Commentary - A day doesn’t seem to pass without another garden-variety security story making the news. Let’s face it -- it’s becoming harder to rank the severity of each breach because of the high volume and frequency with which they are reported. The recent BP laptop story is a real wake-up call to corporations and governments everywhere. As organizations look to prevent these sorts of damaging data breaches, a series of best practices has emerged. First, train end users to make sure they understand how to recognize and treat sensitive data. Second, build a robust set of processes for the handling of sensitive information. Third, put in place the appropriate technical controls designed to prevent a breach from occurring. Together, these steps form a layered security approach to help prevent a major problem, but in so many of the major breaches that hit the headlines, it’s clear that many companies have a long way to go.
In the first case, employees who handle sensitive information must first be trained simply to identify it. For those of us who live every day in data security, this is a matter of reflex. But most employees who are trying to add a new employee to payroll, sign an agreement with a partner, or work with consumer data are simply trying to do their jobs. Most are blissfully unaware of the risks of mistreating that data. The first order of business is to adequately train employees to identify and handle sensitive information and, just as importantly, to understand the risks of mishandling it. The fact is that for many organizations security training is simply seen as an irritant, something that can be treated as a check-box item to be dealt with once a year. However, as employees have access to an ever-increasing range of devices capable of storing large amounts of data, they become custodians of potentially vast amounts of sensitive information. The kind of awareness and training that was acceptable five years ago is simply not sufficient when it’s possible to carry terabytes of storage around in someone’s briefcase.
The second set of safeguards -- that of good processes -- is often where organizations have the most problems. Good processes should help reinforce existing good habits, and they should also help rectify lax behavior before a breach occurs. However, as businesses become increasingly aggressive in the way they adopt new technologies, and as organizations are driven to be more agile, processes designed to promote secure handling of data rapidly become outdated and irrelevant. What is of greatest concern is that as businesses start to adopt new technologies such as cloud computing, these already misaligned processes may be discarded entirely -- and that’s a recipe for a disastrous breach. Good processes should prevent unsafe handling of information, but in so many of the breaches we see in the news, it’s clear that whatever processes were in place at the time were simply ignored.
The final area where failures have occurred is that of the technical controls. Data is moving more quickly and in greater quantities on to more endpoints than ever before. Unfortunately, the controls designed to protect that information have failed, in many cases, to keep pace. So when users make mistakes caused by lack of knowledge or training, and the processes aren’t there to correct those mistakes and prevent a problem, the last line of defense, the technical controls, has been unable to stop a data breach, or was simply absent entirely. For example, we’re seeing more and more cases of breaches involving removable media devices, in which data is stored temporarily on a flash drive and then the device itself is misplaced. Simple protection, such as enforcing encryption of the data on that device, would have prevented a breach. But that protection is simply not in place -- and the organization is faced with expensive fines, litigation, and very embarrassing and expensive bad publicity. Many companies have shied away from deploying an integrated data security product for fear of business disruption or end-user protest. However, new technology has effectively removed much of the tradeoff between usability and security, and it is now easier than ever before to deploy systems that protect desktops, laptops, and especially removable media of all kinds.
Good security should be built around defense in depth, and that has to start with the people handling the data and the way it’s handled. If those fail, then the organization must have the right technical controls to provide a last line of defense before disaster strikes. Regardless of the official security policy, sensitive corporate data will find its way everywhere, including corporate endpoints like laptops and thumb drives. The truth is that employees will keep losing their devices; the only way organizations can protect their customers, employees, partners, and shareholders is to pursue an integrated data protection strategy. As consumerization brings more smartphones, iPads and other devices into the corporate environment, data risk multiplies and becomes even harder to control. Companies and governments need to make data security a priority and get ahead of this now.
Geoff Webb is product marketing director at Credant Technologies with over 20 years of experience in the tech industry. He is responsible for bringing to market the company’s data and cloud security solutions. Webb holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.