Subscribe to BCA Journal Know More

May 2008

Security alert

By Uday Chitale, Murtuza Vajihi
Chartered Accountants
Reading Time 7 mins

Accountant AbroadLately there
have been quite a few reported cases of lost customer data both in the
government or public sector domain as well as in private corporate sector. This
is forcing information security up the corporate agenda.

It seems as though with every new day comes a fresh
revelation of an organisation that has lost some customer data. First there was
the loss by Revenue & Customs Department of two discs containing details of 25
million child benefit recipients. Then the Ministry of Defence admitted that
details of 600,000 applicants to the armed forces were stolen from a laptop in
the boot of a naval officer’s car. Those were just the two largest such
revelations in the UK. There have been many others, such as the loss by the
vehicle registrar in Northern Ireland of the personal details of more than 6,000
car owners.

It is not only government bodies that are failing to protect
customer data. Private businesses are also struggling. To give just two examples
in insurance industry, Norwich Union has lost £3m of customer money through
identity fraud, and Nationwide lost a laptop containing 11m customers’ details.
There are signs that cases such as these are finally driving the issue of data
security up the corporate agenda, forcing senior executives to consider the many
ways in which sensitive data can go astray.

Perhaps the most obvious way to lose data is through the
physical loss of a storage device such as a laptop, a disc or an external hard
drive. According to recent research, business travellers in the UK lose a
staggering 8,500 laptops and other mobile devices in UK airports every year.
Stockport Primary Care Trust recently revealed that it lost the personal medical
records of 4,000 NHS patients on a USB stick.

Helen Hart, a senior associate at law firm Stevens & Bolton
LLP, says : “Data should only be able to be copied over to portable storage
devices with the consent of the company and with such data being passworded. As
passwords can be cracked quite easily by experienced hackers, data should be
encrypted if possible. Organisations that already encrypt information should use
the most up-to-date technology as older methods are easier to hack.”

According to Jim Fulton, vice-president of marketing at
Digital Persona, more and more companies are beginning to use fingerprint
biometric technology. He says : ‘The technology has evolved and is now more
reliable and durable, as well as more affordable and practical. Fingerprint
readers are being embedded into an increasing number of mobile devices like
phones, PDAs, laptops and even USB memory sticks.’

However, for most data it is not necessary to go this far.
Secure encryption is by and large very simple and affordable. In fact, as Jim
Selby, European product manager for Kingston Technology, points out : “The most
shocking aspect of the loss of 25m records by the Revenue, the data on the two
discs could easily have been stored on an inexpensive and easy to use encrypted
two gigabyte USB drive costing just about £ 65.”

Last year, US clothing retailer TJX, had 45m records stolen
in what is perhaps the largest corporate data theft on record. The thieves
managed this by simply parking outside one of the company’s shops and accessing
its wireless Internet system. As Mario Zini, business development director at
Claranet, says : ‘Companies are making ever greater use of the Internet, and
this is exposing their data to ever greater risk.’

Most corporates are now well used to fending off hackers.
Patrick Walsh, director of product management and marketing for eSoft, outlines
the extent of the attacks : “If you put a computer on the public Internet, it
will be scanned by hackers within minutes. If a service such as a Secure Shell
server is publicly available, it is likely to be a matter of minutes before
hackers attempt common username and password combinations at fast rates. An
unpatched Windows machine on the public Internet without a firewall will be
compromised in under 10 minutes.”

He goes on to outline the following steps that companies can
take to protect their systems : “Antivirus scanning must happen for all files
that come into an organisation, not just those that arrive as email attachments.
Websites known to host phishing attacks, malware, and exploits should be
blocked. This list must be updated in real time. Peer-to-peer and instant
messaging applications should be strictly controlled. Email with phishing
attacks should be blocked before it reaches the end user. All confidential data
between home offices, branch offices, and headquarters should be encrypted and
sent over a virtual private network.”

While those technical enhancements will go a long way towards
protecting a company’s customer data, on their own they are not sufficient.
Martha Bennett, research director at Datamonitor, says : “Information security
is much like physical security. Whatever sophisticated alarm systems a home
owner puts in place, burglars will always find a way in if they try hard
enough.” Any business that wants to protect its customer data needs to go beyond
a purely technical solution to implement proper processes and training.

David Cole, security consultant at risk management
specialists DNV IT Global Services, says : “One of the main areas where
organisations fall down in securing information is lack of employee training.
Many have focussed on installing the latest technology to protect their data
while not addressing the weakest link in any organisation — employees
themselves. Good training can bring the threat of data theft alive for
employees, to help them understand and advocate information security policy.”

Providing  this  training  is far  from  simple.  The threats  change  on an almost  daily basis, and few people are sufficiently enthused  by data security to maintain   a focus  on  it.  Joe  Fantuzi,   CEO  of Workshare, describes how one of his products  can help:  “The  key is continual  reinforcement.   Our Workshare Protect scans all documents  leaving the system  to check for any sensitive  data,  and  then asks the user if he or she actually wants  to send it out. Google recently sent out a Power Point presention that  contained  confidential  information  on projected financials in the speaker notes. If they’d used our system they would probably have been spared this embarrassment.”

Clearly, there is much to be done. William McKinney, marketing director of Sterling Commerce, stresses the importance of building a strategy. “Companies tend to be reactive,” he says “Don’t just leap on the latest threat in the media. – Take time to look at your business and work out where the threats lie. Where are your points of weakness? Which is the most sensitive data ?”

Devising and implementing this strategy is a long-term project that will require most businesses to invest significant quantities of time and money. However, a growing number of businesses are sufficiently concerned by the threats of not only fines from regulators, but also negative media coverage that they are starting to act. It is not before time.

Better  data  security  in seven  steps:

    1. Classify your data according to its sensitivity and confidentiality to ensure that the security measures are appropriate to the risk.

    2. Perform a formal risk assessment to identify security vulnerabilities and to ensure appropriate risk mitigation.

    3. Embed formal accountability for data security in job descriptions.

    4. Employ appropriate tools such as encryption and biometrics where sensitivity or confidentiality is a key issue.

    5. Ensure the corporate audit committee has information security as a key item on its agenda.

    6. Encourage the board to recognise its final accountability for security. It needs to ask the right questions and allocate appropriate resources.

    7. Provide all staff with repeated education and reminders about their responsibility for security.


You May Also Like