Tag: data loss
Auntie Beeb gets forgetful in old age
by Rupert Beeby on Aug.10, 2010, under Industry News, data security, data security trends
Listening to the local radio this morning I heard the story that the BBC has been forgetful with its laptops and mobile phones. Apparently, as reported by the Guardian and various other sites following a Freedom of Information request, the BBC has misplaced 146 laptops, 65 mobile phones and 17 BlackBerry devices over two years. It is unknown whether these devices were lost or stolen, but the main complaint seems to be the cost, to the tune of about £240,000. Although about 10% has been recovered, this should not be the primary concern.
The primary worry should be the data on those laptops. If we assume that they contained 250 GB disks and that on average each disk was 50% full, then that means over 18 TB of data in total, not including the mobile phones and BlackBerrys. I accept that a lot of the data is applications and internet-related stuff, but the implication is there. There is no indication whether the data was encrypted or whether any of the data was personal or in any way potentially damaging to the organisations or employees. Perhaps a further FOI request should be made to clarify.
If the BBC is capable of losing this amount of information, then consider all the organisations of similar size losing similar amounts of information to understand the scale of loss.
The case for DLP is clear. Keep those comments coming!!
Economic cuts threaten information security
by Rupert Beeby on Jul.30, 2010, under Endpoint Software Packages, Industry News, data security, security policies
First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people, who are usually the largest cost item. Sadly, redundancy is now a major occurrence in a working life. I know of many capable, intelligent and hard-working people who have been made redundant two or three times in their lives, sometimes more. It is increasingly a tool of organisations to quickly get rid of people. In general, redundancy is never executed against the legal guidelines, which results in court cases and compromise agreements.
So what has all this to do with information security? The removal of staff from an organisation is currently the biggest threat to an organisation's information. Redundancy, or whatever method is used, can result in animosity, resentment and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to employees and most follow the rules. However, sales of DLP software have been rising and the most cited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.
The threat is real and active, and who knows how much critical information has been taken by upset and revengeful employees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.
Security lapses highlight need for mobile data encryption
by Sion Camilleri on May.05, 2009, under data security, security policies
Computing reports that, despite yet more data losses, more organisations are waking up to the need to encrypt mobile devices. How many times do significant data losses have to occur before both private- and public-sector organisations face up to the fact that encryption, whether applied to laptops, USB memory devices, or other mobile devices, is the only sure-fire way of stopping personal and business-critical data from going astray? Recently, four NHS trusts have been found in breach of the Data Protection Act (DPA) by the Information Commissioner’s Office (ICO), and all of them have agreed in future to encrypt all portable and mobile data on devices.
Data Encryption By UK Businesses Shows Slow Growth
by admin on Mar.20, 2009, under data security trends
SC magazine reports on a survey by Checkpoint regarding the growth and implementation of encryption technologies among UK businesses.
The results showed a small growth of just one percent since November 2007. Just under half of the survey participants said that they had implemented encryption, and the rest were without any level of data encryption.
Given the high-profile data losses at public organisations over this period, data security seems to be a lower priority, perhaps when compared with the current financial and market issues facing many businesses.
Equally, the implications of poor data security practices and the potential threat they pose to business are not well understood. As business moves into further reliance on data-centric services, vendors may see more reactionary responses to crisis rather than a proactive understanding from businesses.
CA Buys Data Loss Prevention Vendor
by admin on Jan.26, 2009, under Endpoint Software Packages, data security
Network World reports on the third security related purchase by CA in recent times. Their new acquisition is the data leak prevention vendor Orchestria. Orchestria provide a number of DLP and information compliance products. Symantec also use Orchestria’s smart tagging technology for use in their Enterprise Voltage product.
CA is said to be working on solutions to administer access control and set security policies based on a user's role and identity. Adding Orchestria’s technology and experience to the company will strengthen their DLP offering and complement their existing product range.
Security Policy or Security Product?
by admin on Dec.18, 2008, under data security, security policies
It is clear from meeting customers that the technology fix continues with security - the belief that a product will solve all the security problems in an organisation. This misguided expectation is exploited by vendors who sell every flavour and permutation for each identified security flaw. This results in customers wasting a lot of money on shelfware (software that is never installed and sits on the shelf) or problems trying to effectively deploy the product with no clear idea of configuration or threat.
However, a simple step before buying a product fix would be to consider which security policies the organisation should reasonably implement, which would then save time and money. With protection of information, it is vital to define the policies that are reasonable and actionable to do the job. Once the policies have been set, agreed and communicated, the tool can be matched to the policy.
So many clients buy a product that they cannot effectively use as there are no existing policies defining what the product should do. It takes time to get the product reflecting the policies. From experience, one should start with strategic policies that, at a high level, define the overarching rules of the organisation. These can then be broken down into tactical policies. From the tactical policies, the standard operating procedures can be defined and written.
In summary, product purchase is used as an excuse for ‘doing something’ with security but with no organisational framework defining its use.