Data loss is more than just encryption

Matthew Brown, Workshare

Matthew Brown A series of high-profile data breaches have catapulted encryption technology into the media spotlight. But information loss prevention requires more than just encryption argues Matthew Brown.

The recent spate of major data leakages has put information protection at the forefront of the national agenda. When HMRC lost two computer disks containing the bank details of over 25 million people, the government disclosed that the disks were password-protected but not encrypted - a simple solution that could have averted this data leakage. At the time, the Financial Secretary to the Treasury said that the breach was the 'most serious incident in the department's history and damaged HMRC's reputation for handling our customers' data'.

The incident sparked a ripple effect with businesses across the country looking at encryption technology to protect against data loss. According to statistics from analyst house Forrester, a staggering 46 per cent of 1,000 IT decision-makers surveyed in 2007 expressed interest or planned to adopt the technology in the next 12 months. This is true for both the private and public sectors, with Whitehall and commercial businesses, such as Marks & Spencer, taking steps to ban unencrypted mobile devices from leaving their offices.

However, few organisations consider the root of the problem. Without understanding how employees with different roles use information, encryption will only help to solve one part of the puzzle. Its imperative for organisations concerned about data leakage to also consider content protection and device control as well as encryption technologies if they want their sensitive data to be completely secure.

Assessing the risk

While the damage to reputation resulting from a data breaches can be difficult to quantify, all organisations should now be aware of the potential costs that can be incurred for failing to protect confidential data. A case in point is TJX, the US discount retailer of apparel and home fashions, including TJMaxx, Marshalls, Winners and TKMaxx. Following an incident that exposed customer credit card details, the company has been ordered to pay MasterCard a settlement of £12 million.

Pinpointing the risks associated with the data held by an organisation is an important first step for any company to take. This may seem like a laborious and costly task but those companies that take time to conduct a detailed risk assessment will be in a strong position to address their vulnerabilities and implement solutions that strike a balance between security and business productivity. A detailed audit forces an organisation to adopt an enterprise-wide data security strategy and prevents the shortsighted approach of simply securing specific devices, such as laptops and PDAs.

Although protecting these devices is necessary, it is important to remember that the data contained at any endpoint beyond the network needs protecting as well and that this information may exist elsewhere within the organisation, or even external to the company.

The need for intelligent technologies

If organisations are to address the threat of data leakage effectively and avoid significant costs, such as those incurred by TJX, enterprises need to continually assess their security situation, educate employees about data security and invest in intelligent encryption solutions. It is imperative that any data leak prevention programme incorporates intelligent technologies that also integrate with existing encryption systems and the organisation's core infrastructure. Today's increasingly mobile workforce makes this education essential but also raises the importance of encrypting sensitive information as well as devices.

After enduring a series of embarrassing laptop thefts, the government decided to ban unencrypted laptops from leaving Whitehall offices. This is a positive move designed to restore public faith in the government's ability to keep personal data confidential, but one that is not enough on its own. Additional measures, such as intelligent file encryption that assesses the nature of the data transferred to a mobile device or sent via email, is also required if data is to remain confidential.  

These solutions should protect not just the data stored on corporate devices but also the information on employees' personal devices, such as USB pens and iPods, that can be used to download information from the corporate network. Encryption of all files that can be downloaded may seem an obvious solution but this is often unworkable as it increases the size of files. Instead, organisations should seek to deploy intelligent software that recognises and accommodates different types of files. These solutions can integrate seamlessly with Microsoft Office and permit remediation by the user to help employees to take appropriate steps to decrease the risk of their actions.

Thinking beyond full disk encryption

Although full disk encryption is often considered the Holy Grail of data security, this is not strictly true since it fails to address the threat from insiders. Forrester reports that at least 80 per cent of data leakage is the result of company insiders unaware of the risks and dangers associated with their actions. If a sales manager leaves their laptop with the IT department for repair, sensitive information, such as sales forecasts, could be accessed by someone who does not possess the relevant level of authority. What is required, therefore, is a data security solution with the ability to protect an individual user's data. This level of encryption ensures the safety of confidential data without interfering with operational processes, such as software upgrades. 

If organisations are to tackle this issue, time must be spent educating staff about security threats and risks associated with actions, such as downloading corporate information to mobile devices. Organisations that take these steps are more likely to achieve 'buy-in' from those that have the potential to cause most damage when it comes to data security.

Some companies remain wary about placing too much control on data and fear a lack of flexibility. This is a legitimate concern, but can be addressed easily with an approach that strikes a balance between security, usability and risk.

Encryption, once considered a backroom technology, has quickly become a mainstream buzzword for organisations of all sizes, both private and public sector. But encryption alone is not enough. It is clear that companies wanting to protect themselves from data breaches effectively require content protection and device control measures as well as intelligent encryption, and need to ensure technologies integrate well with existing systems. Despite concerns about the lack of flexibility and control, these barriers can be easily addressed through well-planned deployment and employee education based on a comprehensive audit. Data loss prevention technologies are now essential in helping organisations to protect sensitive information - an investment well worth the return when the real cost of a data breach is considered.

Matthew Brown is vice president for products at Workshare.