How to nail down your risk and compliance strategy for the cloud

This article was originally published on Technology.Info.

Email is a ubiquitous communication resource for businesses today. Used to perform essential business functions, organisations rely on email to send sensitive information within and outside the organisation. Yet the prevalence of email as a business tool also makes it vulnerable to exploitation and data loss. In fact, email accounts for 35 per cent of all data loss incidents among enterprises, according to a recent industry study.

The Ponemon Institute said data breaches cost companies an average of $194 (£119) per compromised record, of which $135 (£83) is indirect cost, including abnormal turnover of existing and future customers.

[Figure: 2011 Ponemon Institute Cost of Data Breach Study]

Do:

  • Educate employees - Many employees are unaware of the threats that are out there, so take the time to teach them about those threats. Train them on how to avoid “risky behaviours” in their email and web browsing habits.
  • Limit threat exposure - It is perhaps online behaviour that bears the most scrutiny, and mitigating the risk through a reliable email and web filtering solution is essential. One popular means of infection is email, whether through an infected attachment, embedded scripts or a link directly to malware. A quality email filter can prevent such threats from ever reaching users. Likewise, a reliable web filter can block malicious web pages when an unknowing victim attempts to access them; many of these infections lie in wait on trusted websites that would ordinarily be harmless.
  • Control physical access to your network - Protect yourself from unauthorised users on your internal network, especially off-site, where company laptops can become enticing targets.

Don’t:

  • Ignore your disaster recovery plan. For the busy network administrator, updating a disaster recovery plan may seem like a waste of time – until you need it. A comprehensive backup plan should include: issue detection, notification of affected personnel, plans to isolate affected systems, and a list of actions necessary to repair the damage and restore productivity.
  • Put off upgrades. If upgrading all systems in your organisation at one time is not feasible, do the upgrade in stages and concentrate on the most exposed systems first.
  • Allow employees full access to the company network. Employees should only have access to information required to perform their jobs. The authority to install software should also be limited to the network administrator.

Business leaders and IT leaders should work together to determine what type of plan is necessary for their organisation and which system(s) and business units are most crucial to the company.
Sound planning now will pay large dividends later.
Email security
Given the growing volume of sensitive information crossing networks daily, regulatory bodies have turned their attention to ensuring that messages are protected from unauthorised viewing. Regulations have been introduced to mandate that email messages containing confidential data are handled securely.
The following list includes just some of the requirements that are driving encryption adoption in the UK and around the world.

  • EU Data Protection Directive (also known as Directive 95/46/EC)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Health Insurance Portability And Accountability Act (HIPAA)
  • Sarbanes-Oxley Act (SOX)
  • Gramm-Leach-Bliley Act (GLBA)

The consequences of violating these and other industry encryption requirements can include fines, incarceration, public embarrassment, loss of business privileges and customer/stakeholder trust. Of greater concern, however, is the potential loss of personal or private business information.
The solution
Data that is effectively encrypted is unusable to the party who recovers it as long as they lack the proper decryption keys and means to decrypt. Many data breaches could have turned into non-incidents if the data had simply been encrypted.
End-to-end encryption solutions ensure the uninterrupted protection of transmitted data by encoding it at its starting point and decoding it at its destination. Look for vendors that offer encryption solutions that wrap around any existing email infrastructure or application so that your organisation does not have to replace existing technology, including email addresses or email programs. Also look for solutions that provide certified email delivery and tracking slips so that authorised individuals may see multiple characteristics about any given message, such as who sent it, who received it and how it was handled, including deletions, forwards and attachment downloads that are time stamped with corresponding IP addresses.
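As an added illustration of the tracking-slip idea (this is example code, not the article's or AppRiver's product), the handling events for one message are chained under an HMAC so an authorised reviewer can tell whether the record of sends, forwards, downloads and deletions has been edited or trimmed. The audit key, message id, addresses, timestamps and IP addresses are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed sample key held only by the audit service (placeholder, not a real secret)
AUDIT_KEY = b"example-audit-key-replace-in-deployment"

def _chain_mac(prev_mac: str, entry: dict) -> str:
    """MAC over the previous entry's MAC plus this entry, so editing, reordering
    or dropping an entry invalidates every MAC after it."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

class TrackingSlip:
    """Append-only handling record for one message: who did what, when, from where."""
    def __init__(self, message_id: str):
        self.message_id = message_id
        self.entries = []   # event dicts as recorded
        self.macs = []      # one chained MAC per entry

    def record(self, event: str, actor: str, ip: str, ts: str) -> None:
        entry = {"msg": self.message_id, "event": event, "actor": actor, "ip": ip, "ts": ts}
        prev = self.macs[-1] if self.macs else "genesis:" + self.message_id
        self.entries.append(entry)
        self.macs.append(_chain_mac(prev, entry))

    def verify(self) -> tuple:
        """Return (True, -1) if the slip is intact, else (False, index of first bad entry)."""
        prev = "genesis:" + self.message_id
        for i, (entry, mac) in enumerate(zip(self.entries, self.macs)):
            if not hmac.compare_digest(_chain_mac(prev, entry), mac):
                return (False, i)
            prev = mac
        return (True, -1)

def build_sample_slip() -> TrackingSlip:
    """Constructed sample covering the event types the article lists; IPs are RFC 5737 documentation addresses."""
    slip = TrackingSlip("msg-0001")
    slip.record("sent", "alice@example.com", "192.0.2.10", "2012-03-01T09:00:00Z")
    slip.record("received", "bob@example.org", "198.51.100.7", "2012-03-01T09:00:04Z")
    slip.record("attachment_download", "bob@example.org", "198.51.100.7", "2012-03-01T09:02:11Z")
    slip.record("forwarded", "bob@example.org", "198.51.100.7", "2012-03-01T09:05:30Z")
    slip.record("deleted", "bob@example.org", "198.51.100.7", "2012-03-02T17:45:00Z")
    return slip

if __name__ == "__main__":
    slip = build_sample_slip()
    print("intact:", slip.verify())
    slip.entries[2]["ip"] = "203.0.113.99"   # the download record is rewritten after the fact
    print("after tampering:", slip.verify())
```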
In the past, we protected our businesses by locking our doors and keeping our important papers in a safe deposit box. Today’s interconnected world means that businesses have to apply that same level of commitment to protecting data and safeguarding the information entrusted to them.
Fred Touchette, CCNA, GSEC, GREM, GPEN, Security+, is a senior security analyst for AppRiver.
