Portable Data Security: Ebb And Flow

Ten years ago the dawn of a new decade brought with it a trickle of employees requiring the ability to access information while away from the office.

Organisations dipping their toe in these waters did so primarily by utilising dial-up methods. Today we’re no longer concerned with how to make it possible, as the consumerization of IT has empowered everyone with the ability to stay in touch, via a deluge of devices, when out and about. The focus instead is how best to exploit the desire and trend for flexible working practices and utilise an increasingly mobile workforce, securely.

The 2010 Landscape
2010 experienced a slower return to business than usual following the festive period due to the extreme weather conditions across England. The snow’s imminent arrival was much publicised and, although some local councils failed in their efforts to keep the roads clear and the transport network flowing, many employees did plan ahead for snowy days and took work home with them. Although not physically at their workstations, many more accessed the corporate infrastructure using mobile devices, such as netbooks and BlackBerrys - the executive must-have gadget, with their ability to receive and read emails and open attachments - to keep the corporate wheel turning, albeit slightly slower than usual.

According to a report in The Times, business groups warned that the cost of absenteeism to the economy due to the January snowfalls could reach £2 billion, but that could just be the tip of the iceberg if the sensitive data that was accessed during the big freeze floods out into the public domain.

Hostile Conditions Ahead
In January, the Information Commissioner’s Office (ICO) revealed it was to be granted new powers, which have been approved by the Secretary of State for Justice and laid before Parliament. From the start of the new tax year (April 6), the ICO can order organisations to pay £500K as a penalty for serious breaches of the Data Protection Act - a framework of rights and duties which are designed to safeguard personal data. For a data breach to attract a monetary penalty, the Information Commissioner must be satisfied that there has been a serious breach that was likely to cause damage or distress, that it was either deliberate or negligent, and that the organisation failed to take reasonable steps to prevent it.
 
Stem The Tide
With mobile devices considered manna from heaven by workers seeking flexibility, they have become a plague for the information security professionals trying to secure them. Small USB memory sticks are easily available, often without any security features, and users can use them to carry and transfer massive amounts of data. Worms and other malware are being discovered that target iPhones - one example is a worm that targets iPhones to steal banking data and enlists the device in a botnet, although at the moment this is thought to be limited to the Dutch online bank ING. However, the major cause of data breaches is theft of mobile devices, especially laptops: tens of thousands are stolen every year, often containing sensitive data whose loss requires public disclosure as a data breach.

With data protection high on the corporate agenda, and the workforce literally taking matters into their own hands and utilising personal devices to facilitate the need for portable access to information, organisations need to recognise this drip of corporate records before the flow of sensitive data breaks free and pours out into the public domain.

The way workforces function is changing and, arguably, it is in the organisation’s favour to embrace an employee’s enthusiasm to spend their own time completing tasks at home – especially when snowed in, or even unwell in bed, and physical presence in the office isn’t feasible. The hard bit is to do so securely.

Someone who wants to transfer data from the safe confines of the corporate environment will do so, with or without your blessing – they’ve got a tool to utilise in a pocket and they’re willing to use it. Organisations need to recognise this fact and counteract it.

The first step is to educate the workforce on the risks this practice exposes the organisation to and then facilitate the process to allow them to do so securely.

There’s No Such Word As Can’t
Just as there is a multitude of devices designed to carry data, so is there assorted technology to secure it. The challenge is to pick one that provides the right level of protection for your data balanced with ease of use for your employees – if it’s inadequate then why waste your money; too complicated and it’ll be circumvented. By providing the workforce with a tool to carry data in the first instance, the employee has no reason to use their own inadequately protected device, thus allowing the organisation choice of how the data is secured.

The ICO recommends that portable and mobile devices used to store and transmit personal information should be protected using approved encryption methods which are designed to guard against the compromise of information. The belief in this technology is so strong that, where data breaches occur and encryption has not been used to protect the data, it publicly states enforcement action will be pursued.

By employing an encrypted solution that is capable of locking down all your valuable data if the worst happens, and your mobile device is stolen or goes missing, you have no need to worry as you’re still watertight.

Organisations can now sign the Personal Information Promise to demonstrate their commitment to protecting people’s personal information by visiting the website at www.ico.gov.uk

-- By Andy Cordial, Managing Director, Origin Storage


Origin Storage will be exhibiting its encrypted notebook solutions at InfoSecurity Europe on 27th -29th of April (stand D50) and would welcome the opportunity to share further details with you.