Trust No One
by Nick Lowe - Check Pointís MD for Northern Europe - Tuesday, 11 November 2008.
Itís easy to say what weíre all securing our systems and data against. But isnít easy to say exactly who we need to secure against, nor who presents the biggest threat to our business. Certainly, the largest ever data breach Ė 45 million credit card records stolen from retailer TJX Ė was committed by criminals. But the second largest, last yearís loss of over 25 million child benefit records from Her Majestyís Revenue & Customs in the UK, was caused by an ordinary public-sector employee putting two unencrypted CDs in the post.

This highlights the real problem. Anyone can cause a data breach - whether wittingly or not. As computing becomes pervasive, with data being accessed, worked on, saved and sent from almost any location, itís not just the notional Ďbad guysí we need to protect against: itís ordinary people too.

Because we all make mistakes. We think it will be OK to bend the rules, just this once. And unfortunately, one such incident is all it takes to make a business-threatening data breach. Letís take a closer look at just some of the types of people, and everyday circumstances, that can present this type of security risk.

Can I take that with me?

The overwhelming majority of data leaks reported in the UK over the past year happened because ordinary employees copied data to disks or devices that they shouldnít have. Itís easy to do, and in most cases, is done innocently. But itís the first step towards a breach.

In November 2007, Check Point surveyed 140 IT managers and directors in British public and private sector companies. 73% said their published IT security policy covered data protection issues such as use of USB drives. Less than half the sample had any solutions in place (such as data encryption, or port control) that would actually enforce those policies. Itís no surprise that people will continue copying data. Theyíre just trying to work as efficiently as they can, arenít they? But unless policies are actively enforced by the use of IT solutions, leaks will continue to happen.

Local customs

Last month, the US Department of Homeland Security confirmed what some weary travellers already know: border agents are allowed to search through files on your laptop, Blackberry, smart phone or any other digital device when you enter the country Ė even when there is no Ďreasonable causeí. Officials can keep data or the entire computer, copy what they want and share this data with other agencies. Even if that data is encrypted, are you really going to refuse to give the password? How far will quoting your rights take you? Of course, if the data is not suspicious, guidelines say the copied data should be destroyed. Can you be sure of this? And given the recent track record of Government bodies losing sensitive data, would you want your data in their hands?

Terminal case

Internet kiosks and terminals in departure lounges are a sore temptation for many business travellers. Itís a last chance to check emails before that long flight, or make last-minute changes to an important presentation. After all, itís just making best use of down time. What happens to that sensitive data after the personís finished with the computer? Is the data really permanently wiped from memory? Did they leave a USB stick behind? What are the implications for the companyís security policies if such data is being processed on an unsecured PC? Sometimes, itís a companyís top guns that take the biggest risks with data.


Critical flaw in WiFi routers puts hotels and millions of guests at risk

A critical vulnerability in ANTlabs InnGate devices, a popular Internet gateway for visitor-based networks and commonly installed in hotels and convention centers, has been discovered. The flaw could allow an attacker to monitor or tamper with traffic to and from any hotel WiFi user's connection.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Mar 30th