Sacha Chahrvin, DeviceLock: The end of the line for security…
March 2009 by Sacha Chahrvin, Managing Director DeviceLock
Journalists love to write about IT security breaches and scares, even though they have been happening for a while. Virus attacks, lost laptops, hackers or individuals having their bank accounts emptied will always make the news. The example of the TK Maxx security breach, where hackers compromised the payment card details of over 45 million customers over a 16–month period, has refocused attention on the importance of data protection.
But it’s much rarer that malicious employees and the havoc they can cause makes it into the papers. Admittedly, the press do report on county councils losing laptops containing confidential employee information. But it is unusual that the public hears of security breaches that are deliberate insider attacks.
But that certainly shouldn’t make anyone think that it doesn’t happen. With the proliferation of high-speed CD drives and USB ports Wi-Fi and Bluetooth, there are many ways for a disgruntled employee to steal or replicate private company information. And with USB drives of 4GB costing less than £30 , iPods that go up to 80GB and even larger external hard drives not much bigger than a pack of playing cards, it is very easy for a user to leave the office with the organisation’s entire customer database or its future product development plans in their pocket.
When key employees are about to leave an organisation they are frequently put on ‘gardening leave’ as soon as it is agreed they are going, so that they have no further access to corporate systems. But can you find out what they accessed the previous day? Or what they might have copied onto their digital camera memory card or MP3 player just last week?
These are deliberate attacks with malicious intent. But they’re not the only thing that companies should worry about. I wonder how many sales executives have copied product details or customer information onto a USB memory stick so they can access it while travelling between client organisations? Mobile working at its best – until the device gets lost.
Many organisations now realise that they need to control any user device that connects to the network, as part of their wider endpoint security policy. Indeed some companies have gone as far as disabling all ports and devices that allow users to copy data from the network. But this universal blocking of users isn’t necessarily the most effective ongoing solution for the business, despite the additional security it provider.
Treading the fine line between security and system usability will probably always be a problem for IT security managers. It is possible to build a secure database that can never be hacked or breached. But it would probably be isolated in a bunker underground with 24-hour armed guard and no connection to the outside world.
Undoubtedly this is a good solution for the security team, but that doesn’t ring true for the employees who need to view and update the data it contains on an ongoing basis. However, as soon as you open a system for legitimate users and allow them access, there is the potential for a security breach.
However, USB sticks and CD drives have not grown in popularity because they make data theft easier, but for the real difference they can make to people conducting their daily business. Information is the company’s life blood, and people need to access and move it around, copy it or take it out of the office as part of their job. Simply removing that option isn’t a realistic solution.
Organisations must start to take a proactive, flexible approach to endpoint security. This includes both the tools necessary to manage the system and the policies and employee training required to make it work. The IT security team should be able to add and remove layers of security as required by users so that they can do their jobs effectively, without making systems vulnerable. And employees need to be aware of the risks of corporate data theft and ensure that they act as the eyes and ears of the organisation, flagging up potential problems before they become reality.
If a company’s people and information are its two most valuable assets, the organisation needs to find a way of working with both so that they deliver the maximum possible value.