SPECIAL REPORT
Encryption Technology for Enterprise Data Protection
Encryption Implementation: Getting It Right the First Time | The Means to an End | Where Are We Vulnerable? | Connections: Open Doors to the Business | Protecting That Vulnerable Data
Published by Global Business Media
Contents

Foreword (page 2) – John Hancock, Editor

Encryption Implementation: Getting It Right the First Time – Sophos Limited
Step One: Time to Start Thinking... | Step Two: Audit | Do you know where your data lives? | Five Key Questions | Step Three: Full Disk Encryption | Step Four: File Encryption | Location-based versus application-aware | Multiple-key versus one organization key | What to encrypt initially? | Step Five: Employee Education | Step Six: Choosing the Right Solution | Sophos SafeGuard Encryption | Summary

The Means to an End (page 8) – John Hancock, Editor
The Need to Know | Digital Data Needs Management but Offers Benefits | Putting the Data to Work | With Information Comes Obligation

Where Are We Vulnerable? (page 10) – Peter Dunwell, Staff Writer
The Vulnerability of Processes | The Vulnerability of Storage | Threats to Data

Connections: Open Doors to the Business (page 12) – Francis Slade, Correspondent
Email, The Digital Scammer’s Communication of Choice | Web Browsing: Opening A Door to the Outside World | New Capabilities: New Threats | Cost versus Risk

Protecting That Vulnerable Data (page 14) – John Hancock, Editor
A Legal Obligation to Protect Data | The Data Protection Act (UK) | A Data Protection Policy | Conclusion

References (page 16)

Published by Global Business Media
Global Business Media Limited, 62 The Street, Ashtead, Surrey KT21 1AT, United Kingdom
Switchboard: +44 (0)1737 850 939
Fax: +44 (0)1737 851 952
Email: info@globalbusinessmedia.org
Website: www.globalbusinessmedia.org

Publisher: Kevin Bell
Editor: John Hancock
Business Development Director: Marie-Anne Brooks
Senior Project Manager: Steve Banks
Advertising Executives: Michael McCarthy, Abigail Coombes
Production Manager: Paul Davies

For further information visit: www.globalbusinessmedia.org

The opinions and views expressed in the editorial content in this publication are those of the authors alone and do not necessarily represent the views of any organisation with which they may be associated. Material in advertisements and promotional features may be considered to represent the views of the advertisers and promoters. The views and opinions expressed in this publication do not necessarily express the views of the Publishers or the Editor. While every care has been taken in the preparation of this publication, neither the Publishers nor the Editor are responsible for such opinions and views or for any inaccuracies in the articles.

© 2016. The entire contents of this publication are protected by copyright. Full details are available from the Publishers. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical photocopying, recording or otherwise, without the prior permission of the copyright owner.
WWW.CEOREPORTS.COM | 1
Foreword

WHERE WOULD we be without data? From the processor in our car keeping tabs on fuel consumption to the contact list in our mobile phone holding records of everyone we know; it’s all data. And the conduct of business and processes for any organization rely increasingly on data. But, before data can be used, it has to be acquired and stored, and often the data is that of other parties: customers, employees, other businesses in the supply chain. That data places a great obligation on businesses, with a body of law and regulation devoted to data management. Its protection is not something that can be taken lightly or operated as a side-line or afterthought to the main work. Data protection is as important as any other discipline in the business.

The opening article in this Special Report, from Sophos Limited, looks in particular at encryption and describes why it is so important in today’s world. The article provides a step-by-step guide to implementing an encryption strategy for securing data that is manageable, free of complexity and limits impact on user productivity.

The second piece considers why data is important to a business and how it can be held, accessed and used. We also explore how the advent of digital technology has made data more useful but also more vulnerable. So, it’s appropriate that Peter Dunwell’s article reviews where organizations are vulnerable with respect to data protection. He explains how knowing the weak points is a good first step in that process. Francis Slade then reviews the other side of connectivity: how systems connect to the outside world and how that can make them vulnerable. Finally, we take a broad view of how to avoid risk and mitigate threat: a strong data policy that covers not only the technology but also the people in the business, usually the first line of defense and, if not properly trained, of weakness.

Data is an area of growing importance, which means that data protection is also an area in which businesses must continue to invest resources, time and effort.
John Hancock, Editor

John Hancock has produced articles and reports on various aspects of global business over the past 15 years. He has also worked as a copywriter for some of the largest corporations in the world, including ING, KPMG and the World Wildlife Fund.
Encryption Implementation: Getting It Right the First Time
Sophos Limited
A Practical Guide to Developing the Right Encryption Strategy

YOU’VE GONE back and forth on encryption, its benefits and challenges, and you’ve made the decision: to keep your data truly safe, your organization needs encryption. So what now? You’ve got options available, but what is the best, safest way to implement encryption without disrupting your users’ workflow and effectiveness? Encryption is necessary in today’s world. Government and industry mandates demand it, and organizations that don’t comply risk financial ruin from the large fines that data breaches can attract. Protecting your data is not only an obligation to your customers, affiliates, and employees, it can be a competitive advantage in your industry. But even veteran security professionals are daunted. Encryption is perceived as an onerous task, complex enough to impact work flow and further complicated by use of mobile devices and the cloud. This guide will walk through designing an encryption implementation strategy that will secure your organization’s data in a way that is manageable, keeps complexity to a minimum, and limits impact on user productivity. Let’s begin with the big picture.
Step One: Time to Start Thinking...

Let’s face it, every company is different. The data protection requirements of a small delivery company will be significantly different from those of a large multi-national organization. But everyone is at risk of a data breach. Data has value. Credit card details, medical histories, financial reports... It all can (and will) be stolen and sold. That’s the “why.” But “how?” Data thieves have options: hacking, targeted attacks and malware, for example. But the biggest risk for data breaches? Human error. Nobody’s perfect. It’s human error that tends to be the weakest link in any security policy. We are all human, and we all make mistakes. Who hasn’t accidentally emailed an attachment to the wrong person, or left a phone or device behind at airport security? Phishing scams are successful at stealing someone’s credentials because we’re not fully alert all of the time – we can’t be. And once a hacker has your credentials, they can do a lot with them. Human error happens. Unfortunately, these small slip-ups can lead to data breaches. So: you know it’s time to look into a solution for these risks and challenges. Where do you begin?
Step Two: Audit

Do you know where your data lives? In most companies, big or small, the answer is: everywhere, really. On your employees’ laptops and desktops, and increasingly on their smartphones or tablets as well. Employees are collaborating, both internally and externally, using cloud-based solutions like Dropbox and Box. Your employees like the ability to access data from everywhere, so that means that your data flows everywhere – to every device that they use. And this is before we even consider the data that resides on your company servers, in-house, or your cloud datacenters. When you’re planning your encryption strategy, look everywhere and consider how encryption will impact how your data is stored, accessed and shared across all of these formats, devices and platforms. This is a good time to look at internal or regulatory requirements, including the General Data Protection Regulation (GDPR), which applies to any company that holds information about European Union citizens. What about when the unthinkable happens? What do you do if you discover a data breach, or unencrypted data leaves your organization en masse? You’ll need a solution that quickly finds not only the culprit, but also exactly what data has escaped.

Five Key Questions

Overwhelmed? It’s understandable. Some consultants recommend work flow reorganization and multifaceted implementation plans before adopting encryption, but there are ways to implement it without forcing additional or unnecessary changes to your users’ workflow. Start by asking these five key questions about how your organization handles data:

1. How does data flow into an organization? (Is it created internally?)
2. How does data move out of an organization?
3. Where is it stored?
4. Who has access to the data?
5. How do employees use data in their day-to-day jobs?
   a. What applications do they use to create or change content?
   b. But just as important, on what devices do they create or change content?

Organizations also have a responsibility to understand who has access to what data and why, and whether or not they can and should limit access to sensitive information. One key example: IT needs access to HR’s network share in order to protect the flow of that information and make sure it remains both operational and secure. But should IT be able to see the actual contents of HR’s files, such as salaries and job performance documentation? There are ways to allow for two levels of access (which we’ll discuss later on). Did you know that more than 72% of IT administrators don’t know the number of shadow IT applications their employees run (Cloud Security Alliance, 2015)? It’s an alarming statistic, but employees don’t have to give up their preferred cloud-based solutions if the appropriate encryption is in place. The audit doesn’t need to be complicated. The table below provides a good jumping-off point for auditing the flow of data in your organization. Also think about other types of sensitive data that are specific to your organization and add them to the list.

[Table: Data Encryption – the audit table referred to above was not preserved in this extraction.]
Step Three: Full Disk Encryption Start with the basics: what happens if your device is lost or stolen? Full disk encryption, sometimes called device encryption, is particularly relevant with the increasing use of mobile devices for business. Most devices come with some sort of built-in protection in the operating system (Microsoft BitLocker in Windows and FileVault 2 in Mac OS X). But most businesses have some mixture of the two operating systems, four if you include iOS and Android for mobile and tablet devices. You’ll want a cross-platform solution that lets you centrally manage keys and recovery functions across platforms, while at the same time offers strong protection and access control of your encryption keys. Full disk encryption is important, but it’s also limited in scope – it only protects the device in the case of loss or theft. More important is what it doesn’t do: full disk encryption does nothing in terms of data security for a running device, and does not protect against targeted attacks, hacking, data stealing malware, other human error scenarios or other threats. Why is this important? Data loss is a different problem than it was in the past. Research shows the most common cause of data breaches is hacking and malware, followed by human error. This is why we urge companies to simultaneously implement file encryption to run alongside full disk encryption.
Step Four: File Encryption

There’s a temptation when setting up your file encryption process to overcomplicate things, picking and choosing what data is encrypted and how, and who can access what information. Some will argue that you should only protect what is important. But that is a part of the problem: if you only protect what is important, you have to identify what qualifies as important. And what happens when your rules for making that determination fail and leave you exposed to a data breach? We recommend beginning the process by encrypting by default. Assume all data created by your employees has value and it’s safest – and easiest – to protect everything. The trick here is to choose an encryption option that is transparent to the employee’s daily workflow. Transparent here means that, in the majority of cases, it doesn’t require a change in your users’ processes. It also means that they can access encrypted content on all the devices they use to perform their job. Encryption, after all, works best when users don’t realize it’s there. HTTPS is a great example of encryption providing protection with very little to no end user knowledge. Millions of users don’t realize that their browser has swapped from HTTP to HTTPS to protect their order or transaction – it simply works. When looking to use file encryption, there are a few important choices to make at the beginning:

• Location-based encryption vs. application-aware encryption
• Key management: multiple-key vs. one organization key
• What to encrypt initially
Location-based versus application-aware

Location-based encryption, often called file and folder encryption, is based on which folders your end users are likely to store important documents in. The challenge with location-based encryption is that it requires your users:

1. to strictly adhere to structured corporate procedures,
2. to know and be able to identify what is important, and
3. to know where they should store these files in order for them to be encrypted.

This opens you up significantly to human error. It requires a lot of employee education and compliance. Inevitably, users will fail to follow proper guidelines or procedures, and sensitive documents will end up unprotected. In contrast, application-aware encryption – also known as “always-on encryption” – lets administrators define a list of trusted applications employees use to create materials. Only these applications have access to the key(s) needed to create, encrypt and access encrypted content. Wherever the trusted applications save a file, it will be encrypted. Location becomes irrelevant at that point, solving the pain point of location-based encryption. Ideally the user never notices this process – the files are encrypted, but because they’re using the trusted application, files open and close without an issue. Application-aware encryption provides less chance of a user making an innocent mistake and accidentally leaving data exposed.

Multiple-key versus one organization key

Key management can be one of the most complex parts of managing any encryption solution. Fortunately, the level of complexity is fully in your control. Again, we recommend beginning simple and adding complexity as needed. By starting with one shared organization key, you begin your encryption process transparently. Internal collaboration is easy, and external collaboration can be easily controlled. From there, though, there are definitely reasons you might want to assign special keys (or group keys) to select groups. Industry regulations mandate access control based on users’ roles and responsibilities, such as Finance or HR departments, which have access to confidential, organizational and personal information. A good analogy is ensuring everyone has access to your house, but limiting access to the family safe. IT administrators can quickly get bogged down with too many group keys, so use them sparingly. Remember, if you start with “always-on encryption” and one organization key, you can revisit the model and add layers later.
What to encrypt initially? As noted earlier, the simplest approach is a “day forward” approach, that is, each time an employee creates or modifies an existing document it will be automatically encrypted. For many organizations, there’s no real need to go back and encrypt older documents. If a user updates an older document, the new version will be automatically encrypted. The right encryption solution will, however, give you the tools you need to encrypt older files and documents if you choose, such as encrypting all existing files by extension (.doc, .xls, etc.).
Step Five: Employee Education

Using an “always-on” approach to encryption will simplify encryption on the end user’s behalf, but employees will still need to be educated on your encryption process, the importance of data security, and their role in protecting your sensitive information. In particular, you’ll want to make sure they understand their obligations and what is expected of them when handling personal and company data. They should also understand exceptions to your encryption policies – specifically, when dealing with external contacts. Encrypting by default means external contacts won’t be able to view documents created by your users without decrypting them first. The right solution, however, will make decryption easy. If a document – be it a marketing brochure, a whitepaper, or a press release – is determined to be public information, the user should be able to decrypt it with a one-click process. This is a conscious action on the user’s part, and it is a logged event that leaves an audit trail for the IT administrator. There’s another layer of protection you’ll want to consider: sharing confidential data with an external party in a secure manner that is still accessible to them. This generally means a password-protected file. You’ll want to have the option to create password-protected files to share with external contacts. Not only does this protect your data, it also tells those external parties that you take security seriously.
Step Six: Choosing the Right Solution

There are several encryption programs on the market, so evaluate closely what you need from one before signing on – not just your needs today, but for the future as well. Things to consider:

• Does the solution work cross-platform and on multiple devices such as Windows, Mac OS X, iOS, and Android?
• Does the software have centralized management and control?
• Does it allow for “application-aware” and “always-on” encryption?
• Where does the solution protect data – in the cloud, on-premise and on all devices?
• How complicated is it to share encrypted content with external users?
• What impact will it have on users’ behavior and work flow?
• Does it provide you with strong key management?
• What is its backup and recovery mechanism for encryption keys, to prevent you from losing access to encrypted information?
Sophos SafeGuard Encryption

Sophos SafeGuard is an award-winning, next-gen encryption solution. It provides always-on, synchronized encryption that intelligently secures your data, protecting it against theft and rendering it unusable in the wrong hands. It’s transparent by design, fitting seamlessly with your existing workflows to support and enable your organization. And it makes it easy to comply with data protection regulations.
Summary

Once the decision is made to find an encryption solution, the real work begins. You need to find a solution that meets your security needs without intruding on your users’ work flow. You’ll want to audit and understand how your data is created and managed and choose a solution that protects your users’ devices as well as your files and data from malicious attacks and malware. But start simply, by encrypting by default and using one organization key at the beginning – you can add layers of complexity later. And don’t forget to keep compliance in mind when developing your policy so you can stay on the right side of data protection laws and regulations.
The Means to an End
John Hancock, Editor
Data is the foundation on which modern businesses are built

BUSINESSES HAVE always needed data to know how much they’ve bought, how much they’ve sold, what expenses have been incurred, who are their suppliers, who are their customers… you get the picture. Once, all that data was kept in paper journals, account books and files in filing cabinets; it would have been difficult to steal in any quantity and, with the most sensitive information, could be kept in a safe. However, nothing stays the same for ever and, in recent times, the form, methods of storage and methods of access for data have dramatically changed with the digital business revolution. That in turn has driven new functionalities and capabilities of what information can be gleaned from data. And those factors: paperless form, virtual storage, fast access from anywhere and powerful analytics to leverage maximum information have made data-related crime easier and more attractive. That’s the theme of this paper but first it will be useful to consider why business needs data.
The Need to Know

Data has become central to everybody’s workday in a sense that was never the case before. In her Houston Chronicle article ‘The Role of Data in Business’ [1], Lynne MacDonald highlights a reality that will be familiar to any manager today: “Companies process, collect and report on large volumes of data… [and] the average manager spends two hours per day hunting for data.” But then, data is a critical component in the modern business mix. Lynne MacDonald again: “the average company could increase annual sales per employee by 14.4 percent if it increased the usability of its data by 10 percent… Investment in effective and efficient methods of transforming data into usable BI [Business Intelligence] will pay dividends.” Data itself is just numbers until somebody applies some analysis to it and compares or matches it to other data. Then data becomes information and that really is valuable. The fact that there were ten sales this week tells us very little unless we know how many sales there usually are in a week. If the norm is seven, that’s good but if the norm is fifteen, that’s bad. The comparison is information; a greatly oversimplified example of the difference between data and information. Businesses today need data more than ever in order to generate information in a host of areas, from legal compliance to marketing results and trends to customer relationship building, supplier management, financial performance… wherever a business can benefit from knowing its current position against where it has come from, where it plans/needs to be and, if possible, where its competitors stand, data will be valuable. Or, as Jack Torrance put it in Management Today, ‘Why small businesses need to think big about data’ [2]: “There’s no point in putting time, effort and cash into data if you don’t use it to improve the way your business works.”
Digital Data Needs Management but Offers Benefits

The phenomenon of digital data has spawned a business discipline in itself. “The vast volumes of digital data that are generated challenge some of the key questions that lie at the heart of records management: what needs to be kept, for how long and how to protect it?” [3] That is how Prof Julie McLeod at Northumbria University describes the need for good data management which, of course, includes considerations of security. As well as the issues of the data that is stored, storage methods also need to be considered. Whereas paper and ways to store it remained pretty much unchanged for millennia, storage of digital records has changed frequently over a few decades. From microfilms to 3.5” floppy discs to PDF and XML, and with a host of formats in between, there can be issues with data stored on outdated media. But that said, the benefits of digital information and records management far outweigh the challenges. The National Archives of Australia sums up those benefits [4]:

• Improved business processes through faster access to and retrieval of information.
• Better-informed decision-making through quicker access to all of the right information.
• Better service delivery because relevant information can be located easily.
• Less staff time spent looking for information. There are fewer information silos.
• More information sharing across the agency and between agencies, and potential for re-use of information by government and the Australian community.
• Lower compliance costs and enhanced ability to provide accurate, timely and transparent responses to legislative and regulatory requirements.
• Mitigation of business and reputational risk and improved business continuity.
• Cost savings from less creation, storage, retrieval and handling of paper records.
Putting the Data to Work

Data can help a business in many aspects of its operations including leveraging relationships with customers. Understanding the customer is nothing new. The landlord of your local pub would have known your name, what you drink, what are your interests… all of this could be used to create a friendly sense of importance for the customer. Today, the principle is the same though the practice is more complex. Jonathan Woodrow in Digital Marketing Magazine [5] explained: “A good data capture strategy will deliver high quality customer data, allowing you to better understand your customers and enhance your relationship with them.” And that understanding is important. Daniel Fallmann, CEO, Mindbreeze says [6], “it’s more critical than ever before to have a comprehensive view of the customer. The modern consumer has unlimited access to digital information right at his or her fingertips and makes purchase decisions more confidently and from a more mature and informed place than their parents and grandparents, who viewed lifelong customer loyalty as a central pillar. Add to that the breath-taking speed at which trends and preferences – and thus markets – are changing, and it’s clear that keeping a finger on the consumer pulse is imperative.” He adds, “there’s more information available than ever before to gain insight into the minds of customers and thus to help companies understand what drives purchase options and to react quickly to changes or new trends.” But, of course, it’s all data which has to be gathered, stored and protected.
With Information Comes Obligation

The more of other people’s information and data that a business gathers, the greater the obligation to keep the data on which that information is based safe. But savvy businesses realize that in that there is a further marketing opportunity: to turn the necessity of security into a customer relationship plus. The UK Information Commissioner’s Office [7] confirms: “If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information.” But it continues with a checklist [8] of which it says, “Adopting the following good practice points will give you a competitive advantage because people will trust you with their information and will be more willing to provide the information you need to run your business successfully.” Data is a valuable component in modern business but with that value come obligations, including ensuring that data is held responsibly and securely.
Where Are We Vulnerable?
Peter Dunwell, Staff Writer
Where do we need to place our defenses for the most effective protection?

AS JOHN Hancock explained in the previous article, at the same time that digital technology has made data easier to collect, store and use, it’s also made it more vulnerable, giving rise to a new digital business discipline – data security. We’re familiar with normal security and the equipment and processes to counter real world threats. But the vulnerabilities with which this paper is concerned are virtual. However, one security constant is that the first step is to identify where you might be vulnerable; where data is stored, used or shared.
The Vulnerability of Processes

Automation

Digital technology can offer enormous benefits but not everybody sees them as unalloyed gains. In his Blue Yonder blog, ’99 percent of all business processes can be automated’ [9], Uwe Weiss acknowledges that, “not everyone views automation as a great opportunity. Concerns have arisen… [including] data being misused and the complete loss of control of the technology. [However] digitalization should not be viewed as a danger, but as a new opportunity.” The challenge is to manage digital technology and data properly so that the risks are avoided and the benefits realized. There’s no doubt that automation brings challenges. The McKinsey & Company paper ‘Accelerating the digitization of business processes’ [10] explains that, “[businesses] should go beyond simply automating an existing process. They must reinvent the entire business process, including cutting the number of steps required, reducing the number of documents, developing automated decision making, and dealing with regulatory and fraud issues.” (author’s italics).

Business Intelligence

If automation is a potential vulnerability, business intelligence (BI) is even more so. Computer Weekly, ‘Trends in big data search and analytics: Business Intelligence in the age of digital transformation’ [11] explains, “… the concept of BI arose at a time in which the amount of data was manageable and conveniently located in databases over which… the IT department had exclusive control…” That ‘exclusive control’ made security an easier task but, as the article continues, “What is needed today are systems that can be handled by the relevant business departments and which also have the ability to integrate a variety of data sources, both structured or unstructured, in their analysis.” It sounds sensible to let more people share the data and information but, as readers will know, the more people that have access to data, the more chance there is of accidental or malicious security breaches. Data sharing, though, is the way things are going and sensible organizations will embrace that. Tableau’s Business Intelligence survey ‘Top 10 Trends for 2016’ [12] put ‘Governance and self-service analytics’ as the number one BI trend for 2016. “Organizations have learned that data governance, when done right, can help nurture a culture of analytics and meet the needs of the business. People are more likely to dig into their data when they have centralized, clean, and fast data sources, and when they know that someone (IT) is looking out for security and performance.” (author’s italics). A process vulnerability occurs where there is no accompanying strategy and policy, including one that addresses security.
The Vulnerability of Storage
Data isn’t only vulnerable when it’s being used; it’s also vulnerable when being stored. Computer World, ‘Top 10 ways to secure your stored data’ [13], explained in 2006, in words that are as relevant today: “Securing stored data involves preventing unauthorized people from accessing it as well as preventing accidental or intentional destruction, infection or corruption of information. While data encryption is a popular topic, it is just one of many techniques and technologies that can be used to implement a tiered data-security strategy.”
Threats to Data
Data is vulnerable to both internal and external threats, though there is a large area of overlap between them.

Internal threats
“…almost 40 percent of IT security breaches are perpetrated by people inside the company. Criminal attacks are particularly likely to happen from the inside: one recent study estimated that 90 percent of criminal computer crimes were committed by employees of the company attacked. Smaller businesses are uniquely vulnerable to IT security breaches because they may lack the more sophisticated intrusion detection and monitoring systems used by large enterprises…” That was the overview from Sally Whittle writing in ZD Net [14]. Internal threats can be the result of error, carelessness or poor procedures (all of which can be addressed by training) or of malice. In the case of malicious data security breaches, similar processes to those applied in combating external threats can be applied.

External threats
It probably goes without saying that external threats are mainly motivated by malice, and the one with which most readers will be familiar is hacking – digital burglary. “Hacks, and application-specific hacks in particular, have become even smarter,” says Mark Vernon in Computer Weekly [15]. But the most frequent attacks involve attempts to insert viruses, worms or Trojans into a computer by sending an email that either contains the threat as an attached file or invites the recipient to ‘click’ for information and so open a door for the threat to come in. Malware that uses the host computer for nefarious purposes can arrive in similar fashion. As well as protective anti-virus and anti-malware software, good policy and procedures for data and IT, plus training and supervision, will help bolster defenses against these threats. Another common threat is phishing – using an email to try to dupe the recipient into passing over data that the criminal can use to target the business, by stealing commercially confidential information or, more likely, by gaining access to money. There are even blended attacks that use a combination of the above to gain information. Whatever the source of vulnerability, the business needs to ensure that its data is protected against being stolen and, if that fails, against being of any use to the thief.
Connections: Open Doors to the Business
Francis Slade, Correspondent

This article will look at the risks associated with our actions, the systems and the hardware we use. Any time that we open a link between our system data store and the outside world, there’s a risk against which there ought to be protection. When, in today’s commercial environment, do we not have links to the wider digital world? Emails, web browsing, storing and accessing files, using the Cloud… everything these days is integrated and connected so it isn’t as if we can close and lock the filing room door to protect our data. We’ll need to do more than that.
Email, The Digital Scammer’s Communication of Choice
As far as emails are concerned, I couldn’t put it better than Kevin Stine and Matthew Scholl writing for Ahima [16]: “E-mail messages are generally sent over untrusted networks - external networks that are outside the organization’s security boundary. When these messages lack appropriate security safeguards, they are like postcards that can be read, copied, and modified at any point along these paths.” There are many digital criminals for whom the email is their virtual jemmy, helping them to gain access to your business data by getting into the system and then using software and skill to ‘pick the locks’ on those places where you store your important data.
Web Browsing: Opening A Door to the Outside World
Web browsing is another common action that can expose the business and its data to threats of theft or corruption. Leave aside the risk of your computer becoming part of a botnet, where criminals create a network of other people’s computers from which to launch their own IT threats – often ‘denial of service’ attacks on large corporations. Every time someone in the business opens a website, a connection is created and, most likely, the website will place a cookie on the visitor’s computer for the website owner’s marketing purposes. However, not all cookies are benign marketing tools; some are designed to infiltrate a Trojan into your system, and even those that are benign will still disrupt the operation of your system in pursuit of their own purposes.
New Capabilities: New Threats
As the digital world expands its reach and the choice of ways in which we can leverage its powers, it also creates new access points through which threats can enter the system.
The Cloud
A lot has been written about the Cloud and its capabilities but there are clouds and clouds. Sara Angeles, writing in Business News Daily [17], quotes David Lavenda of Harmon.ie: “Workers around the world are putting themselves and their employers at risk by indiscriminately using unauthorized file sharing services on their mobile and desktop devices… Employees need to demand Dropbox-like solutions for enterprise tools, bringing the productivity of Dropbox into the secure world of enterprise–sanctioned resources. Employees need to work with IT to adopt a consumer-grade experience with enterprise-grade security.”
Mobile devices
The advent of the smartphone and the tablet has brought two very capable mobile devices into the world of work and business, where operations have to be carried out away from the office at the workpiece (e.g. aircraft maintenance). But mobile devices, especially BYOD (bring your own device), have significant potential to be vulnerable to attack. As Business Zone [18] confirms, “it’s not just the data held on your device that’s susceptible. Devices act as bridgeheads to corporate systems and cloud applications. In the wrong hands, mobile devices can become an open door to critical back-office systems and information.”
Wireless networks
It’s very convenient to connect things wirelessly and this method offers a host of advantages of cost, flexibility and choice of connections. But wireless networks are vulnerable if not properly managed. “Because wireless communication is broadcast over radio waves, eavesdroppers who merely listen to the wireless transmissions can easily pick up unencrypted messages. Unlike wire-based LANs, the wireless LAN user is not restricted to the physical area of a company or to a single access point,” is the warning from Cisco [19]. UC San Diego [20] adds, “[An insertion attack] is based on placing unauthorized devices on the wireless network without going through a security process. Using a laptop or PDA, an attacker tries to connect his wireless client to the base station without any authorization.”
Cost versus Risk
In another industry, Sir Stelios Haji-Ioannou, founder of EasyJet, observed, “If you think safety is expensive, try an accident”. A similar thing might be said of business data protection. It isn’t only the risk to the data that’s involved, it’s the risk to the business’s reputation and the incalculable cost of recovering and compensating those customers, employees and suppliers whose positions might also have been compromised.

Remote working
More prosaically, ordinary remote working, a growing phenomenon and seen as one of the key benefits of a connected digital world, can expose an organization’s systems and data to outside threats by linking an unsecured device to the network. They are usually the threats already described, but companies need to be aware of the risks when considering introducing remote working.

Devices
There probably isn’t any such thing as a secure device and, while a company can introduce the most elaborate security to protect the system from attack, it might still be breached, which is why the next article will look, among other things, at means to keep data safe, even if it does fall into the wrong hands. Whether it’s a desk-top PC, lap-top, tablet or mobile phone, any security method deployed needs to be one that will be able to work on all of those devices and the systems on which they operate – not just the company LAN, WAN or other network, but also the carrier’s platform.
Protecting That Vulnerable Data
John Hancock, Editor

Policy cannot be left to chance; there must be a strategy and a business-wide understanding of policy.

A Legal Obligation to Protect Data

Customers’ data
The obligation to protect whatever data a business holds is not only a matter of morality or good business practice. Where a business holds data about other people, the obligation to protect that data becomes a legal requirement. Josh Hall in Simply Business [21] summed it up: “The Data Protection Act 1998 sets out the obligations conferred upon organizations that handle personal information. Most businesses hold some personal data, for example about customers or employees. If you do, and this information relates to someone that can be identified, you are referred to in the Act as a ‘data controller’. Data controllers have a series of important responsibilities, and must abide by the eight data protection principles.” He then lists the principles.

When things go wrong
If a loss of customer data occurs, the legal consequences will be only one of many, some of which companies might regard as worse long-term outcomes. In October 2015, TalkTalk Telecom Group suffered a cyber-attack in which the personal data (including bank details) of 157,000 customers was stolen. As a consequence, the company suffered the loss of up to £80 million from remedial measures and having to suspend marketing activities, plus 101,000 customers left to join rivals. It wasn’t terminal but it illustrates the significance of data protection. Yes, TalkTalk survived, but who would regard that as a reasonable outcome? As well as the legal obligation, with customers there is also a reputational consideration, and a business that looks after its customers’ data will profit from the resulting trust.

Employees’ data
There are also benefits to be gained from a data protection program as it applies to employees. There will be times when an employer might need to access employee data through, say, monitoring emails. If the company has a poor record on matters of data protection, this will be more difficult to justify. Lawyers Taylor Wessing [22] suggest, “By having an employee data protection policy, an employer can reduce the risk of claims for failing to comply with these laws and give itself greater flexibility to monitor an employee’s use of email, the internet and other devices where necessary.” An organization must protect the data it holds, but that will often entail an approach on several fronts… starting with making sure that the business complies with the law.
The Data Protection Act (UK)
To help those involved with the use and protection of data, the UK Information Commissioner’s Office (ICO) publishes numerous helpful articles and papers, including the summary ‘Data protection – looking after the information you hold’ [23]: “If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:
• Only collect information that you need for a specific purpose;
• Keep it secure;
• Ensure it is relevant and up to date;
• Only hold as much as you need, and only for as long as you need it; and
• Allow the subject of the information to see it on request.”
There are also strict rules on how information must be handled.
A Data Protection Policy

An audit
A data protection policy must start with understanding the current position, and that means a data audit. An audit is a thorough review of all an organization’s digital presence and activities with a view to identifying everyone who has access, how they get access (often more than one way with mobile or remote workers) and how all of those devices and the system are managed. From there it will be necessary to develop a data protection strategy, including for internal and external activities.

Protective software and back-up
The first thought will usually be to ensure that the company has the best detection and protection software in place. This can mean a strong firewall to thwart external threats, anti-virus software to identify and quarantine any incoming software (often, but not always, cookies) and anti-malware software (similar to anti-virus but protecting against cookies and worse that seek to use your computer for their own purposes). Even software as simple as a ‘C drive’ cleaner can remove cluttering temporary files and unhelpful cookies – they might not be malicious but will slow down your processor. And, of course, everything should be backed up continuously.

A data protection strategy
Data is too important for its protection to be left to chance or to what policemen used to call ‘copper’s nous’ – an instinctive nose for something being wrong. There has to be a company policy on not only the protective software but also the way in which data is held. Processes such as encryption can ensure that data is only readable by those authorized and equipped to do so. Cloud Direct [24] explained the importance: “Having a company-wide understanding of the importance of data protection means that your workforce will be more aware of the risks of data loss. Without the regular backup of company data, it won’t be long until a key set of files is lost, productivity has to stop and an embarrassed phone call to customers follows.” What this suggests is that it isn’t only technology that forms a strategy; it’s also about staff training and supervision to ensure that the policy is understood and adhered to. In fact, the ICO emphasizes the need for training and provides a training checklist [25]. Training enables an employer to ensure that everybody understands the procedures, the rules and what to do if things go wrong.
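The strategy paragraph above says that encryption can ensure stored data is readable only by those authorized and equipped to read it, and the earlier email section describes messages that, unprotected, can be “read, copied, and modified”. The Go program below is an added example written for this report; it is not code from any of the sources cited. It uses authenticated encryption (AES-256-GCM from Go’s standard library) on a constructed customer record to show both halves of that promise: without the key the stored bytes are useless to a thief, and any alteration or corruption of the stored bytes is detected and rejected rather than silently decrypted into damaged data. The record contents, the function names and the key-handling comments are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. Assumption for this example: in a
// real deployment the key is held in a key-management service or hardware
// module and is never stored beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. The output is nonce || ciphertext || tag,
// so the holder of the key needs nothing else to decrypt it. A fresh random
// nonce per record is mandatory: GCM loses its guarantees if a nonce is reused.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving one self-describing blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error, not garbage, when the key is wrong
// or when any byte of the stored blob has been altered or corrupted.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record standing in for a row of customer data.
	record := []byte("customer=Jane Example; sortcode=00-00-00; account=00000000")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}

	// With the key, the record is readable again.
	back, err := Open(key, blob)
	fmt.Printf("decrypted ok: %v (%q)\n", err == nil, back)

	// Corrupt one byte of the stored blob: the integrity tag check rejects it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// Without the key (a thief holding only the blob) nothing comes back.
	other, _ := NewKey()
	_, err = Open(other, blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The design point is the choice of an authenticated mode: plain AES in CBC or CTR mode would keep the thief out but would happily decrypt a corrupted or deliberately modified blob into wrong data, whereas GCM ties a tag to every record so corruption and tampering fail loudly and can be logged and investigated.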
Conclusion
Data is a business asset every bit as much as any other asset and, as much as other assets, it’s vulnerable to theft or compromise. The good news is that there are plenty of ways to protect data from those eventualities and even to protect it if it is stolen.
References:
[1] Houston Chronicle, The Role of Data in Business, http://smallbusiness.chron.com/role-data-business-20405.html
[2] Management Today, www.managementtoday.co.uk/why-small-businesses-need-think-big-data/article/1349278
[3] Northumbria University, http://www.managementtoday.co.uk/why-small-businesses-need-think-big-data/article/1349278
[4] National Archives of Australia, www.naa.gov.au/records-management/digital-transition-policy/benefits-of-digital-information.aspx
[5] Digital Marketing Magazine, www.digitalmarketingmagazine.co.uk/digital-marketing-data/why-every-business-needs-a-customer-data-capture-strategy/2310
[6] Computer Weekly, www.computerweekly.com/blog/Data-Matters/Trends-in-big-data-search-and-analytics-Business-Intelligence-in-the-age-of-digital-transformation
[7] Information Commissioner’s Office, www.ico.org.uk/for-organisations/business/
[8] Information Commissioner’s Office, https://ico.org.uk/media/1586/personal_information_online_small_business_checklist.pdf
[9] Blue Yonder Blog, www.blue-yonder.com/blog-e/2015/05/22/digital-reality-awaits-today-99-percent-of-all-business-processes-can-be-automated/
[10] McKinsey & Company, Accelerating the digitization of business processes, www.mckinsey.com/business-functions/business-technology/our-insights/accelerating-the-digitization-of-business-processes
[11] Computer Weekly, www.computerweekly.com/blog/Data-Matters/Trends-in-big-data-search-and-analytics-Business-Intelligence-in-the-age-of-digital-transformation
[12] Tableau, www.tableau.com/sites/default/files/media/Whitepapers/top10bitrends2016_final_gs_2.pdf?ref=lp&signin=2983dc6c39cc543c503ab829a736d7b7 (to download)
[13] ComputerWorld, www.computerworld.com/article/2546352/data-center/top-10-ways-to-secure-your-stored-data.html
[14] ZD Net, http://www.zdnet.com/article/the-top-five-internal-security-threats/
[15] Computer Weekly, http://www.computerweekly.com/feature/Top-five-threats
[16] Ahima, http://bok.ahima.org/doc?oid=99319#.V8reW_krLmE
[17] Business News Daily, http://www.businessnewsdaily.com/6268-file-sharing-dangers.html
[18] Business Zone, http://www.businesszone.co.uk/six-mobile-working-security-risks-and-how-to-avoid-them
[19] Cisco, http://www.ciscopress.com/articles/article.asp?p=177383&seqNum=5
[20] University College of San Diego, www.math.ucsd.edu/~crypto/Projects/DavidChang/Threats.htm
[21] Simply Business, http://www.simplybusiness.co.uk/knowledge/articles/2010/04/2010-04-23-data-protection-key-responsibilities-for-small-businesses/
[22] Taylor Wessing, https://united-kingdom.taylorwessing.com/globaldatahub/article_employee_dp_policies.html
[23] Information Commissioner’s Office, www.ico.org.uk/for-organisations/business/
[24] Cloud Direct, www.clouddirect.net/resources/why-data-protection-policies-are-important/
[25] Information Commissioner, www.ico.org.uk/media/1606/training-checklist.pdf
CEOs Find Solutions To Their Business Challenges With CEO Reports
For the past decade, CEO Reports has been helping CEOs and their management teams to find new solutions to their commercial, technical and operational challenges. Our Special Reports provide readers with an unparalleled depth of information on specialist subjects, which receive limited coverage in the mainstream business media. Each report is designed to help CEOs to make more effective business decisions, by providing a unique mix of:
• Subject specific technical information
• Insight and knowledge from internationally recognised key opinion leaders
• Independent data and analysis
• Unbiased editorial content
subscriptions@globalbusinessmedia.org www.globalbusinessmedia.org