In our recent Data on the Move survey, conducted in association with Egress, respondents were asked how they share and send information and about the security practices surrounding it.
Following coverage of the survey in the July/August issue of SC Magazine, I caught up with Egress CEO Tony Pepper to discuss the findings. He pointed to the statistic that 74.5 per cent of the 160 respondents had received a ‘recall’ message, while 92.6 per cent said that the ability to prevent an email recipient forwarding on an email was important.
Pepper said that with encryption, a message could be ‘recalled’ as the key can be revoked to prevent it from being opened. “Security is a barrier to business, and this is an issue to address but business is not using security, as it is seen as being too difficult,” he said.
“It should be about ease of use. As soon as it becomes difficult, security is overlooked but as soon as it becomes difficult, people will not use it.”
Quentyn Taylor, director of information security at Canon Europe, said that a recall message would only be possible if users were on the same exchange server, but generally it would be a beneficial factor.
He said: “I would have thought it would be closer to 100 per cent, but if only 74.5 per cent have received it, it is a matter of education, as one email can be sent to the wrong person. You don't have the ability to stop a message, as once it has left the building, unless you have a legal or contractual relationship with the recipient, you have no recourse.”
The survey also found that 94.5 per cent of recipients said that security is overlooked because it is too complicated for the sender and recipient. Taylor said that the issue is that there is a need to share confidential information, but the need to do it at speed is overridden by the confidentiality factor.
He said: “If you don't need to share it, then do not. Data breaches are unusual and are not what normally happens, so users should see it that if you do not use it then it will not happen, but if it is shared in this way it will.
“People will make decisions and not a risk assessment.”
Speaking to SC Magazine, security consultant Nik Barron said that there is a growing problem with the uncontrolled use of third party ‘big file move’ sites, but often there is not a corporate standard in place for this, or staff are simply not aware of the option.
He said: “We've had the same issue internally, and it's a real pain to try to educate people as they often don't consider the data sensitive (the old ‘no one would be interested in this’ defence), or use a third party service in an unsafe manner (no HTTPS, poor password security etc.).
“In most cases end-users just want to get the job done, and will use whatever they have to hand.”
In its findings, the survey also discovered that FTP was used by 50 per cent of respondents. Barron said that FTP is a lower risk as it is easier to firewall, but the real problem is the plethora of web-based file transfer sites.
Taylor said that this is the “consumerisation of FTP”, as much as it is “bring your own file transfer protocol” or “bring your own Software-as-a-Service”. He said: “I think [there are] reasons employees use such technologies to get data around, but a lot is down to education and awareness of users to make sure they are aware and know to ask how to do that. Also, IT teams need to work with their staff, as they don't like to be the people who say no.”
Jonathan Armstrong, lawyer at Duane Morris LLP, said that there is often a ‘historical’ view of encryption technology. “I remember in the late 1990s, going to a preview on how encryption works and it was very complicated, it was written by techie people for techie people but as the mass market has become involved, it has become more user-friendly,” he said.
“It is designed to be very simple and, as the Data Protection Act obliges you to use the best technology available, I would suspect many businesses never look at other technologies to see if it does a better job than what is currently used. Most organisations have got to do a fresh review and come to the conclusion that email encryption is essential.”
Reflecting on the results, Pepper said: “We continually help organisations that are struggling to tackle the challenge of sharing information securely with third parties. Operating in a market defined by compliance, yet driven by convenience, security solutions need to be simple to use and designed to improve working practices.
“While they continue to add complexity and unnecessary process, users will invariably avoid using them and instead opt for convenient methods such as unsecured email and consumer file sharing websites. This dramatically increases the likelihood of data loss, potential fines and damaged reputations.
“Through our work with SC Magazine to produce and deliver this survey we have been shocked by the sheer scale of the issue across multiple industry sectors. The fact that 40 per cent of senders do not know what is happening to the information after it has been sent is a real concern both for the organisations responsible for that information and for the people whose data and security has been potentially breached.
“We find organisations are crying out for help and guidance, not only when selecting the right security technology but also when educating their staff and end-users about when and how to send information securely.”
The fact is, if something is too complicated then staff will find a way around it that makes it easier for them to get things done. That workaround is not necessarily insecure, but you wouldn't want to be one of those receiving a call to be informed of the bad news.
Technologies exist to prevent the issues detailed in this survey, but if you teach your staff the right way to do things, chances are they will learn and your risk management will have included the most vulnerable factor – people.