Every month another story hits the headlines of a household name that has lost customer data. Incidents of this type can cost millions to put right, not just in remediating the IT systems, but in revenue lost through damaged reputation and, potentially, punitive fines.
When the new EU General Data Protection Regulation (GDPR) comes into force, expected during 2017, fines for non-compliance could be 5 per cent of global turnover. This is a significant sum for any size of organisation and deserves serious consideration.
Lost or compromised data costs
The causes of data breaches are many and varied, but the majority are a result of either malicious attack or human error. Recent research into the root causes of data breach found that 47 per cent involved a malicious or criminal attack, and 25 per cent involved a negligent employee or contractor.
The losses arising typically fell into three categories:
- The value of the data stored on the device itself
- The increased risk of a targeted attack on the company’s people and systems
- Fines levied by regulatory authorities, particularly if the breach involved personal information.
How organisations fail to protect data
Many companies lack policies for governing how data is managed and protected, especially on portable devices. This is often accompanied by limited awareness among employees about the implications of their actions and what they can do to reduce risk.
Businesses fail to adequately protect data stored on desktops, laptops and portable media, often due to some common misconceptions.
- Just because a user needs to enter a password to log onto their Windows domain doesn’t mean that the data is protected. The logon password controls access to the Windows session, not to the bytes on the disk, so anyone with physical access to an unencrypted drive could still easily access the data.
- Many companies install Endpoint Protection products to protect devices from malware and targeted attacks, assuming that this will protect the data. It doesn’t.
- Even with full disk encryption, if data can be copied on to an unencrypted portable device (such as USB devices or smartphones), then the data is still at risk.
However, if security is too complex or restrictive and impacts people’s ability to do their work, they will simply find a workaround, leaving the company in an even worse position: falsely believing that its data is secure.
Cabinet Office supports flexible working with encryption
The Cabinet Office, the government department that supports both the Prime Minister and Deputy Prime Minister and ensures the effective running of government, faced a problem familiar to many commercial organisations: it needed a security solution to protect data held on laptops. The challenge was maintaining a high level of security while improving the user experience. Previously it had used two-factor authentication, which resulted in lengthy login times, and lost tokens caused disruption to both users and managers.
By installing a solution that provides strong encryption, is transparent to the user and does not require two-factor authentication, the department has significantly improved login times for users and removed the disruption caused by lost tokens. Because the solution is managed centrally, the IT department can provision devices quickly and easily, reducing waiting time for staff and dramatically reducing the cost of ownership.
The adoption of more flexible and mobile ways of working is a key enabler for Cabinet Office staff, and good data security is a key component of this. Productivity is maintained, while laptops are managed and controlled centrally, saving time, resources and protecting valuable data.
In a world where cyber attacks are on the increase, at least if the worst happens and a device is stolen, properly encrypted data is worthless to the criminal, provided the encryption keys have not been compromised along with it.
Five Practical Steps
1. Protect your data
Implementing effective security measures begins with understanding what data you have, where it is stored and how it is shared. More breaches occur from data being copied onto removable media and devices, rather than lost or stolen laptops. Protect your data by ensuring that any data that is copied to a peripheral device is fully encrypted.
2. Don’t rely on single layers of security
Multiple layers of protection reduce your vulnerability to malicious or accidental breaches. For example, as well as requiring user authentication via password, you could implement technology on your devices that prevents the hard disk from being decrypted if it is removed from the device.
3. Reduce complexity where possible
The more convoluted your security procedures for users, the greater the likelihood of breaches as a result of their actions. Enabling single sign-on to any device limits the impact on your users and reduces your risks.
4. Security is key – but the business still needs to operate
If your security policies and technologies prevent people doing their jobs, they’ll inevitably find a way to bypass those controls. When implementing technology solutions, check that they’re flexible enough to meet the needs of your business and your users.
5. Ensure you have effective management control
Having the right technology on your endpoints is of limited value if you can’t easily manage that technology and you don’t have visibility of what users are doing on their devices. Ensure you have the tools to monitor and report on which devices have been encrypted and what data users are copying to removable media.
If you can’t prove to regulators that you’ve taken all reasonable measures to protect your data, you’re more liable to receive a substantial penalty.
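The monitoring and reporting described in steps 1 and 5 can be started with a simple read-only check on each Windows endpoint. The following PowerShell script is an added example written for this article and is not code from the original page or from any vendor product; it assumes the built-in BitLocker module is available, that the shell is elevated, and that the organisation enforces the "Deny write access to removable drives not protected by BitLocker" policy (registry value assumed below).

```powershell
# Added example (not from the original article): report which volumes on this
# endpoint are fully encrypted with BitLocker and whether writing to unencrypted
# removable drives is blocked by policy. Read-only; nothing is changed.

# Policy location for "Deny write access to removable drives not protected by
# BitLocker" (assumed to be the setting the organisation enforces).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyName = 'RDVDenyWriteAccess'

function Get-EncryptionReport {
    # One row per volume BitLocker knows about (removable drives appear only while plugged in).
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $_.ProtectionStatus    # On or Off
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            PercentEncrypted = $_.EncryptionPercentage
            Compliant        = ($_.ProtectionStatus -eq 'On' -and $_.VolumeStatus -eq 'FullyEncrypted')
        }
    }

    # Policy value 1 means unencrypted removable drives are read-only on this machine.
    $denyWrite = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        Volumes               = $volumes
        RemovableWriteBlocked = ($denyWrite -eq 1)
        AllVolumesCompliant   = -not ($volumes | Where-Object { -not $_.Compliant })
    }
}

$report = Get-EncryptionReport
$report.Volumes | Format-Table -AutoSize

if (-not $report.RemovableWriteBlocked) {
    Write-Warning 'Policy does not block writes to unencrypted removable drives.'
}

# Per-machine summary suitable for collection by a central reporting tool.
$report | Select-Object ComputerName, RemovableWriteBlocked, AllVolumesCompliant |
    Export-Csv -Path ".\$($env:COMPUTERNAME)-bitlocker.csv" -NoTypeInformation
```

Collecting the CSV from every endpoint gives the evidence of "reasonable measures" that step 5 says regulators will ask for.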