Following a year in which data loss and its prevention dominated the headlines, Stonewood CEO Chris McIntosh looks back at 2010 and argues that a new year should mean a new attitude.
In November 2010, a major security milestone was passed. The Information Commissioner's Office (ICO) imposed civil penalties on Hertfordshire County Council and A4e for a total amount of £160,000 in response to breaches of the Data Protection Act.
Whether this represents the ICO finally making much more use of its power to punish organisations financially, or whether these fines will remain a rare occurrence, remains to be seen. What is certain is that, in tandem with highly publicised fines by other bodies such as the FSA's £227,500 fining of Zurich Insurance for losing unsecured data in South Africa in 2009, these penalties are making organisations much more aware of the need to encrypt and protect data.
The true cost of such punishments does not necessarily come from the financial penalty in isolation (after all, A4e's fine of £60,000 was a pittance compared to its 2010 turnover of £190 million). Instead, it comes from the damage caused to organisations' reputations, as well as the risk of any follow-up litigation that could come from customers and workers affected by a data loss.
Beyond this, a data loss will also expose potentially critical parts of an organisation, such as personal details and business plans, to unwanted eyes, and the consequences could range from a simple fine to the destruction of a long-planned strategy. The need to protect data is clear; however, there are still a number of considerations an organisation must take into account.
Firstly, organisations must always strike a balance between making data accessible and making it safe. While data that is fully accessible will be wide open to theft or malicious use, on the opposite end of the spectrum the only way to make data truly secure is to prohibit any form of access whatsoever: a highly impractical solution for most information. Data encryption allows organisations to balance on the line between access and security, keeping data secure unless a user has the correct means of access.
Broadly speaking, encryption falls into two camps, software-based or hardware-based, and each has its own particular benefits. For example, software encryption has lower up-front costs than hardware and can be installed relatively easily.
However, software encryption is also more vulnerable to certain attacks, as it cannot be entirely isolated from the operating system. Similarly, if an attack is successful, software encryption will not always give any sign of the breach, whereas with hardware encryption the physical evidence of tampering tends to be easy to spot.
As hardware encryption's higher up-front cost is offset by the absence of ongoing support and licensing costs, the choice between software-based and hardware-based encryption becomes relatively simple. Essentially, do you choose immediate up-front value and the chance to tick the 'encryption' box on a security checklist, or watertight security and a lower long-term cost?
Regardless of which type of encryption an organisation chooses, it will want to ensure it has the most appropriate product for its needs. With encryption, it is important to look for a form of accreditation on the product: this shows that it has satisfied the rigorous demands of various professional and government bodies.
For example, Federal Information Processing Standard (FIPS) 140-2 accreditation covers four levels and is the highest level of accreditation available for corporate encryption products. If an organisation needs to secure more sensitive government data, then accreditations such as the UK Government's Communications-Electronics Security Group (CESG) grading come into play, showing whether or not an encryption product is equipped to deal with data all the way up to top-secret military and government documents.
As with any part of a security strategy, encryption accreditation should not be seen simply as a box to tick. All accreditations have levels, and organisations must choose carefully the level that is appropriate for their data: too low and the data will be at risk; too high and the organisation will be paying over the odds for unneeded capability.
For example, confidential data stored in an open, accessible environment will need a much higher level of accredited encryption than relatively harmless data in a secure vault. Organisations must choose carefully the exact product that is right for their particular data.
Even when encryption is fully accredited, carefully researched and put in place, organisations should never simply assume that data is secure. There is always the potential for human error and for unforeseen weaknesses to appear. The best security products on earth are no substitute for a firm, rigorously enforced security strategy that combines security technologies with well-thought-out, enforceable policies to ensure that data is protected at every point in its lifetime.
Whether stored on a server, laptop, CD or transmitted over the airwaves or internet, data must be as safe as possible. New threats to data are always emerging but by adopting encryption and other security strategies appropriately, organisations should never find themselves vulnerable to attack or information loss.