Human error continues to be the primary cause of IT security breaches. In fact, the UK Government has faced repeated embarrassments over lost data, with over 270 data breaches being reported over the past year alone. Prime Minister Gordon Brown recently stated that the government cannot promise the safety of personal data entrusted by the public, citing human error as the reason.
Primarily the reason why security processes fail is that individuals are given the option to bypass them. If you take PA Consulting's loss of a memory stick containing personal data on every one of the 84,000 prisoners in England and Wales as an example, a single employee was in breach of its well-established information security processes.
I'm sure he, or she, did not set out to intentionally destroy the reputation PA had built itself for handling sensitive government information securely for over 60 years, or to lose the £1.5m contract, and potentially jeopardise the remaining £8m contracts, yet that's been the result. The salary of the individual involved has not been disclosed but even a lifetime of hard graft for gratis would never repay this deficit. In the individual's defence, although naivety is a fair charge, the fact remains that they were allowed to bypass the encryption software that would have saved PA its blushes.
So who's to blame?
Let's face it, anyone can make a mistake: the person who
leaves a USB drive behind at the
coffee shop, the employee who forgets to lock their computer before going to
lunch, the commuter who, being efficient, uses their smartphone to review
corporate documents on the train and then leaves it behind, the consultant who
places a CD with information on every employee at the company they are working for
in an airline seatback. But it's the cost of the mistake that's the
differential. So rather than pointing the finger of blame, organisations need
to identify the potential risks and employ damage limitation tactics.
IT departments should never leave data security up to the end-user, they don't have the time or the knowledge, and it certainly wouldn't be considered "reasonable and appropriate" (the underlying theme of data security regulation) if the device, and the data contained, was lost or stolen.
Likewise, everyone within an organisation must understand their responsibility for keeping sensitive information secure and how to use the available technology, such as encryption software, to do so. Often if people understand why they need to do something, then they'll do it: the PA Consulting employee learned this lesson the hard way.
So what's to be done?
To ensure data protection in today's dynamic IT environment,
leading analysts recommend that security protects what matters most: the data
and not necessarily the device. Concerned about the damage and liabilities of
lost and stolen data, enterprises are turning to encryption as a backstop to
prevent corporate and customer information from ending up in the wrong hands.
In fact, data security advice from the Information Commissioner's Office is to
encrypt any personal information held electronically if it will cause damage or
distress if it is lost or stolen.
Organisations need an intelligent, multilayered approach to encryption that automatically safeguards data without complicating essential IT and user operations. A data-centric solution simultaneously meets security, IT operations and compliance needs. Encryption can take place whether data is on a desktop, laptop, PDA or USB stick and it's granular, so administrators can set policies to determine which data is protected and against whom. A data-centric solution uniquely protects individual users' data, without interfering with the other operational processes (upgrades, patches, etc) that need to be done, it protects against the internal threat at a lower cost.
Corporate governance requires organisations to not only have security, but be able to prove it is effective. When a device is lost or stolen then the company has to decide if a "breach notification" needs to be issued, along with all the expense and embarrassment that goes with it.
However, if there is a reasonable belief that the data was encrypted - and can be proved - then the affected individuals whose information has been lost do not need to be informed as it is not at risk. By using a solution that includes a central management console, every machine that is protected reports back to say that it has received the latest instruction and confirms that it has been carried out, keeping all the proof centrally.
This is a tool that could have saved the blushes of Atos Origin, another government contractor that lost track of a memory stick containing user names and passwords for its Gateway site, used by people for their tax, benefits and other government services which had to be temporarily suspended while the loss was investigated. The stick was eventually found in the car park of a pub near Atos Origin's offices, and the fact that data on it was encrypted was discovered.
Every day employees are taking advantage of the latest must-have gadget, even using personal devices in addition to company owned technology, to keep in touch while out of the office. Any organisation that not only embraces this trend, but actively encourages it, has a responsibility to empower its employees to do so securely.
Michael Callahan is vice president, global Marketing, at Credant Technologies. For more information visit www.credant.com
