How to avoid becoming a data leak pariah

Every week we hear of another lapse in the corporate custody of customer data, yet the issue remains low on many boardroom agendas, says Alan Calder.

The proliferation of highly portable database devices, such as the BlackBerry and other smartphones, has changed the boundaries of where we store our data. Such devices have effectively eliminated any notion of a fixed-perimeter fortification as a tool for preventing data leaking from organisations. Yet many firms are guilty of not properly defending information assets.

Consider the recent T-Mobile data breach, where personal details of thousands of mobile phone customers were stolen in possibly the largest data breach of its kind in this country, according the Information Commissioner's Office.

Urgent issue
Poor information security should be one of the most urgent issues for boardrooms. Yet clearly, it is not. At the same time, our mobile and remote ways of working, which promote many operating efficiencies, are here to stay.

However, with those benefits issues arise — removable storage media now enable enormous quantities of sensitive data to be transported out of the door, for instance. Such devices are not just great ways to conceal large volumes of information, they are also vulnerable to loss, theft and damage, as well as offering opportunities for various types of electronic attack.

Ten years ago, mobile phone subscribers and operators only had to worry about eavesdropping and fraud. Those problems have been addressed through digital radio technology; the 3G technologies used today make hacking mobiles difficult and expensive.

However, as they have become more powerful, a whole host of new security threats has emerged, leading to a kind of arms race — the industry defends and the cyber criminals enjoy the challenge of breaking down any new fortification.

A growing number of mobile phones can download user applications and content over the air. That facility means they can also download viruses and spyware. Given the complexity of modern mobile operating environments, the same criminal approaches that we have seen used for many years on PCs can now plague handsets.

Unfortunately, new technology is no answer. Data belonging to Sidekick smartphone users was lost following a disruption at a T-Mobile Cloud-based data-services provider, for instance. And any new technology — Windows 7 or the latest iPhone, for instance — all present new security risks as hackers start finding ways to exploit vulnerabilities.

Consequently, getting the security right from the outset is more important than ever in this mobile environment. The good news is that there are practical measures businesses can take to strengthen their porous perimeter and avoid data simply walking out of the door.

Here are three essential areas to focus on:

1. Encrypt and restrict
Steps in successful and sustainable information security programmes include encrypting all personal data on laptops and removable and portable media.

Carrier networks have good encryption of the airlink, but the link between client and enterprise server remains unprotected unless explicitly managed. Always use a VPN connection when dealing with sensitive data and ensure that it is only available to authorised users.

2. Timetable data retention
Other steps include arranging the physical destruction of redundant computer drives, magnetic media and paper records in accordance with a clear data retention timetable.

Best practice here is contained in the ISO 27001 framework, which sets out how to manage data systems securely, while BS 10012 shows how to meet the requirements of the Data Protection Act.

3. Emulate PC security
Be aware that most mobile users take the Macintosh approach: "I've got a Mac. Viruses are aimed at PCs, so the risk is low." But for how much longer?

The sensible data hygiene approach is to emulate security for the PC on the mobile — avoid suspicious websites and downloading anything unauthorised, and use mobile device management capabilities to verify and control the configuration of all such handsets.

By adopting this cautious approach to data security breaches, organisations can enjoy the better operating efficiencies that a mobile way of working patently promotes — without risking becoming next week's whipping boy for data leakage.

Alan Calder is an information security author and chief executive of security and compliance organisation IT Governance, which publishes the Mobile Security pocket guide.