
Sacha Chahrvin, DeviceLock UK: The Insider Threat

September 2008 by Sacha Chahrvin, Managing Director, DeviceLock UK

The demands of the modern workforce are changing rapidly. It’s now a mobile business world and we expect to conduct our work whenever we want, wherever we want. Laptops now outsell desktops, wireless is outpacing wired and your average smartphone can do almost anything – even if you only use it to make calls and as an occasional alarm clock on a business trip.

Not so long ago - when businesses were solely run out of an office - it was easy for employers to keep track of their staff and know that everything from the stationery to their confidential information was kept under one roof.

Nowadays, staff can work wirelessly and remotely, and as business becomes more global we have to adapt to the fact that employees expect to work with a myriad of different appliances and gadgets – many of which are capable of storing anything from customer databases to family albums.

The trouble with all this mobility is that it’s not secure: data seems to fly through the air between devices – it’s no longer tangible. Because of the demands of modern working practice, it is becoming increasingly difficult for IT managers to adequately protect company information. Standard anti-virus and network access control are not enough nowadays. Mobility, in all its weird and wonderful forms, jeopardises business security - and it’s a growing problem.

Recent research has revealed that UK companies trail behind those in Germany and the US in the implementation of policies to prevent data leakage. It also showed that UK end users are less likely to know what type of information is confidential and rarely receive training on data policies.

There is a growing concern that IT networks are becoming too vulnerable to threats from the very thing that they are trying to incorporate – the remote device. The proliferation of iPods, smartphones, PDAs and USB sticks means that most employees now have personal devices that can store huge amounts of data.

These devices are virtually impossible to trace and can be connected to a laptop or PC with ease. Incidents of employee data theft are constantly growing: 1.6 million personal details were stolen from Monster.com, 800,000 were stolen from GAP and the UK Government saw a whopping 15 million individual records stolen in 2007. From these figures it’s clear that this type of threat does not focus on any specific industry; it can happen to any organisation at any point.

And it’s not just your standard Blackberry or USB stick that poses a risk. Over 26,000 different USB products currently exist - from coffee warmers to network adaptors. And these devices are set to become more sophisticated and more readily available – there are already 10GB appliances available in the shops for under £30.

A survey of more than 1,000 UK workers found that 60 per cent admitted to theft of confidential documents, customer databases, business contacts or sales leads. Sixty-three per cent said there were no restrictions on using personal portable devices such as USB memory sticks in the workplace. So how do IT managers start to manage the security threats that are raised by these devices?

Vulnerability assessment

It is important to assess where the business is vulnerable. For some companies it is often a certain group of employees that use mobile devices on a regular basis, such as a sales team. Pinpointing areas in the business such as this, where there is a much greater chance of hardware being lost or stolen for example, means that you can focus your plan of action accordingly.

Policy

The UK government has recently been roundly criticised over its handling of sensitive data following a new report by the Joint Committee on Human Rights. Its recent incidents of data loss were considered to be "symptomatic of lax standards."

Many of the other large companies that appear in the news who have experienced an incident of data leakage have undoubtedly already got a data security policy in place, just like the government. But the fact is that a policy document buried in the hard drive and a few well-placed posters lecturing on the ‘enemy within’ are fairly pointless. Data loss is either on purpose or by accident, so there needs to be a concerted effort, through training and seminars, to convey the importance of data protection and the legal implications of data theft.

Reduce and limit access to data

Restricting who can access what information can help to control the movement of important data. The easier data is to copy, the harder it is to control, so making sure that the right levels of access are being granted to the right people is important. Encrypting data on mobile devices is also a useful measure.

Controlling Data

In the US, many companies do not allow staff to enter the workplace with personal devices that have storage capacity. This is becoming an increasingly common way for businesses to be proactive in stopping employees from being tempted to copy data onto their MP3 player or mobile phone. But it is not failsafe. Investment in technical controls in order to monitor and prevent data being copied and printed without a trace should be the key ingredient of the strategy in managing the threat of data loss.

Endpoint data security enables businesses to allow staff to carry sensitive data in laptops and USB sticks without making data access inflexible and protracted. And this is the balance that IT departments are looking for. The workforce demands easily accessible data at the touch of a button, and the IT department would ideally like sensitive data to be totally secure - which would be impractical for modern working. Additional password authentication will help control who accesses certain systems, and endpoint security software can secure the company’s hardware from theft, or malicious attack through a USB port.

The mobile devices that have become so integral to our personal and business lives are a reaction to the fact that our personal and working lives have become so much more mobile over recent generations. Just as manufacturers have adapted to this shift with devices and gadgets that help us run our busy lives, it is important that we adapt to protect the information that we now carry around with us.

It is not necessarily a struggle for IT security to keep up with all these gadgets and devices, but it is a struggle for them to keep up with how we choose to use those items. Educating employees to try to alter their habits is vital, as long as it coincides with the implementation of user-friendly security measures such as endpoint security, two-factor password authentication or even James Bond style tracking technology for the most forgetful!

