KPMG’s Mark Waghorne looks at ways to prevent crooks from getting at data even if they make off with laptops, tablets and smartphones
Theft of information is big business. Where people are carrying printed information, if it is stolen then it must be considered compromised. When information is stored and carried digitally then its theft or loss does not automatically mean it is compromised. At least, not if it has been protected properly.
As a result, the general theme in organisations should be: the more we enable our people to make use of the information they need in digital format the better because we can develop and implement strategies to protect that information. Once printed copy is left in a public place, it is irrecoverable.
Keeping data safe from the thieves
Take laptops, a major target for thieves, as an easy example. Very often the motive for the theft is a straightforward “quick-cash-return” on the sale of the hardware – akin to stealing car audio systems and mobile phones. The thieves in many instances aren’t interested in the information. This is quite possibly the case even when the theft is planned by, for example, targeting bars in areas where there are large numbers of knowledge workers.
So, if we end up with a laptop that has been lost or stolen, should we be worried? For well-prepared organisations with information protection programmes in place, the answer is maybe not. It may be an irritant to lose the machine, but laptop encryption should be seen as standard practice and, if implemented well, the information should be quite well protected.
Protection of laptops in this way has been basic practice in many organisations for a long while – especially in heavily regulated industries such as financial services where it is mandatory. Similarly, data protection authorities in many countries, including the UK’s Information Commissioner’s Office, will require encryption for the protection of personal information.
Many organisations that understand the value of their information will extend this type of protection by, for example, preventing the use of USB storage devices, implementing tools that allow only certain types of data to be written, or ensuring that only devices with encryption can be used. Data loss prevention (DLP) tools that provide this type of functionality have been around for a number of years and are now quite mature. Organisational procedures and processes, however, often lag behind. Policies may exist that set out the rules that should be followed to classify data (and thereby drive how it is protected) but they are often poorly understood by – if even known to – the user population.
Going down a virtual route
What else might our digital information strategies be able to do to help us with the protection of one of our most valuable assets? When we are targeted by such a wide group of threats that range from disgruntled employees, activists, organised criminals to state sponsored commercial espionage, then this question should be front of mind for CIOs and the people tasked with the protection of the organisation’s information. Part of the answer might take us ‘back to the future’.
We have become used to laptops and other mobile computing devices that have significant processing power and very large storage capacity. Increasingly these are personally owned rather than provided by the corporation. We have already talked about encryption but what about other security approaches? One answer is maybe, “no data on the device”, the scenario where all we used to have was a terminal on the desk that accessed data remotely. Those terminals, however, were ‘dumb’ and that is not relevant for future practices.
The future, and indeed the ‘now’ for an increasingly large number of organisations, is harnessing the processing power of the mobile device to access and make use of information stored remotely. However, the virtualisation technologies used mean that the data is not persistent on the device. Citrix and similar have done this for us for quite a long while and these types of strategy are excellent when we are online as we can get at the data and use it. When we are offline though, if we wish to work then the data needs to be locally stored and its security is then key.
However, the recent surge in the development of portable computing devices means that organisations need to adapt their policies to cover the large number of devices available and widely used. With these, especially in the ‘bring your own device’ scenario, the number one challenge at the moment is being able to strike a balance between usability and security. Much functionality is currently restricted to email and calendar usage, thereby reducing the value of what is otherwise a reasonably powerful device. Users want to be able to access and annotate attachments, but this functionality is often not available. Concerns about securely storing data locally mean that the device may again be of limited use when not online.
How the issue of local data storage will be addressed remains an open question, with developments ongoing in the areas of containerisation, virtualisation, mobile device management and dual persona based solutions. Information security teams, their IT colleagues and solutions providers have a way to go before the tools are available to provide this security/usability balance. For many organisations, their current security solutions are a collection of components. While they are comfortable that the controls themselves ‘make sense’, the implementations are not viewed as long term. Well integrated and engineered solutions are perhaps eighteen months to three years away.
While the future for better security may not be, “Let’s go back to being dumb”, organisations do have many of the tools that can make digital information secure information. They need the vision and strategy to identify what information is important to them – and important to their adversaries – and then put in place the right protection solutions. This means that ‘the business’ must work in a cross-functional way with IT, the information security people and departments such as legal and risk to cover all bases throughout the information lifecycle, from creation or receipt, through processing, transmission and storage, to archive and ultimately destruction.
Mark Waghorne runs the I-4 information security group at KPMG.