In this article David Tomlinson, managing director of the data security company Data Encryption Systems (DES), takes a detailed look at how encryption can safeguard a company's reputation and, at the same time, protect against unnecessary fines. Tomlinson explains how simple encryption is to use and why it should be as commonplace in an organisation's policies and procedures as installing antivirus software.
Loss of Reputation
In February 2007, the Financial Services Authority fined Nationwide Building Society almost £1m for failing to have effective systems and controls to manage its information security risks. The failings came to light after the theft of an unencrypted laptop from a Nationwide employee's home. The 'crime' was especially heinous when the FSA discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
The Nationwide fine followed close on the heels of the revelation by the TJX Companies group in the US of a massive data breach in which an 'unauthorised intruder' gained access to its systems over an 18-month period and made off with nearly 46 million credit and debit card numbers of customers in the US, Canada and the UK. The data loss has so far cost TJX around $17m, not to mention its reputation. It's not unreasonable to suggest that ultimately it may cost the company its independence as well.
When you consider that The Ponemon Institute's Annual Study on Enterprise Encryption Trends (2008) found that the total average cost of a data breach has increased 28% since 2007, and that the cost of lost business due to a data breach now accounts for 53% of data breach costs, as opposed to 36% in 2007, it is a problem no company can afford to ignore. At the heart of these data breaches, and particularly at Nationwide, is companies' - or their staff's - unwillingness or inability to consider using encryption to safeguard their data. The reason, until now, has been the reasonable complaint that encryption sounds difficult and has been difficult to use.
Making Encryption Fit in with the Way People Work
Using encryption has arguably never been more vital, because there is no such thing as an organisational perimeter any more.
Data has to be taken out of the building, and information has to travel between mobile workers, business partners and so on. How should that data be protected? Encryption is the obvious answer, but there are numerous stories of customers struggling - and failing - to use encryption effectively. The word 'encryption' even sounds daunting!
Its perceived user-unfriendliness, and the fear of being left high and dry without their data, have left users willing to take a risk, preferring to carry their unencrypted laptops with them at all times. Here are just a couple of examples I've come across:
We had engineering staff working over the Christmas break to complete a critical project for a major client. But everything had stopped while we awaited the final system design documents. After two or three hours struggling with the then leading data security product, our customer's head of software development finally uploaded a plain copy to our FTP site and asked us to encrypt it at our end. Faced with missing a project milestone he was forced into taking a risk with extremely sensitive data.
On another occasion, we were due to take delivery of documentation relating to banking security. Although we had signed a series of tightly worded non-disclosure agreements, when we asked how the documents were encrypted, the client's senior executive explained that they were no longer encrypted. She had recently made a transatlantic flight with the same information, which was to form part of a critical technical presentation, and found that the content couldn't be decrypted. "I know it's company policy to encrypt this information," she said, "but I haven't encrypted it because the last time I was at a conference, I couldn't access my presentation. Now I'm 'once bitten, twice shy' when it comes to using it again. I didn't encrypt it because it was too important - I was afraid of not being able to decrypt it again."
These two examples sum up the current lack of confidence in encryption. Yet really, using encryption should be as easy as driving a car. You don't need to understand the technology to be able to use it. You just need someone to make the technology usable and make encryption as second nature as firewalls and antivirus.
How do we do that? At the heart of the problems with public acceptance of encryption are training and terminology issues. Suppliers are continually coining new terms that even hard-bitten security analysts find hard to understand, never mind the public. You may recall a Not the Nine O'Clock News sketch back in the 90s, which took the mickey out of the public's lack of knowledge of hi-fi terms such as Dolby, tweeters, decks, gramophones and amps. It's easy to lose the user's understanding with many forms of technology, and encryption must be near the top of the list.
There are also those so-called encryption specialists who say users 'keep asking the same stupid questions' when they don't understand. This is because the 'specialists' simply haven't taken the time and trouble to explain things properly. What we need to do is sensibly 'dumb down' encryption and get rid of the terrible terminology, so that users can be confident, rather than hesitant, about using it.
How to Protect Your Data
Some might say the answer to safeguarding data is to encrypt complete hard disks. Indeed, the US government positively encourages the companies it does business with to offer full disk encryption. But is it really that simple? Full disk encryption will allow you to do stupid things with your data: leave your notebook in a taxi, bus or pub. And it will protect your data against the (probably) non-technical thieving types. This is an important function, as demonstrated by the fact that lost or stolen laptops represent 28% of the breaches identified in the Ponemon Institute's 2008 study, but it only solves one part (or 28%) of the problem. Analysis of the high-profile data breach incidents published over the past couple of years shows that most of the information leaked was from CDs and memory sticks.
Most memory sticks within corporate environments are the private property of the user, and CD-R and DVD-R media are treated as low-cost consumable items. Whilst the loss of a company laptop is virtually impossible for the user to conceal, USB sticks and other removable media represent an insignificant loss, despite the fact that the information they contain may be enormously valuable in itself and the damage caused by its exposure can multiply that value many times over.
While full-disk encryption protects data stored on the computer, users must also be provided with 'granular' encryption tools which allow them to layer their encryption in line with their security needs.
Granular encryption will allow you to do clever things with your data: encrypt files and folders with different encryption keys, encrypt memory sticks, CDs and all removable data, encrypt email and attachments, make encrypted archives of your work and share all of this information securely with both exclusive and overlapping workgroups.
Taking this approach provides a further benefit. Where a systems administrator needs hands-on access to a computer, to perform a software update for example, they are already past the security provided by full disk encryption and will have access to any information stored on the computer. By selectively protecting confidential data using, say, an encrypted folder, the data stays protected. The IT staff shouldn't need the highest security clearance, and granular encryption means that they don't.
Should you use full-disk, or granular encryption? The answer is: use both.
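To make the 'layer' concrete, here is an added example (not code from the article or from DES) of what granular encryption looks like underneath: each workgroup folder is protected by its own key, so an administrator who is already past full-disk encryption, and can read every byte of the disk, still cannot open the finance folder without the finance group's key. It uses Go's standard library AES-256-GCM, which also refuses to decrypt anything that has been tampered with or moved to a different folder. The key names, folder paths and sample payroll text are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// GroupKey is a 256-bit AES key held only by the members of one workgroup
// (for example 'finance'). An administrator's account never receives it.
type GroupKey [32]byte

// NewGroupKey draws a fresh random key. In a real deployment the key would
// come from the product's key store and be escrowed for recovery.
func NewGroupKey() (GroupKey, error) {
	var k GroupKey
	_, err := io.ReadFull(rand.Reader, k[:])
	return k, err
}

// gcmFor builds an AES-256-GCM instance for the given group key.
func gcmFor(key GroupKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one file's contents under the folder's group key. The folder
// path is bound in as associated data, so a ciphertext copied into another
// folder (and therefore another access policy) will not open there.
// Output layout: nonce || ciphertext || authentication tag.
func Seal(key GroupKey, folder string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(folder)), nil
}

// Open decrypts a sealed file. It fails, without revealing anything, when the
// key is wrong (e.g. an admin trying a finance file), when the folder does not
// match, or when even one byte of the ciphertext has been altered.
func Open(key GroupKey, folder string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(folder))
	if err != nil {
		return nil, errors.New("decryption refused: wrong key, wrong folder or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample: two groups, only 'finance' owns the payroll key.
	finance, _ := NewGroupKey()
	itAdmin, _ := NewGroupKey()
	payroll := []byte("constructed sample: Q3 payroll export")

	sealed, err := Seal(finance, "/finance/payroll", payroll)
	if err != nil {
		panic(err)
	}
	// The admin has full-disk access to the bytes, but not the group key.
	_, adminErr := Open(itAdmin, "/finance/payroll", sealed)
	fmt.Println("admin attempt:", adminErr)

	// A finance member opens it normally.
	pt, err := Open(finance, "/finance/payroll", sealed)
	fmt.Printf("finance member: %q (err=%v)\n", pt, err)
}
```

The design point is that the key, not the disk, is the unit of trust: full-disk encryption decides who may boot the machine, while the per-folder key decides who may read a particular set of files, and the two can be held by different people.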
Ensuring Encryption Is on the Business Agenda
The reality is that for most companies dealing with government and other large organisations, encryption is a "tick in the box they must have." And it's likely that within 3-5 years encryption will be as prevalent as firewalls and antivirus, because if you want to be an approved supplier, you'll have to comply with the rules. That doesn't just mean large firms - it will also affect the smaller organisations who work for those big companies. We are seeing that already with the need for companies to comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires merchants (and their partners) to encrypt certain cardholder information.
Most US states now have laws that require merchants to announce when they have erroneously disclosed personal financial information that was not encrypted. Indeed, Visa and MasterCard can levy fines of up to $500,000 for breaches in which the merchant failed to implement security measures. In my experience, these fines are larger and generally occur more often in situations where the merchant failed to use encryption. So encryption should undoubtedly be on your business's agenda.
It is vital that companies give their staff encryption tools which are designed with the user in mind, to ensure that once deployed, staff are able to use the tools available without them hindering their productivity, and that the product selected can provide 360-degree protection for all data. After all, as Nationwide and TJX have proved, what price can you put on any loss to your company's reputation?