It has nothing to do with the size of your inbox or shared drive or whether your competitive edge stems from a specific design blueprint or a secret ingredient. It could be that you have and need to keep reams and reams of customer information or maybe you simply have unique insight into a few key clients. It all amounts to information that defines your business. And it’s clear that companies value it – we know this from the results of Symantec’s recent State of Information survey that shows companies are spending a total of £714 billion[i] a year on storage infrastructure, security, compliance and access[ii].
In fact, the survey revealed that digital information makes up 49 percent of an organisation’s total value so the loss of information is actually worth a lot more to a business – actually it would not be an exaggeration to say that you can’t really put a price on it. It is after all what keeps you in business. One IT manager at a large engineering firm said when asked about the consequences of losing the enterprise’s information: “We would have to fold our operations for at least a couple of years before we’d come back again.”
On average, the survey shows that enterprises spend £25 million on information, while SMEs spend £215,000. However, the cost per employee for SMEs is a lot higher at £2,383, versus £2,140 for enterprise. For example, a typical 50 employee small business spends £119,155 on information management, whereas a typical large enterprise with 2,500 employees would spend £5.3 million.
It’s clear the consequences of losing business information would be disastrous. Respondents in the UK highlighted the impact of data loss to their business including lost customers (48 percent), damage to reputation and brand (36 percent), increased expenses (36 percent) and decreased revenue (35 percent).
When you look at it like this, it’s money well spent.
- Storage infrastructure £201 billion*
- Security £210 billion*
- Compliance £192 billion*
- Access £76 billion*
*rounded to nearest billion, converted from US dollars using the current rate of 1.54.
OK, so we were digital long before 2002, but it was then that the amount of data stored digitally overtook that which was stored in an analog manner. A recent analysis of ‘all’ storage also showed that we now have enough capacity for 295 exabytes of information… which is about 404 billion CDs.
Of course how much if it is actually used is not presented – and neither is how much of it is repeated, i.e. the amount of unique data is probably just a fraction of that. Finding things you know exist becomes harder each day, and a good friend Adrian Seccombe has written a short post on just this problem… losing things in your digital pocket. For enterprises this particular problem is worse, with thousands of hours of productivity lost each year due to people looking for data they know exist but can’t find – and then trying to reproduce it.
Archiving with full-text indexing is one option – but that is often catching less and less information as more ‘digital pockets’ are used. Furthermore, the loss of an unsecured ‘pocket’ could now result in a £500K fine from the Information Commissioner’s Office (ICO). Data growth is inevitable, but as the legislation evolves to encompass new working practices (the cloud, consumerization of IT, social networking sites, …) so too will the risks. As ever, it is time to revisit policies around security and data management and check that they have moved with the times… and if not, make the change before they become a liability.
At a time when many organizations are being bombarded on every side, they sometimes forget about the inside. Because so much has been said about the dangers imposed by malicious outsiders and insiders intent on wreaking havoc and reaping money, the non-malicious insider threat remains somewhat unspoken.
I recently wrote a whitepaper outlining the threat posed by well-meaning insiders. See it here.
The well-meaning insider represents a weak link in the security posture of many organizations and few seem to realize the critical role they play in keeping information safe. A survey of office employees in North America and Europe, for example, found that 78 percent think that their IT department solely holds the responsibility for information confidentiality. To be able to fully protect against threats resulting from such misconceptions, companies must identify who constitutes a risk, as well as why and how they might be a threat. Not all insider risk profiles constitute the same type of threat, so security has to be tailored to their particular characteristics.
Well-meaning insiders fall in to the following categories:
- The underminers take the path of least resistance and ignore the spirit of security to make their working lives easier. Creating easy passwords is an example of this. Sharing passwords is another common problem.
- The overly-ambitious employees knowingly take risks to purposefully bypass bureaucratic security processes in order to be more effective in achieving what they think are organizational goals. Encryption, for example, might be overlooked because the employee thinks it’s too cumbersome.
- The socially engineered are those employees, usually in low paid positions at the public facing end of the organization, who are prone to being duped by malicious outsiders into sharing sensitive information or even giving out access codes to systems.
- The data-leakers are the growing cadre of ‘whistleblowers’ who, for various ethical or unethical reasons, leak to the public via social network technology, such as wiki-leaks, information they feel that the public should be informed about.
- The data spillers are employees who have legitimate access to information or databases, but are prone to spill data because of (sometimes routine) organizational practices not checked by lax IT policies. Data spillers may:
- Accidentallydiscloseinformation by losing a laptop or smartphone, else a CD-Rom or USB drive. While such incidents (often unreported) represent a statistical outlier, they do garner much attention—both from other organizations and media outlets.
- Take data out of the secure environment to use out of the office and not deleting it.
- Leave data on discarded computers.
- Not carefully manage data shared with third parties.
- Send unsecured data through public delivery systems.
- Not review and update access inventories or email distribution lists
Resolving these problems can happen through increased IT intervention and employee education. In both cases, the goal is to preserve both human and technological resources. For instance, demonizing these insiders and treating them as willfully malicious will not improve situations. It will either cause a loss of talent or a loss of good relations. Training and educating as well as establishing a culture of security through improved and automated IT will reduce risk and maintain effectiveness.
The well-meaning insider is a different type of problem to the malicious outsider. Both can result in data loss and information breaches, but the motivations and relationships to the company vary widely. Because the industry has focused on outsider threats, many companies are unprepared and even unaware of who may be causing the loss of sensitive information. This issue can be addressed. To get more information on the who, how and why of the well-meaning insider – along with recommendations on how to deal with them effectively – read the whitepaper, Organization Security and the Insider Threat: Malicious, Negligent and Well-Meaning Insiders.
About the Author
David S. Wall (BA, MA, M Phil, PhD, FRSA, AcSS) is Professor of Criminology at Durham University where he conducts research and teaches in the fields of cybercrime, policing and intellectual property crime. He has published a wide range of articles and books on these subjects which include amongst others: Cybercrime: the Transformation of Crime in the Information Age (Polity, 2007).
There have been a couple of stories in the news recently about cached credentials. In essence, you enter your username and password and it enables you to, in this case, easily buy things from the online shop. Making it easier to use compromises the security and here meant that someone else could readily buy stuff when they shouldn’t have been able to.
Move to the business environment… what sort of compromises do you make with your security in the name of user convenience? When it comes to enterprise applications, especially those on mobile devices and / or accessed through a web browser, what is your policy on cookies and caching? If someone were to pick up your mobile phone, or iPad how easy would it be to get access to your data?
Now is the time to revise security policies and usage polices, especially where the IT equipment is used by the employee. Ensure passwords are required when the devices are switched on, have auto-lock policies after a short period of time (5-10 minutes should be ample) and review cookie credential caching for enterprise apps.
In a recent announcement by SAP, they say that they will ‘push all useful data to mobile devices’. Good news… but not entirely unexpected, the smart-phone of today is just as powerful as the laptop of yesteryear and much easier to carry. However, security and usage policies are sorely lacking in enterprises of all sizes.
I wrote previously on keeping up with the user and what they install on their smart-phones, this just emphasises the point further. If all data is available, even that from the heart of the data-centre, then the security should be as strong as that you usually have for the data-centre… policies for appropriate usage, data-loss-prevention and anti-malware to name a few. Remote device management including data wipe should be considered, and even encryption for the device and any removable media (aka memory cards).
The data-centre has arrived in your pocket… but does the CIO/CISO realise it… and if they do, have they done anything to protect it… yet?
With the news that a couple of Android apps have been pulled as they misrepresented their purpose (they were used as research – duping users into downloading and installing them – to see if people would), it raises an(other) interesting question for IT departments around applications, mobile devices and keeping up with the user.
While companies have been getting stricter at what can and cannot be installed on corporate laptops, the same is not true of smartphones. There are now tens of thousands of apps for phones like the iPhone and Android, and while they do have to go through an approval purpose, it won’t be your corporate one.
I have recently been involved in writing security policies for a number of companies and it becomes very apparent as to the need for up-to-date polices coupled with a suitable education programme. Technology is moving rapidly and care needs to be taken to protect corporate data wherever it is and however it is accessed. Updates to policies are worthless if they are not effectively communicated – this is a case in point – updating the policy on downloading apps won’t stop people from doing it if they don’t know about it. If you have technology to prevent inappropriate apps from being installed on smartphones, great – if not, then you need to remind staff of some of the dangers of just downloading and installing apps from the web.
Cyber criminals go after the low hanging fruit and the smartphone is just that – a simple way into a person’s life and potentially the corporate network.
We have been talking about Information Security for a few years now, but with the changes in legislation earlier this year that means you can incur £500K fines, it’s time to look beyond the reactive and towards the proactive. Time to move from Information Security to Information Assurance.
So why Information Assurance rather than just Information Security? Businesses rely on information, and most realise that accurate, available and appropriately shared information is key to growing a business. Conversely, missing or inaccurate information in the wrong hands will damage the business and potentially the business’ reputation.
From a security aspect, it is only the security of the information and systems that is taken into account. Data loss prevention and all the, now commonplace measures to prevent it, coupled with endpoint and datacentre security strategies enable companies to ‘tick the box’. Reporting and auditing are key for this to be provable so that information is kept safe and the newspapers and legislators held at bay. Assurance is all this – and more! Information assurance is about assessing the business’ ability to keep the information safe and that it is accurate and available - to the right people at the right time. It’s about developing a shared understanding across all areas of the business as to how information is used, and its about improving the information available according to business priorities.
As we start to move out of recession, but while the purse strings are still being tightly held it is time to revisit information strategies and look at how information can be used more effectively to drive the business. New rapid assessment services are starting to appear which can build on your information security policies and turn them into information assurance ones.
We conducted a survey in the US on how many people take data with them when they leave the company… and the answer is 79%. While it is tough to take someone’s memory it’s not so hard to ensure that they are not walking out the door with obvious copies. 82% said that they were not checked when leaving… and a frightening 24% still had access to computer systems even after they had left – with 20% still having access more than a week later.
The other statistic that intrigued me was that of those people who took information, 67% said they used it to get a new job and 68% said they were going to use it in their new position.
It always used to be that executives left with their laptops and companies were not overly worried about some of their proprietary information walking out the door with ex-employees. However, in the current climate, it would no doubt pay dividends to initiate a more formal process to ensure that when an employee leaves, it doesn’t increase the risk of a data leak.
(And on the other side of the coin… it also might pay dividends to the new employer to ensure that inapproprite competitor information information isn’t arriving on their network with a new starter… as the fines for that have been rather large in the past!)
Another second-hand data scandal has hit the news, this time it is an MP3 player full of details of US soldiers. The device was bought from a secondhand shop and as it didn’t work the buyer took a closer look and found the data. While the data is relatively old (2005), some of the phone numbers still worked… and this is the problem with personal data – it doesn’t age at the same rate as the systems it is on. I spoke at a conference last week and one of my standard questions to ask is how many people have changed addresses in the last 5 years – to which there was quite a few, and then to ask how many have changed bank details in the past 5 years – and there wasn’t anyone who had. So if your details are compromised today, the chances are they will still be valid in a number of years time.
MP3 players are a very convenient way to transfer large quantities of data, but if this is the case then they need the data to be disposed of in the same way as you would a PC – and this doesn’t mean just throwing them away. Standard ‘delete’ won’t cut it – it needs to be securely erased (including being overwritten a number of times – this is not completely foolproof, but is adequate for most data), degaussed or physically destroyed.
So, security spending is up in response to cybercrime - even in this time of economic downturn. However, it still needs to be targeted. Lost laptops, one of the most common causes can be readily protected using full disk encryption – but that won’t prevent people sending email to the wrong person. A great deal of spending (in IT in general) is done in a knee-jerk reaction to an event. Careful planning and an understanding of the risks and the consequences can focus the budget.
However unless your staff are right behind you – it will be wasted as they will work around any newly imposed security measures. So, first stop should be to create a security awareness and education program – let them know the risks and consequences – ask them what they would do. You might find that some subtle changes in processes will result in a more secure information environment with little to no outlay at all. Of course there will still need to be some outlay – however a holistic view of the problem from all areas will give the best ‘bang for the buck’.