High risk areas
Email is a key area of risk for many organisations. The route for email over the Internet is via servers. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail. They are easy to intercept and read, without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use key word searching to find (to order) information for interested businesses.
The solution is to use email encryption which enables you to secure the communication and restrict read access to the named recipient only. There are a number of ways of carrying out email encryption which don’t impact the business. For example, encryption specialist Utimaco has a system that enables you to send email as encrypted PDFs, readable by the recipient using a password. Other systems operate around PKI and the use of public and private keys. The common thread is that confidential information can be freely sent over the Internet, with the data secured by encryption.
If you’re emailing remotely, then VPNs can also have an important role to play. This is because VPN encryption will protect the confidentiality of your emails. This applies to both SSL and IPSec VPNs. So companies can require the use of VPNs by employees picking up email remotely. Similarly, VPNs use can be enforced for wireless users. If you don’t want to encrypt all emails, you can just make sure you encrypt confidential emails. Encryption is also a good idea for confidential internal emails. As discussed earlier, the curiosity of some employees can get the better of them. Most administrators have access to email. Or access to internal systems may be gained by outsiders if access control is not secure enough.
Remote and laptop use
The DTI Survey 2006 found that 60% of companies that allow remote access do not encrypt their transmissions and that businesses that allow remote access are more likely to have their networks penetrated. Security is a particular risk when people are working away from the office either at home or while travelling. All remote access to head office applications should be done over encrypted VPNs (either IPsec or SSL) which as already mentioned, will protect data confidentiality.
Laptops are particularly at risk of theft or loss, disappearing from employees’ homes, cars, hotels, etc., etc. The cases of laptop theft quoted earlier, which exposed personal data, would not have been a problem if the companies concerned had encrypted the laptop hard disk. Thieves would have been unable to decipher the information on the laptops.
Wireless computing is a particularly risky area, whether used in or away from the office. Without proper protection, using wireless is like broadcasting in open air for anyone to see. The original wireless security standard, WEP, is flawed and unreliable. The world record for cracking WEP, set in April 2007, currently stands at 3 seconds. WEP’s vulnerability was demonstrated by recent problems at TJX, the parent company of TK Maxx, where the biggest loss of credit card data in history took place. Hackers stole 45 million customer records from the TK Maxx parent company, by breaking into the company’s wireless LAN. WEP had been used to secure the wireless network but WEP is one of the weakest ways of securing wireless and it didn’t stand up to the attack. If the customer records had been securely encrypted, the customer data would have been safeguarded.