Although Windows provides some encryption with its Encrypting File System, EFS is difficult to manage and impossible to enforce. Turning it off requires just a couple of mouse clicks, and it doesn’t protect areas of the hard disk such as the swap file or other temporary files. Most importantly, if files are copied from a Windows PC to an MP3 player, floppy disk, mobile phone, ftp site or USB drive they invariably lose their encryption, often without the user being aware that this has happened.
An effective encryption policy, therefore, needs to encompass every device onto which employees might wish to copy files. It also needs to be transparent to users, so that it can be centrally controlled without any user action being required. And it should be impossible to disable, except by authorised administrators. Ideally it should also have the selective ability to block files from being copied to external devices at all, or if the target device doesn’t support the same level of encryption as that which protects the source data.
Your choice of crypto algorithm is also vital. Choose a proprietary encryption system and, if anyone discovers the secret mathematical formula behind it, all of the files that you have every encrypted instantly become public knowledge. Therefore, use a known international standard such as the Advanced Encryption System, or AES, with a key length of at least 256 bits.
What action should be taken?
A management walk-through is a great way to assess the impact of a security breach. Simply sit a group of technical and non-technical managers around a table and discuss a series of “what-if?” scenarios. Such an exercise invariably highlights critical weaknesses in existing strategies which can then be corrected before it’s too late.
For example, walk through the following scenario. A director of your company attended a conference last week, during which his briefcase was snatched from the back seat of his car. The case contained a laptop computer which held a list of the top 10,000 accounts by revenue. The information was not encrypted. This happened on Friday afternoon but it’s now Monday morning and the loss has only just been reported.
Among the topics that you will need to discuss are:
1. How will you ensure that those 10,000 affected companies are discreetly informed about the breach as soon as possible?
2. Who will brief the regulatory authorities and your company’s legal team?
3. What will you tell journalists from the national press and broadcast media, once they get hold of the story and want to hear your version of events?
4. Who is officially responsible for the security of your company’s information, and what will he or she be doing to prevent such an event happening again?
5. Who could make use of the stolen information, and how? Can you put systems in place to help detect instances of this taking place?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.