Cyber security: the carrot and the stick

Opinion by Joseph Souren

Cyber security is the latest business battleground and an international issue that's rarely out of the headlines, while cyber crime is an ever-present threat to companies.

Businesses are understandably concerned, and it's a threat that the Foreign Secretary, William Hague, has described as "alarming" and "a rapidly multiplying set of challenges".

But whilst it's clear that governments understand the issue, what are they actually doing about it and what does this mean for your organisation?

The stick

Governments are deploying both the carrot and the stick in their efforts to get to grips with the growing threat of cyber crime. Around the globe they are updating their data protection and compliance laws so that all organisations must not only protect data on their IT systems, but also prove that they have made the best efforts to do so.

Perhaps the most-publicised of these updates came in January when the EU announced its new data-protection regulations, a mandate that affects every company and organisation both inside the European Union and across the world.

When these regulations come into force, for the first time companies will need to show proof of compliance, and that means having in place an effective reporting process that demonstrates in detail the network security and data protection methods in action. This move to mandatory reporting and full compliance means that companies can now face substantial fines and other sanctions if data breaches occur, and they will have only 24 hours to act.

The problem is that most companies in the UK and Europe still rely on data-protection policies and technologies that are as dated as the EU's 16-year-old regulations. The point of the new policies is to drive companies to review and upgrade their security, compliance and reporting processes.

The carrot

Governments are also dangling a carrot by throwing their weight behind new technologies and security systems designed to tackle the ever-evolving threat of cyber crime.

One thing that's clear is that traditional software-based security is failing to assure the integrity and security of our IT infrastructure, and so a new solution is needed to meet the threats now facing systems.

Government support suggests that solution may involve moving inside the device to secure the very hardware itself, based on the in-built security provided by the Trusted Computing Group standards.

The base of Trusted Computing is the TPM hardware chip, a security solution that is already included in more than half a billion devices, and yet most companies aren't using it. TPMs are attached to a computer's motherboard and establish automatic and transparent authentication of known network devices and users, and because the TPM chip is physically part of the device, it's uniquely suited for creating and verifying strong device identities and ensuring only authorised access to networks.

It's perhaps no wonder then that the Trusted Computing open standards on which the TPM is based have gained the support of the US and UK governments. Indeed, the Information Commissioner's Office and the Cabinet Office have been actively promoting the benefits of Trusted Computing as a solution to the growing threats that British businesses face around data protection.

The Trusted Computing standards involve companies using the TPM as well as adopting self-encrypting drives as part of their enterprise-level protection. The benefits are trusted device interoperability on the network, substantially reduced costs of device management, clear control of data storage, and absolute control over hard-drive decommissioning, which is another major cost saving.

Trusted Computing is also essential as organisations move beyond the firewall. This device-based security solution offers unmatched protection, particularly for modern-day organisations where workforces and their devices are mobile and move beyond the safety of the firewall. It will also play a key role as organisations continue to move towards the cloud and prepare to face the unique security challenges that this evolution in IT infrastructure will present.

Organisations should consider adding device identity as an independently managed layer to help protect their data. 

Joseph Souren is general manager at Wave Systems EMEA
