Block Data Leakage at the Source
by Ian Kilpatrick - Chairman Wick Hill Group - Monday, 29 October 2007.
Currently, access control may be no more than a simple password, which is generally recognised as an inadequate security mechanism and may put data at risk. According to the DTI Information Security Survey 2006, the vast majority of companies still rely on weak, static passwords. Companies may also use more sophisticated means, such as strong two-factor authentication. This combines a password with a second method of authentication at login. The second method could be a token, but could also be biometrics, a smart card or a virtual token.

Traditionally, larger companies have relied on the security of mainframe systems to protect key data. However, with this company-confidential data now routinely accessible from, and downloadable onto, the network, that protection has significantly diminished. Regularly reviewing access control lists is another key component of data security, as is managing email and instant messaging, because unencrypted emails are vulnerable to interception.

These methods are all components in safeguarding data. However, the computing scenario has now changed so much that, on their own, they are unable to cope with the current level of threat. One strong area of risk is allowing unauthorised (or departed) members of staff to retain unmanaged access rights to data for which they have no valid need. This is a major cause of data leakage. A common failure in larger companies is to terminate the departing user's rights at the last place he/she was located, while neglecting to terminate access rights at previous divisions or locations.
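The failure just described can be caught by a routine reconciliation of the HR roster against each location's access list. The following is an added example, not code from the article or from Wick Hill; the roster format, the location names, the `Finding` record and the constructed data are all assumptions made for illustration.

```python
"""Added example: reconcile per-location access lists against an HR roster.

Flags the two kinds of stale entry the article warns about:
  * any rights still held by departed staff, and
  * rights a current employee still holds at a location they have since left
    (the case where access was only revoked at the user's last site).
Rights at a location the user has never worked at are left alone here, since
cross-site access may be legitimate and needs a human access review instead.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    location: str
    reason: str


# Constructed HR roster: user -> (status, current location, previous locations)
HR_ROSTER = {
    "asmith": ("active", "london", ()),
    "bjones": ("active", "manchester", ("leeds",)),  # transferred from leeds
    "cbrown": ("left", "leeds", ("london",)),        # departed; revoked at leeds only
}

# Constructed per-location access lists: location -> {user: set of rights}
LOCATION_ACLS = {
    "london": {"asmith": {"read", "write"}, "cbrown": {"read"}},
    "manchester": {"bjones": {"read"}},
    "leeds": {"bjones": {"admin"}, "dwho": {"read"}},
}


def find_stale_access(roster, acls):
    """Return Findings for every ACL entry that HR data says should not exist."""
    findings = []
    for location, entries in sorted(acls.items()):
        for user in sorted(entries):
            record = roster.get(user)
            if record is None:
                findings.append(Finding(user, location, "no HR record"))
                continue
            status, _current, previous = record
            if status != "active":
                findings.append(Finding(user, location, "departed staff"))
            elif location in previous:
                findings.append(Finding(user, location, "rights retained at previous location"))
    return findings


if __name__ == "__main__":
    for f in find_stale_access(HR_ROSTER, LOCATION_ACLS):
        print(f"{f.location:<12}{f.user:<10}{f.reason}")
```

Run against real exports, the output is the list of entries to revoke or to send for review, ordered by location so each site administrator gets their own section.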


Companies now need to review how the risks to their organisations have changed with regard to data confidentiality, and assess what the current dangers are. A risk assessment can be carried out and positive action drawn up to protect against the relevant threats. A key part of any programme will be to communicate regularly to staff that data protection is the responsibility of everyone in an organisation, not just the IT team. It should also be reiterated that any unauthorised access to or misuse of data by staff, whether non-malicious but done without authorisation, or done with criminal intent, is not acceptable.

High risk areas

Email

Email is a key area of risk for many organisations. Email travels over the Internet via a series of servers. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail: they are easy to intercept and read without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use keyword searching to find (to order) information for interested businesses.
