According to the Department of Trade and Industry (DTI) Information Security Breaches Survey 2006, only one company in seven actually encrypts data on hard disks. Recently, a laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees went missing from a printing firm that was writing to M&S workers about pension changes. Identity theft is a possible result of such losses.
You only have to use email on the Internet, and receive ‘phishing’ emails, to be aware of the many criminals out there today who want to get access to your personal data so they can steal from you. If your company is the repository for sensitive personal data, then it is more important today than ever to protect it. If you carry out credit card transactions and hold information on company networks, then you have to comply with the latest PCI (Payment Card Industry) data security standard by next year, or you may be financially penalised.
Is current protection adequate?
We have used various methods up until now to protect company data, but they are no longer enough in themselves, because of the increased risks we face. Firewalls and access control are commonly used and networks may be protected by multiple layers of firewalls. However, computers being used by staff at home to communicate with the office and access information may not have firewall protection. Even if they do, the user may not have enabled the firewall or may not have updated it. And, of course, if access control is inadequate, firewalls will not stop data being read.
Currently, access control may be no more than a simple password, which is generally recognised as an inadequate security mechanism and may put data at risk. According to the DTI Information Security Survey 2006, the vast majority of companies still rely on weak, static passwords. Companies may also use more sophisticated means, such as strong two-factor authentication. This combines a password with a second method of authentication for logging in. The second method is often a token, but could also be biometrics, a smart card or a virtual token.
Traditionally, larger companies have relied on the security of mainframe systems to protect key data. However, with company-confidential data now routinely accessible from, and downloadable onto, the network, this protection has significantly diminished. Regularly reviewing access control lists is another key component of data security, as is managing email and instant messaging, because unencrypted messages are vulnerable to interception.
These methods are all components in safeguarding data. However, the computing scenario has now changed so much that, on their own, they are unable to cope with the current state of threat. One strong area of risk is allowing unauthorised (or departed) members of staff to retain unmanaged access rights to data for which they have no valid need. This is a major cause of data leakage. A common failure in larger companies is terminating the departing user’s rights at the last place he/she was located, but neglecting to terminate access rights at previous divisions or locations.
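One way to operationalise the access review described above, as an added example that is not part of the original article: it reconciles each division's access control list against an HR leavers feed and flags leavers whose rights were revoked at their last location only. HR_FEED, DIVISION_ACLS and their layout are constructed assumptions, not any real company's data.

```python
# Added example (not from the article): a cross-division access review that
# reconciles every division's ACL against an HR leavers feed. All data below
# is constructed; the HR feed and ACL layout are assumptions.
from collections import defaultdict

# Hypothetical HR feed: user id -> (status, division the person last worked in)
HR_FEED = {
    "asmith": ("left", "london"),
    "bjones": ("active", "leeds"),
    "cwong": ("left", "leeds"),
    "dpatel": ("left", "london"),
}

# Hypothetical per-division ACLs: division -> resource -> granted user ids.
# asmith and cwong were removed at their last division only; dpatel everywhere.
DIVISION_ACLS = {
    "london": {"payroll_share": {"bjones"}, "hr_database": {"bjones", "cwong"}},
    "leeds": {"pension_files": {"asmith", "bjones"}, "crm": {"asmith"}},
}


def find_orphaned_access(hr_feed, division_acls):
    """Return sorted (user, division, resource) for every non-active user still granted access."""
    findings = []
    for division, resources in division_acls.items():
        for resource, users in resources.items():
            for user in users:
                # A user HR does not know about has no owner; treat like a leaver.
                status = hr_feed.get(user, ("unknown", None))[0]
                if status != "active":
                    findings.append((user, division, resource))
    return sorted(findings)


def revoked_at_last_location_only(hr_feed, division_acls):
    """Leavers with no rights at the division they left but rights elsewhere."""
    held = defaultdict(set)  # user id -> divisions where any right remains
    for division, resources in division_acls.items():
        for users in resources.values():
            for user in users:
                held[user].add(division)
    return sorted(
        user for user, (status, last_division) in hr_feed.items()
        if status == "left" and held[user] and last_division not in held[user]
    )


if __name__ == "__main__":
    print(find_orphaned_access(HR_FEED, DIVISION_ACLS))
    print(revoked_at_last_location_only(HR_FEED, DIVISION_ACLS))
```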