“That won't happen to us, 'cause it's always been a matter of trust.” This line from Billy Joel's 1986 hit single could easily describe the approach that many organisations have taken over the past five years to safeguarding the personal, confidential data that they hold.
With the numbers of data breaches reported increasing tenfold over the past five years, according to the Information Commissioner's Office, public trust in the ability of both private firms and Government organisations to safeguard personal information has fallen sharply.
In a December 2012 survey of over 2,000 members of the UK public, 50 per cent said their trust in Government and public sector bodies was diminished as a result of these ongoing breaches and losses of personal data, while 44 per cent said their trust in private companies was reduced. Naturally, we expect organisations to handle our personal data responsibly, and with care.
But a majority of us, as knowledge workers, don't always apply the same levels of diligence in our own working practices. The same survey found that 34 per cent of workers regularly forward material to personal email accounts so they can continue working away from the office; 40 per cent check work email regularly on personal phones, tablets or laptops; 33 per cent carry work-related data on unencrypted USB memory sticks; and 17 per cent use insecure cloud storage services such as Dropbox.
Furthermore, 25 per cent of workers said they take these actions even though their company's IT policy specifically forbids them, while a further 23 per cent weren't aware of what their company's policy stated.
Of course, in the vast majority of cases, there's no malicious intent by the employee – they are typically focused on being efficient and getting their jobs done, and no data is lost. But this has the unfortunate effect of reinforcing such risky actions and in today's business and regulatory climate, organisations can't afford to continue down this path, because of the risk of reputational damage, financial costs, and of course, loss of trust.
So how do organisations close that ‘trust gap', so that they can trust employees to handle data responsibly, and protect against simple human errors of misplacing a laptop, smartphone or device, or miskeying an email address? Also how do organisations prove to external parties that they can be trusted?
A two-stage solution is needed: one that educates users about their actions in real-time, and also enforces security without the user being able to affect it or turn it off. We will look first at how email data breaches can be curbed; then at how data in documents can be secured, irrespective of the medium or device on which the document is being sent or processed.
Traditional data loss prevention (DLP) solutions have tried to address the email issue, but with limited success. They usually take a long time to set up, with weeks of intensive ‘training' needed to help the solution accurately classify an organisation's sensitive data and files, and also demand close involvement and intervention of IT staff in either allowing or blocking users' emails.
A different approach is to involve individual employees in the security process. This not only boosts user awareness of appropriate email usage, but also makes DLP truly preventative, alerting the user before they can send an email that may cause a loss incident.
For example, an employee composes an email, addresses it and clicks ‘send'. The DLP solution should analyse the body of the email, complete with its attachments, and the intended recipient's address, against a set of pre-defined characteristics to identify potentially sensitive data.
This could include for example, certain key words in the email body text such as ‘financial', ‘report', ‘specifications', ‘confidential' and so on. Also, file attachments should be scrutinised. If the DLP solution detects a potential breach based on its analysis, it overrides the ‘send' instruction and shows the user a pop-up, informing them of the potential risk and asking how they wish to proceed.
The user then decides if they: a) want to send the email and its attachments as it stands; or b) correct the body text or remove the suspicious attachments. As well as creating a decision point for the user, encouraging them to review what they plan to send and to whom, the DLP solution keeps records of the user's actions, giving an audit trail for subsequent analysis. This increases user responsibility, and helps to correct any potential security issues before an incident happens.
Of course, email isn't the only vector for data leaks. Documents and other files easily become scattered across email inboxes (often replicated on smartphones, too), on laptops, in webmail or other cloud apps, and on removable storage. This multiplies the chances of an unsecured, sensitive document going astray, especially as encrypting an entire device is not always possible.
Traditional document security has meant password protection: but that offers almost no defence to freely-available online tools that are designed to crack file passwords. What's needed instead is a method of securing the file using strong encryption, together with a method for granting access to those files based on user permissions. This would enable documents in a variety of formats (Excel spreadsheets, Word, PowerPoint and Acrobat files, and others) to be created and secured, with different rights assigned to different users or groups of users. A basic default would be to ensure documents can only be read by authorised employees.
Users can then access or view documents when they have the relevant permissions, which are set by the author or organisation. For example, only HR or finance personnel may be able to access and edit certain documents, with their credentials being assured by the use of the correct client on their device, together with username and password. Documents could also be shared outside the organisation, with certain restrictions on usage, and viewed either in the cloud (after the user has accessed the cloud service using the relevant credentials) or with the use of a secure client on the user's PC or device.
This two-stage approach to managing data and preventing losses closes off the most common data breach vectors, while communicating and enforcing the organisation's security policy to employees by entrusting them with some responsibility over their actions. This also gives organisations an opportunity to reinforce their trustworthiness with stakeholders. After all, good business has always been a matter of trust.
Terry Greer-King is the UK managing director for Check Point