Keith Ricketts, Marketing Director at Becrypt, talks us through the complexities of accessing and sharing data, and explains how, no matter how strong the encryption in use is, it is policies, procedures and staff behaviour that ensure a secure system.
As organisations embrace the 24/7 culture, with the sun never setting on global markets, staff are under pressure to cram ever more into their working day. Technology has been a great enabler, with people now working from any location, office, home and while on the move using a variety of different devices including PCs, laptops, tablets and smartphones. Often staff now expect to have all their different devices synchronised so that they can access their documents from any of their devices in any location. While all this is great for employees that want more flexible working arrangements, it is not so good for the Security Officer, who is tasked with safeguarding sensitive data, whether it be intellectual property, commercially competitive information or client data.
Becrypt recently achieved EU Certification for its DISK encryption products, the first company to do so. This means that organisations wishing to handle EU restricted data can now do so using Becrypt’s DISK Protect. Until this time there was no easy way for governments across Europe to share data. Organisations in the commercial world face similar issues. They need to keep data safe within the organisation, which, with the advent of mobile and home working, is in itself a lot more complex than it used to be. They also need to be sure that when data is shared with trusted third parties, it remains secure.
While the use of encryption and other cyber security products has an important part to play, it is how they are deployed and the policy framework around them that will ensure a robustly secure system. Modern encryption algorithms are extremely strong and typically are not directly targeted. For this reason, cyber criminals, fraudsters and even disgruntled employees will simply target a weak point in the system, which is often the endpoint.
It is vital to have strong data security policies and procedures which are communicated clearly to all employees. Equally important is to consider where your data is. As organisations take advantage of cloud computing, mobile/remote working, and bring your own device (BYOD) trends, knowing where your data is is no longer straightforward, and therefore protecting it is that much more complex.
Before any data security solution is implemented it is important to know what you are trying to achieve. First you must decide policy: who has access to what data, and what can be shared with outside organisations. You need to strike a balance between keeping data confidential, protecting its integrity (ensuring that it hasn’t been tampered with) and providing accessibility.
Organisations need to think about where their data is actually stored and, particularly if using cloud technology, where it may end up. Additionally, there could be data protection issues when data crosses national borders. As well as encrypting data while in transit in the cloud, should it also be encrypted while at rest in the cloud? Could an ex-employee access that data? There need to be processes in place to ensure that this can’t happen.
While there is much written about hacking, denial of service and other sorts of attacks, and they are certainly on the increase, for most organisations it is the threat from within, i.e. staff, that is by far the highest risk to corporate data. Whether malicious, thoughtless or just unlucky, it is a fact of life that staff will lose laptops, tablets and smartphones, and therefore the data on them. Staff education, and in some cases a complete change in culture and attitudes towards data protection, needs to be implemented. Processes must be designed to ensure that policy is maintained, and that staff understand both the policy and why they need to follow it.
Policies should ensure that a balance is maintained between keeping data secure and allowing staff access so that they can do their job. Ideally, people should have access to no more data than they need. It is often the amalgamation of data sets that makes them sensitive, for example, the combination of names, addresses and account number information. Each data set on its own is fairly meaningless, but when combined it becomes exponentially more sensitive, and valuable.
Technology can be harnessed to ensure that data security procedures are easy to follow for everyone. Encryption that works in the background on desktop PCs, laptops, tablets and even smartphones is now available. Once they have logged on, end users are not even aware of it. Solutions are available to ensure that only authorised USB devices can be used to store data, or indeed that certain data cannot be saved to an external device. There are other remote working solutions that enable staff to connect to the corporate network securely, even using their home PC, without any possibility of the network being compromised by malware from the home PC, or any trace of the work session, including data saved, being left on the PC after the session has been completed. Furthermore, this secure remote working system is carried on a USB stick, so employees don’t even need to carry a laptop, and if it is lost, as the device itself is encrypted, no data can be accessed.
All of these systems can be managed from a central console, meaning that an engineer does not need to visit a computer to install the system or upgrade software. An audit trail can be produced so organisations are not only complying with legislation such as Sarbanes-Oxley, Data Protection and the FSA, they can also prove that they have complied. Should any issues arise, the IT department or the security office can be alerted immediately and rights can be revoked remotely, if required.
With the consumerisation of IT and staff expecting to be able to use their own devices at work, protecting data is getting more and more complex. However, there are ways to protect sensitive data and avoid the hefty fines and bad publicity that come with a breach. Harnessing technology, adopting common sense policies and educating staff on the dangers of not treating data with the respect it deserves will go a long way to keeping out of the headlines and ensuring that intellectual property, commercially sensitive information and valuable customer data remain protected.