws and compel businesses to develop policies for the monitoring, reporting and archiving of business transactions, which includes email and IM.

The legislation basically means that nothing should be happening within an organisation that it is unaware of, unable to find and unable to act upon. The ability to monitor, observe and report on all data traffic is essential and technology is the only way to do this effectively and implement appropriate protective measures.

Policy, education, technology

To mitigate the many threats to corporate confidential data and to be regarded as an open, transparent and compliant organisation, companies should adopt a three-pronged approach to IS by integrating policy, education and technology. Many businesses are already filtering incoming emails to prevent spam and viruses from infiltrating the company network, but this is simply scratching the surface of the IS threats that we are faced with today. SurfControl recently found that 24 per cent of corporate email users claim to have received confidential information from sources at other companies, illustrating the inadequacy of the measures that are currently in place to protect against data leakage. As part of good governance businesses must now monitor all internal and outgoing traffic as well. Leading filtering technology also enables organisations to customise and define sensitive content in line with their individual business needs.
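The outbound check that paragraph calls for, with organisation-defined sensitive content and a different outcome for mail that leaves the company versus mail that stays inside it, as an added Python example; this is not SurfControl's product or code, and the internal domain, the patterns and the sample message are assumptions constructed for illustration:

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed internal mail domain; any other recipient domain counts as outside.
INTERNAL_DOMAIN = "example.com"

# Organisation-defined sensitive content (constructed for this example; a real
# deployment keeps these definitions in policy and tunes them to the business).
SENSITIVE_PATTERNS = {
    "project codename": re.compile(r"\bProject Falcon\b", re.IGNORECASE),
    "patient identifier": re.compile(r"\bNHS\s*(?:No|Number)\.?\s*[:#]?\s*\d{3}[ -]?\d{3}[ -]?\d{4}\b", re.IGNORECASE),
    "classification marking": re.compile(r"\bCONFIDENTIAL\b"),
}

def external_recipients(msg):
    """Recipients (To, Cc, Bcc) whose address is not in INTERNAL_DOMAIN."""
    headers = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", [])
    addrs = [addr.lower() for _, addr in getaddresses(headers) if addr]
    return [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]

def message_text(msg):
    """Subject plus every text/* part, so text attachments are scanned too."""
    parts = [msg.get("subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            parts.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(parts)

def evaluate(raw_message):
    """Apply the outbound policy: quarantine sensitive mail leaving the company,
    flag sensitive mail that stays internal (for the audit trail), else allow."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    hits = sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))
    outside = external_recipients(msg)
    decision = "quarantine" if hits and outside else "flag" if hits else "allow"
    return {"decision": decision, "hits": hits, "external": outside}

# Constructed sample: an internal analyst copies an outside partner on a marked forecast.
SAMPLE = """From: analyst@example.com
To: Jane Doe <jane@example.com>, partner@other-firm.co.uk
Subject: Q3 forecast
Content-Type: text/plain; charset=us-ascii

Attached is the CONFIDENTIAL Project Falcon forecast for the board.
"""
```

A mail gateway would call `evaluate` on each outgoing message and hold anything marked "quarantine" for review, while "flag" results feed the monitoring record the article says good governance requires.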

A comprehensive risk management strategy will ensure that filtering technology is backed up by an Acceptable Use Policy (AUP) that explicitly outlines how employees should use e-mail and the Internet in the workplace. The policy must inform staff that monitoring will take place and the consequences of a breach, up to and including dismissal. This must be clearly communicated to all workers and backed up with education about relevant security threats and how to deal with them. To be effective, employees need to understand their own roles and responsibilities and how they can contribute to the company’s IS objectives. Importantly, the employer must also show that it is prepared to enforce the AUP whenever a breach occurs, otherwise it is rendered useless.

Both home and mobile working are becoming increasingly common, and whilst they provide organisations with much greater flexibility, they also bring with them a raft of potential security problems. As the mobile workforce grows, so does the threat to an organisation’s data, as many businesses have little or no control over the ways that employees use their business notebooks on the move. To be fully protected, companies must also ensure that both the AUP and the filtering technology are extended to non-office based conduct so that mobile users do not engage in inappropriate online activity.

Emerging threats

As the Internet evolves, so too does the nature of the threats to which users are exposed. Businesses must not operate under the misconception that once a strategy has been implemented the problem will be overcome, as this form of complacency will simply leave the business vulnerable as new threats evolve and target the corporate network. In short, having a solution in place that is merely reactive will always leave the business susceptible, and by the time the problem has been identified the damage may well have already been done.

An attitude change is needed by all companies to take responsibility for all internal processes and communications in order to effect good corporate governance, compliance and network security. The CIO, board and IS department must work together to implement the policies, training and technology necessary to protect corporate data. If those at the top fail to take the requisite action they risk suffering a breach of security that could not only damage the company’s brand value and destroy shareholder confidence, but could also end in their own imprisonment.

For more information on this issue download a free copy of a white paper, Changing Attitudes – A UK White Paper on Corporate Governance, from SurfControl: www.surfcontrol.com/go/compliance

SurfControl are exhibiting at Infosecurity Europe 2005. Now in its 10th anniversary year, Infosecurity Europe provides an education programme, new products and services, 250 exhibitors and 10,000 visitors. It is held on 26 to 28 April in the Grand Hall, Olympia, for IT staff involved in information security.