An accident waiting to happen
Jon Fielding discusses the need to manage information security at the data level and not simply at the network perimeter.
Jon Fielding, managing director, Apricorn
Today's employees increasingly demand flexibility in their working environment and expect to connect and communicate with the mothership irrespective of their location or the device they use. This creates a delicate balance for the business as it tries to accommodate its staff whilst maintaining control of corporate information and of access to it. As the workforce becomes more mobile, the threat to intellectual property has soared, because the data now sits outside the business's traditional, perimeter-based defences.
Those traditional defences are no longer enough to secure data on the move and, whilst most businesses recognise this and the need for data encryption, unsecured devices are still in use and are regularly lost or stolen, putting sensitive data at risk. According to a report by Bitglass, more than 25 percent of all “breach events” in the first half of 2016 were due to the loss or theft of devices and removable media, and that figure covers the financial services sector alone.
Whilst there are numerous attacks intent on bringing down infrastructure and intentionally targeting intellectual property, one of the biggest threats to businesses still remains the theft, loss and misuse of sensitive information on mobile devices.
Data breaches continue to make the headlines, with news of lost or stolen devices a regular occurrence. The ownership of data is often at issue, with employees unaware of their role and responsibility in protecting the bits and bytes they work with. Employees require adequate education, and the necessary policies should be created and enforced to avoid putting company data at risk, particularly when the data is taken beyond the network perimeter. For example, a corporation should select its encrypted USB drive of choice and then enforce a USB whitelisting policy so that only those approved devices can be used.
Once confidential data is leaked, deliberately or unwittingly, it not only causes lasting reputational damage but can also be a costly experience, made more so by the threat of hefty fines from the Information Commissioner's Office (ICO), and of heftier ones still once the General Data Protection Regulation (GDPR) applies from May 2018.
Under GDPR, EU citizens gain much more control over their personal data. Where consent is the basis for processing, organisations must obtain clear, informed consent for data collection, and they must tell individuals what information is collected and how it is used, processed and stored. Individuals can demand the erasure of their details and can request that their data be provided to them in a portable format for transfer to another controller.
The onus of GDPR on businesses is significant. They must have systems and processes in place to honour citizens' rights, and many will need to appoint a data protection officer. Non-compliance can come at a huge cost, with fines of up to €20 million or four percent of annual global turnover, whichever is higher.
Organisations should analyse the data they collect today and remove anything identified as unnecessary. They will also need to document exactly how data is processed, stored, retrieved and deleted through its lifecycle to pinpoint where data may be unprotected and/or at risk. This thorough analysis will then enable them to identify technologies, policies and processes that can remedy any shortcomings.
Businesses ought to think specifically about how data is protected outside their central systems, both on the move and at rest. If data is transferred outside the company or between systems, they need to research, identify and mandate a corporate-standard encrypted mobile storage device and enforce its use company-wide through policy, for example by locking down USB ports so that they accept only approved devices. The IT department should be able to pre-configure those devices to comply with the security policy (password strength, for instance) to facilitate fast rollout to a large number of users.
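The USB whitelisting policy mentioned above (approved encrypted drives only, ports locked down to everything else) is concrete enough to show in working form. The script below is an added example and is not code from the article or from Apricorn: it generates a Linux udev rule set that leaves every newly attached USB device unauthorised by default and re-authorises only devices whose vendor ID, product ID and serial number appear in an approved list. The vendor/product IDs and serial numbers in the sample list are constructed placeholders, not real products. Malformed entries are rejected and reported rather than silently dropped, so a typo in the approved list can never widen what is allowed.

```shell
#!/bin/sh
# usb_whitelist.sh: generate a udev rule set that enables only approved USB
# devices (default deny, then allow by vendor ID, product ID and serial).
# Added example, not from the article or from Apricorn. Install the output as
# /etc/udev/rules.d/90-usb-whitelist.rules and run
#   udevadm control --reload-rules && udevadm trigger
# (as root); devices already plugged in are re-evaluated on their next attach.

# Emit one allow rule for a single approved device. Returns 1 and prints
# nothing if any field is malformed, so bad input fails closed.
usb_rule_for() {
  vid=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # sysfs reports lowercase hex
  pid=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  serial=$3
  [ "${#vid}" -eq 4 ] && [ "${#pid}" -eq 4 ] || return 1
  case "$vid$pid" in *[!0-9a-f]*) return 1 ;; esac
  case "$serial" in ''|*[!0-9A-Za-z_-]*) return 1 ;; esac
  printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{serial}=="%s", ATTR{authorized}="1"\n' \
    "$vid" "$pid" "$serial"
}

# Read "vid:pid:serial" entries on stdin (one per line, '#' comments and blank
# lines allowed) and print a complete rules file on stdout. Rejected entries
# are reported on stderr and make the function return non-zero.
gen_usb_whitelist() {
  tmp=$(mktemp) || return 1
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' > "$tmp"
  status=0
  printf '# Generated USB whitelist: devices stay unauthorised unless listed below\n'
  # Root hubs are named usb1, usb2, ... ; authorized_default=0 tells the kernel
  # to enumerate new devices on that controller but not configure them until a
  # rule (or an administrator) writes 1 to the device's "authorized" attribute.
  printf 'ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"\n'
  while IFS= read -r entry; do
    case "$entry" in
      *:*:*:*) printf 'rejected entry (too many fields): %s\n' "$entry" >&2; status=1; continue ;;
      *:*:*) ;;
      *) printf 'rejected entry (expected vid:pid:serial): %s\n' "$entry" >&2; status=1; continue ;;
    esac
    vid=${entry%%:*}; rest=${entry#*:}; pid=${rest%%:*}; serial=${rest#*:}
    if ! usb_rule_for "$vid" "$pid" "$serial"; then
      printf 'rejected entry (bad vendor/product id or serial): %s\n' "$entry" >&2
      status=1
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $status
}

# Constructed sample approved list (hypothetical IDs and serials), one line per
# issued encrypted drive. In practice this comes from the asset register.
SAMPLE_APPROVED='
1234:5678:SN0001   # encrypted drive issued to user A (hypothetical)
1234:5678:SN0002   # encrypted drive issued to user B (hypothetical)
'

# Demo: print the rules generated from the sample list.
printf '%s\n' "$SAMPLE_APPROVED" | gen_usb_whitelist
```

Two caveats a practitioner should keep in mind. First, the vendor ID, product ID and serial are reported by the device's own firmware, so this rule set stops ordinary unapproved drives but not a device built to impersonate an approved one; it is a policy enforcement control that complements, and does not replace, hardware-encrypted drives and employee education. Second, `authorized_default=0` applies to every device on that controller, keyboards and mice included, so on machines that depend on USB input devices either add allow rules for them as well or scope the deny to mass-storage interfaces. Tools such as usbguard on Linux, and Group Policy device installation restrictions on Windows, implement the same allow-list idea with a more expressive policy language.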
The combination of employee education, data encryption, policy definition and enforcement, which includes the deployment of corporate approved devices, can all help reduce the risk inherent in a remote and mobile work force whilst addressing an important consideration in a move towards GDPR compliance.
Contributed by Jon Fielding, managing director, Apricorn