Block Data Leakage at the Source
by Ian Kilpatrick - Chairman Wick Hill Group - Monday, 29 October 2007.
Companies now need to review how the risks to their organisations have changed, with regard to data confidentiality, and assess what the current dangers are. A risk assessment can be carried out and a plan of positive action drawn up to protect against the relevant threats. A key part of any programme will be to regularly communicate to staff that data protection is the responsibility of everyone in an organisation, and not just the IT team. It should also be reiterated that any unauthorised access to or misuse of data by staff is not acceptable, whether it is non-malicious but done without authorisation, or done with criminal intent.

High risk areas


Email is a key area of risk for many organisations. Email crosses the Internet by passing through servers along the way. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail: they are easy to intercept and read, without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use keyword searching to find information, to order, for interested businesses.

The solution is to use email encryption, which enables you to secure the communication and restrict read access to the named recipient only. There are a number of ways of carrying out email encryption that don’t impact the business. For example, encryption specialist Utimaco has a system that enables you to send email as encrypted PDFs, readable by the recipient using a password. Other systems operate around PKI and the use of public and private keys. The common thread is that confidential information can be freely sent over the Internet, with the data secured by encryption.

If you’re emailing remotely, then VPNs can also have an important role to play, because VPN encryption will protect the confidentiality of your emails. This applies to both SSL and IPsec VPNs, so companies can require the use of VPNs by employees picking up email remotely. Similarly, VPN use can be enforced for wireless users. If you don’t want to encrypt all emails, you can just make sure you encrypt confidential emails. Encryption is also a good idea for confidential internal emails. As discussed earlier, the curiosity of some employees can get the better of them, and most administrators have access to email. Access to internal systems may also be gained by outsiders if access control is not secure enough.

Remote and laptop use

The DTI Survey 2006 found that 60% of companies that allow remote access do not encrypt their transmissions, and that businesses that allow remote access are more likely to have their networks penetrated. Security is at particular risk when people are working away from the office, either at home or while travelling. All remote access to head office applications should be done over encrypted VPNs (either IPsec or SSL), which, as already mentioned, will protect data confidentiality.

Laptops are particularly at risk of theft or loss, disappearing from employees’ homes, cars, hotels, etc. The cases of laptop theft quoted earlier, which exposed personal data, would not have been a problem if the companies concerned had encrypted the laptop hard disk. Thieves would have been unable to decipher the information on the laptops.


Wireless computing is a particularly risky area, whether used in or away from the office. Without proper protection, using wireless is like broadcasting in open air for anyone to see. The original wireless security standard, WEP, is flawed and unreliable. The world record for cracking WEP, set in April 2007, currently stands at 3 seconds. WEP’s vulnerability was demonstrated by recent problems at TJX, the parent company of TK Maxx, where the biggest loss of credit card data in history took place. Hackers stole 45 million customer records by breaking into the company’s wireless LAN. WEP had been used to secure the wireless network, but it is one of the weakest ways of securing wireless and it didn’t stand up to the attack. If the customer records had been securely encrypted, the customer data would have been safeguarded.

