The Zurich Insurance fine that was issued earlier this week has caused much debate on data loss and protection. Omar Hussain, CEO of Imprivata, looks at the issues created because of it.
Despite extensive legislation designed to safeguard sensitive information, data losses and unauthorised access to intellectual property are still worryingly commonplace. Consequently, organisations need to have more control and visibility over who is accessing data and where it is being stored.
Without this, not only do they risk losing critical information, but are also subject to substantial fines and damage to their reputations which can have a significant and lasting effect on customer relationships. To avoid loss and theft of sensitive data, businesses should therefore focus on a few key areas.
Start on the inside
When we think about IT saboteurs, the majority of people picture a professional cyber criminal or hacker bent on stealing highly confidential information or wreaking havoc with your business. In both cases, the perpetrator is usually an outsider who breaches the data network of a company with malicious intent, be it financial, political or otherwise.
To protect themselves from this threat, businesses have implemented layers of physical and IT security around the perimeter of their organisations. What they have overlooked in the process, however, is another equally critical threat, which according to Forrester Research is responsible for 70 per cent of all data theft – the insider attack.
Internal threats can come from malicious people who, at one time or another, were on the payroll of the organisation and know how to navigate its systems to reach critical data. Yet, just as often, trusted, well-meaning employees leave confidential data at risk because they are diligently conducting the business at hand and security is not top of mind.
We concluded long ago that the most effective way to protect data is to remove the responsibility of securing it from the users. In order to run successful businesses, our customers' users (doctors, police officers and lab technicians, for example) need to focus on their own accuracy and productivity, not on securing data.
Single sign-on (SSO) and strong authentication technologies, such as Imprivata OneSign, mitigate the risk of an insider breach by removing the password burden from users, protecting unattended desktops and monitoring user access.
As well as regulating access to data according to role, access management can also be location specific, which can help to secure the most sensitive data for remote working purposes. For example, a broker could access customer account information when inside the main office building yet only have restricted access to this highly sensitive information when accessing the corporate network from home.
Desktop virtualisation and thin client infrastructures can further serve to allow IT staff the ability to monitor and manage access based on location, meaning that those logging on remotely could be subject to access restrictions if required.
Furthermore, if devices have been lost or stolen, their access to the corporate infrastructure can simply be blocked at the server. All of this contributes to the overall data security of the organisation and reduces the possibility of data loss or, indeed, data theft.
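The role-plus-location policy described above (the broker who sees full account data in the office but only restricted data from home), combined with blocking a lost or stolen device at the server, can be expressed as a small default-deny decision function. This is an added illustration, not Imprivata's own code; the roles, classification levels, device identifiers and zone names are constructed for the example.

```python
"""Context-aware access decision: role, network zone and device revocation.

Added example (not the vendor's code). Policy tables and identifiers below
are constructed; a real deployment would load them from its access-management
system rather than hard-code them.
"""
from dataclasses import dataclass

# Data classification ranks: higher means more sensitive (constructed scale).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Highest classification a role may read from each network zone (constructed policy).
ROLE_ZONE_CEILING = {
    "broker": {"office": "restricted", "remote": "internal"},
    "analyst": {"office": "confidential", "remote": "internal"},
}

# Devices reported lost or stolen; blocked at the server regardless of who logs in.
REVOKED_DEVICES = {"LAPTOP-0042"}  # constructed identifier


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    zone: str            # "office" or "remote"
    device_id: str
    classification: str  # classification of the resource being requested


def decide(req: AccessRequest, audit: list) -> tuple:
    """Return (allowed, reason); every decision is appended to `audit` for monitoring."""
    if req.device_id in REVOKED_DEVICES:
        decision = (False, "device revoked")
    elif req.zone not in ROLE_ZONE_CEILING.get(req.role, {}):
        decision = (False, "no policy for role/zone")   # default deny, not default allow
    elif req.classification not in CLASSIFICATION_RANK:
        decision = (False, "unknown classification")    # unlabelled data is treated as sensitive
    else:
        ceiling = ROLE_ZONE_CEILING[req.role][req.zone]
        if CLASSIFICATION_RANK[req.classification] <= CLASSIFICATION_RANK[ceiling]:
            decision = (True, f"within {req.zone} ceiling ({ceiling})")
        else:
            decision = (False, f"exceeds {req.zone} ceiling ({ceiling})")
    audit.append({"user": req.user, "zone": req.zone, "device": req.device_id,
                  "classification": req.classification, "allowed": decision[0],
                  "reason": decision[1]})
    return decision


if __name__ == "__main__":
    log = []
    for r in (AccessRequest("alice", "broker", "office", "LAPTOP-0001", "restricted"),
              AccessRequest("alice", "broker", "remote", "LAPTOP-0001", "restricted"),
              AccessRequest("alice", "broker", "office", "LAPTOP-0042", "public")):
        print(r.zone, r.device_id, decide(r, log))
```

The audit list is the hook for the access-monitoring side of the approach: the denied remote request and the revoked device both leave a record even though no data was released.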
Mobile devices and virtualised environments
Organisations that attempt to implement data loss prevention (DLP) strategies may find it impossible to secure the data without it being a tremendous burden on both the user and the IT organisation. Encryption and repeated log-in and log-out processes are commonly used in DLP schemes, which can be problematic when encryption keys are lost and users are locked out.
In addition to this, controlling and preventing users from downloading data to USB or SD memory devices has been notoriously difficult. A single quarter-sized SD card holds 16GB of critical IP, which could be anything from financial data to customer details to staff HR data. This is a huge amount of sensitive information that a user could simply download and take out of the building.
VDI environments offer a solution to these problems. By centralising desktop and application data, significant time and money can be saved on purchasing, managing and upgrading individual endpoints at the desktop level. The inadvertent loss of data through downloads can also be eliminated: in a thin client infrastructure, for example, IT managers can control which devices can be used, USB ports can be shut down and printers deactivated to further restrict potential breach points.
All of this can be done from the server, with no opportunity for the end user to override the policy. With access management remaining an important issue in thin client environments, technologies such as SSO and strong authentication can also be used to help IT managers maximise the flexibility of thin client computing whilst ensuring the right levels of security are achieved.
If it's too late
Despite the preventative methods that can be used to lock down and secure sensitive information, data losses do sometimes occur. It is often the case that the organisation is unaware of the loss until the information itself is misused, which can lead to serious ramifications.
Technologies are now available that empower businesses in this position by allowing them to gain control over their data privacy exposure and quickly align with country and regional legislation. By taking responsibility for security, businesses can therefore mitigate damage by proactively notifying customers, regulatory bodies and other affected parties of any data loss.