Greg Day, EMEA McAfee: European Businesses need to take responsibility for the security of their data, and protect themselves against both internal and external threats
March 2008 by Greg Day, EMEA Security Analyst, McAfee
In the last year the issues around data loss and security have rapidly moved into the public arena. In a world where mistakes can have a significant impact on both individuals and businesses and where data is exchanged, bartered and even stolen at an alarming rate, it’s no surprise that security of personal information has become a top feature on the public agenda.
The Data Protection Act was introduced in 1998 to provide businesses with a set of guidelines to ensure that data is handled safely and securely. Covering everything from data processing to security, the Data Protection Act is extremely far-reaching and has been interpreted and implemented in a variety of different ways by each country within the EU.
Given this wide scope and varied implementation it has become a near impossible task for regulatory bodies, such as the Information Commission in the UK, to track how businesses are handling their data. In order to rectify this situation a stronger onus has to be placed on businesses themselves to monitor, evaluate and assess their own data management and security.
Most organisations strive to make certain that they are compliant with legal policies which ensure the safe handling of sensitive information, yet many fail to take into account the threat resulting from their own employees’ practices, whether that be malicious or simply human error.
So, while companies should, at the very least, employ a basic risk management strategy and implement policies and technology to safeguard data from external attack, the harsh reality is that corporate data can easily end up in the wrong hands due to employee error or malpractice. Therefore, protecting against external threats alone, or even prioritising them over the threat from within, simply isn’t enough.
The reality of data loss
The impact of data loss caused by employee error is apparent across Europe, causing huge public outcry and often with enormous political and social implications.
A recent high-profile case was the Ferrari espionage scandal in September 2007. The Formula 1 industry was taken aback when the World Motor Sports Council (WMSC) fined Mercedes McLaren $100 million for using stolen information about Ferrari’s F1 cars to build their own. It eventually transpired that Mercedes McLaren’s chief designer had received technical information about Ferrari’s cars from a member of the Ferrari team.
In the UK, data loss has been a cause for significant public unease over the last two years, with the surfacing of a series of large-scale data security disasters caused by human error. In 2006, high street clothes retailer TK Maxx lost credit card details belonging to thousands of its customers, sparking huge public concern in the UK about the safety of personal and financial data. In 2007 the issue of data loss was again brought to the nation’s attention when a junior official in the British Government department responsible for collecting taxes, HM Revenue and Customs, lost a CD containing unencrypted personal data about thousands of Britons. This particular incident resulted in a huge public enquiry into the safety of the nation’s data.
Last year in the Netherlands, an official in the Dutch Foreign Ministry lost a USB stick containing secret entrance codes to the home of a Dutch diplomat and the names of all the guards who had accompanied the Prime Minister on a recent trip to Poland. This caused a massive public outcry and jeopardised the safety of other officials.
With incidents like this it’s no wonder that the public are becoming more concerned about how businesses and even governments are protecting their data.
For companies, the impact of data loss can be extremely serious. A company’s business and brand reputation can be severely damaged, and it can even lead to legal action if the business is in breach of regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX).
In 2007, Ernst & Young and Nationwide both suffered reputational damage when the social security numbers, names and addresses of thousands of employees and customers were left open to identity fraud after unencrypted laptops were stolen from the homes and cars of the workforce.
In February 2007, McAfee undertook research (The Inside Threat: A data loss disaster) within the European business community which found that investments in solutions to protect corporate data from external threats and hacking are being undermined by the failure of businesses to fully communicate company security policies and by lax employee behaviour. In fact, the research for the report showed that 37% of European businesses do not have a set policy for handling sensitive documents and, in cases where policies do exist, 24% of employees don’t know what they are. The very traditional idea that threats facing enterprises originate from the outside has resulted in many European businesses failing to look at their security strategy in reverse. Like it or not, today’s workforce is, sometimes unknowingly, posing an ever more serious security threat to corporations. This is a threat that has the potential to damage not only the brand and reputation of an organisation but possibly even the business itself.
The problem with the law
The main problem with the current EU law on data protection is the sheer enormity and breadth of the legislation. The complicated nature of data protection law and the lack of resources put into monitoring compliance by governments have resulted in a relative quagmire of software and processes which are largely left unchecked and unregulated.
But what can businesses do to prevent potentially disastrous data loss? EU law currently penalises companies for not complying with a host of different rules and regulations – but who is monitoring it? And how can data loss be prevented?
Businesses need to take it upon themselves not only to establish their own processes, but also to monitor and fine-tune them once they are in place. Whether this is done by creating a role within the company which has specific responsibility for data security or with the assistance of an independent body, it should be something that the law enforces.
In the US, state law is written around protecting the individual consumer, adding yet another layer of confusion for European businesses looking to trade with American customers. For example, the State of California enacted legislation in 2002 that requires state agencies or businesses that own or license computer data with personal information to disclose to California residents when the security of the data has been compromised, including notice on the agency or business website.
Given that no equivalent of this law exists in Europe, European businesses holding personal information about Californian customers are required to announce any compromised data in California, but not necessarily in their country of origin. This of course leaves the European business in a state of confusion, and unfortunately, there is currently no easy answer to this complicated dilemma.
How can businesses protect themselves?
To protect the company data, brand and reputation from the damage of data loss, the best solution lies in a combination of employee education and a smart investment in a comprehensive security risk management solution.
Security Risk Management (SRM) is an approach that integrates threat protection with compliance. The technology component of a comprehensive SRM approach must include threat prevention capabilities such as anti-virus, intrusion prevention and anti-spyware, integrated with compliance management capabilities such as policy enforcement, vulnerability remediation, network access control and audit capabilities.
While most Data Loss Prevention (DLP) solutions (gateway-based solutions) prevent the unauthorised transfer of sensitive data via e-mail and the Internet, these solutions don’t monitor desktop activities. Organisations must deploy a host-based DLP solution that controls the insider threat from both vantage points. The solution must offer universal protection, even for USB drives and laptops, to improve oversight of endpoint activities.
Another key requirement is content-aware control, to prevent losses by monitoring how data is accessed, created and manipulated. Even data that is copied, pasted, compressed, or encrypted must be protected – without interrupting everyday business activities.
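The content-aware control described above, as an added illustration that is not McAfee's code or any product's: the scanner opens zip archives rather than trusting file names, matches card numbers with a Luhn check so random digit runs are not flagged, masks what it finds, and treats password-protected entries and high-entropy (encrypted-looking) data as content it cannot inspect, which policy then holds for review instead of silently allowing. The sample CSV, the zip wrapper and the pseudo-random blob are constructed inputs; the 7.5 bits-per-byte threshold and the block/hold/allow policy are assumptions.

```python
import hashlib, io, math, re, zipfile
from collections import Counter

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")
ENTROPY_LIMIT = 7.5  # bits per byte (assumed); ciphertext sits near 8.0 and cannot be inspected

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect(data: bytes, name: str = "<root>", depth: int = 0, findings=None) -> dict:
    """Content-aware scan: looks inside zip archives, masks card-number hits, flags opaque content."""
    findings = findings if findings is not None else {"pans": [], "opaque": []}
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    inspect(zf.read(info), f"{name}/{info.filename}", depth + 1, findings)
                except RuntimeError:  # zipfile raises this for password-protected entries
                    findings["opaque"].append(f"{name}/{info.filename}")
        return findings
    if entropy(data) > ENTROPY_LIMIT:  # encrypted or packed: the scanner cannot see inside
        findings["opaque"].append(name)
        return findings
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            findings["pans"].append((name, "*" * (len(digits) - 4) + digits[-4:]))
    return findings

def decide(findings: dict) -> str:
    """Assumed policy: block confirmed card data, hold uninspectable content for review, else allow."""
    return "block" if findings["pans"] else "hold" if findings["opaque"] else "allow"

def build_samples() -> dict:
    """Constructed inputs: a CSV zipped like an e-mail attachment, and a stand-in ciphertext blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "name,card\nA. Smith,4111 1111 1111 1111\nB. Jones,1234 5678 9012 3456\n")
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # deterministic, not random
    return {"archive": buf.getvalue(), "cipher": blob}
```

The second CSV row fails the Luhn check and is not reported, so the archive is blocked on one masked hit while the blob is held because nothing inside it can be read.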
The upshot is that businesses need to do what the law does not – take responsibility for monitoring, evaluating and updating their security solutions to take into account employee behaviour as well as external threats. Only through accepting that they must enforce this themselves can businesses ever become truly compliant with regulations and ensure that their data is as secure as it can be.