Barely a week goes by without another news headline exposing a government
department or corporation that has lost the personal details of UK citizens.
One major contributing factor to the rise of security breaches is the sheer
amount of data that companies have today and the rules governing the storage of
that data, said David Galton-Fenzi, group sales director at distributor Zycko.
“More and more organisations are storing information about their business and
customers in electronic format, and are keeping this information for longer
periods of time than they have done previously,” he said.
“This is often mandated by the different legislations that govern the sector in
which their business falls, such as HIPAA for healthcare (which must retain
information for the life of the patient, plus two years), FSA and Basel II for
finance (a total of seven years), the Sarbanes-Oxley Act, PCI for the payment
card industry, the Freedom of Information Act and the Data Protection Act, to
name but a few,” he said.
“Currently, breaching one of these legislations would result in a financial
penalty for businesses, but not in a custodial sentence.”
Data breaches have been happening for years, a fact backed by the Information
Security Forum (ISF).
Andy Jones, senior research consultant at the ISF, said: “While there are some
new factors and challenges, it is really just a new name for an old problem.
For large organisations, a certain level of information leakage may be
inevitable through unintentional actions rather than malicious intent. It is
important to focus resources on identifying and protecting high-value data and
increasing awareness of the risks.”
But the issues really started coming to the wider public’s attention via the
mainstream press with the TK Maxx fiasco last year, when hackers managed to
steal millions of shoppers’ bank details from the firm’s computer system.
Lack of care
But it is the apparent lack of care, highlighted by recent incidents, that is of
concern. For example, the HM Revenue and Customs (HMRC) loss of two CDs
containing the personal details of more than 25 million UK citizens was not the
result of hackers: the CDs were in fact lost in the internal post.
The HMRC incident seemed to open the floodgates and the industry has since seen
a wave of data breaches so widespread that it has prompted calls from all areas
of society to make the loss of such data a criminal offence.
For example, last month the Ministry of Justice was forced to admit that four
CDs containing unencrypted personal information had gone missing, again in the
post, after being sent out by the courts’ administration.
Alan Beith, Commons Justice Committee chairman, said the loss “underlines the
need to urgently implement our recommendations for improved data protection and
the introduction of criminal penalties for reckless or repeated loss of data”.
He added that he was concerned about the “potential serious risk to victims of
crime and witnesses connected to criminal cases if their personal details have
been lost and fall into the wrong hands, as well as the possibility of prejudice
to any prosecutions.”
Maitland Hyslop, chief operating officer of VAR Onyx,
backed calls for tougher laws to cover reckless or repeated breaches of data
security.
“We welcome the decision of the Parliamentary Justice Committee to call for
legislation to make reckless or repeated breaches of data security a criminal
offence. Companies such as Onyx are already able to provide data storage and
computer network security solutions designed to prevent the security lapses that
have featured in recent news headlines, so there really is no defence or reason
for such breaches,” said Hyslop.
Handling issues
One of the main reasons for security breaches is that sensitive data is often
handled by inexperienced and junior members of staff because senior staff often
consider it below their status to carry out backup and data delivery duties.
Sean O’Reilly, EMEA channel manager at vendor Thinking Safe, said: “The most
mundane job in any IT department is that of the tape
monkey, a cruel nickname for the young person tasked with loading backup tapes
every evening and ensuring they are correctly labelled and ready for collection
by the courier. These employees have been sending unencrypted tapes off site
every evening for as long as anyone can remember; tapes that could easily be
read by an average techie with a tape recorder and a laptop.
“The channel has been given an opportunity to deliver a well established online
backup solution with secure encryption, without the burden of investment in
datacentre infrastructure,” added O’Reilly.
Punishment
Gary Clark, vice president of EMEA at SafeNet, would like the Justice
Committee’s recommendations to be taken one step further
and for firms to be penalised for not having the correct security procedures
implemented in the first place.
“Instead of punishing those responsible for data breaches after the event,” he
said, “steps need to be taken to prevent them in the first place. Organisations
should be penalised not only for losing data, but for failing to have the
necessary safeguards in place. These include identifying process weaknesses,
adopting robust security standards and encrypting all sensitive data. This is a
classic case of shutting the stable door after the horse has bolted.
“Today, at least a quarter of the UK population has been affected by identity
fraud or knows someone who has. And with the government also responsible for
lost data, high-profile breaches will continue to hit the headlines in 2008,”
Clark added.
However, Elaine Fletcher, senior associate at international law firm Eversheds,
said that caution is warranted when venturing into punitive legislation.
“The uncertainty as to what might happen to misplaced information is distressing
for those whose details have been lost, and it is essential to restore trust
that individuals’ private details will be properly looked after. Whether or not
this is an overreaction remains to be seen. It is still uncertain whether the
data from the recently reported public sector losses has been accessed by
unauthorised third parties to be used fraudulently.
“There should be due investigation to establish the extent to which systematic
and unnecessary security breaches are occurring before any knee-jerk reaction,”
she said. “Businesses may, however, rightly question why government departments
and officials should be in the privileged position of being beyond prosecution
for failing to comply with formal ICO compliance sanctions.”
The problem seems to be that many firms and government departments have an “it
is not going to happen to me” attitude.
Jamie Cowper, European marketing director at security vendor PGP,
said: “While the UK government seems to be moving closer to implementing
US-style data breach notification laws, proposals to criminalise data loss could
be a step too far. Instead, organisations should be encouraged to move away from
a reactive, laissez-faire attitude to security and take a more proactive
approach to data.”
Heads in the sand
Recent research from security giant Check Point revealed that 65 per cent of
respondents (140 IT managers in the UK public and private sector) would not
change their IT spending plans after the HMRC breach. Also, only 48 per cent of
those have encryption deployed and less than 40 per cent have end-point
security.
Nick Lowe, regional director of northern Europe at Check Point, said: “It is
worrying that a majority of the companies surveyed feel
they are safe against data loss. More than half of our survey sample do not have
the basic security measures in place to stop the type of behaviour that caused
the leak at HMRC.
“Securing any kind of sensitive data has to be automated, so that employees or
other users cannot alter or stop the security processes. Organisations must
protect their data and their staff against the risks of possible data leaks.
Automation is the only way to do that.”
Ritchie Jeune, chief executive of VAR Evolution Security Systems, said firms
need to consider their strategy carefully.
“Solutions to prevent data leakage have been, and are, readily available. The
issue most organisations face is that they must first identify what data they
need to protect and then ensure they have a solution that can protect the data
during rest and transit.
“Add to that access controls to ensure only the right people can review the
confidential data and reinforce it with auditing so in the worst case scenario
you can retrace the data movement. Companies will then have what sounds like a
simple install of some encrypted USB keys, but in fact is a complex solution
that incorporates procedures and user awareness training.”
Of course, all this extra activity means a good opportunity for the channel to
remind the government how smaller contractors can implement a strategy that
works.
Pete Rawden, channel sales director for the UK and Ireland at NetApp,
stressed that education is a good point of conversation between the channel and
end users.
“Losing the records of millions of people is, of course, very concerning for
individuals and organisations alike. However, solutions to this problem are
often perceived as complex and prohibitive, so have been largely ignored.
“There is a real opportunity for resellers to become a trusted adviser on this
issue as firms look for guidance and expertise on the most efficient and
cost-effective ways to protect and retain data.”
David Ellis, director of e-security at specialist distributor Computerlinks,
said another contributing factor to the problem was a distinct lack of awareness
of the risks faced by many companies.
“It is important that the channel educates its customers on the risks associated
in this area,” he said.
“Many end users may not be aware of the risks they face. Working with their
customers, VARs have the opportunity to help establish
where the risks lie, how they can mitigate these and then create policies and
business workflow to help enforce them.
“By understanding the customer’s business well, there is the opportunity for the
channel partner to develop a tight and long-standing relationship.”
Alan Bentley, EMEA vice president of Lumension Security (formerly Patchlink),
also felt more education was needed.
“At the heart of all the recent data losses is a lack of awareness and coherence
to the organisation’s security policies. The human factor is often the weakest
link in any security armour.
“Educating employees about the risks of data theft needs to be tackled first.
Implementing policy, which employees will adhere to, comes second, but it is no
easy task, especially when you consider the numbers of people who must abide by
the policy. Unless employees start to understand that their job is on the line
if they fail to follow procedures, this culture of careless data handling will
continue.”
Steve Mackey, UK area director at Quantum,
said: “Resellers that sell certain elements of web security should be looking
for products that can be hooked into existing solutions, rather than a totally
new set of disconnected products. There should be a holistic view of data
protection with vendors providing a complete solution in this area.”
Mackey suggested three main points to consider when selling to customers (see
box, page 25).
Ann Keefe, sales director for the UK and Ireland at flash drive vendor Kingston
Technology, said: “It has never been more important for an organisation to
ensure that all the private data it holds and the way the data is transported is
secure.
“This is especially vital for government departments, multi-national
corporations and large enterprises, that often deal with a great number of
personal and private records. And it is critical for financial institutions that
are bound by FSA regulations.
Creating opportunities
“As discussions are now turning to the possibility of legal action against
companies and individuals that lose data, organisations are looking for a simple
and inexpensive solution and this certainly opens up possibilities for the
channel.”
Matt Fisher, vice president of Centennial Software, echoed this view. “The
recent flurry of data breaches has grabbed
headlines and caused both companies and consumers to reconsider the way data is
treated. This presents an unrivalled opportunity for partners and resellers to
further promote and sell their respective security solutions.
“Previously, the consequences of a data breach appeared to be vague and unclear,
however companies are now faced with very real and costly repercussions should a
breach occur.
“A broad variety of risks, such as spam, viruses and device management means
that a sole security solution is unable to offer complete IT security. As a
result, companies need to deploy a layered approach to ensure a robust
infrastructure. This is where resellers can really differentiate themselves.”
Waking up to risk
It often seems the channel benefits on the back of other people’s suffering,
particularly where security is concerned. But this is because it takes
experience of a major data loss or threat to wake up many senior executives to
the fact that they are at risk as much as any other company.
Jonathan Cooper, director of EMEA partners and channel at vendor ArcSight,
agreed. “If approached in the correct way, the channel should use these
incidents as opportunities for new business as each high-profile incident
creates a need for the end user to do something about the risk of it happening
to them,” he said.
“The increasingly pressurised environment in which end users work, and the
increased challenges that this represents, are opportunities for the
switched-on, solution-centric channel player to align themselves against.”
Tom Owens, a consultancy services manager at security integrator Integralis,
concurred. “It was only a matter of time before something such as the recent
HMRC misplacing of sensitive data occurred and it sent tremors throughout all
public and private enterprises,” he said.
“Many organisations have trodden a thin path between getting away with it and
stepping over the line into the full gaze of the world’s media once an error has
been made public.”
Owens said a key point was to avoid a knee-jerk reaction and to focus on
properly conducted business analysis to show employees the real problems that
caused breaches to happen. Simply plugging in a box is not the answer, he added.
“We at Integralis are focussed on working with our customers to analyse their
requirements and help them identify the right course of action. We can provide
highly specialised technical teams that can ensure the right solutions are put
in place, while our analysts help managers to embed the right processes and
culture to make the appropriate technical solution work for them.”
Ian Kilpatrick, chairman of value added distributor (VAD) Wick Hill Group,
outlined three main selling points for VARs to consider.
“Resellers should go for quick wins to build positive momentum, understand
customers’ problems and sell solutions to those problems rather than technology,
and help assess customers’ risk and work on risk management solutions.”
Kilpatrick said the range of products on offer to resellers was extensive, but
stressed the importance of using partnerships.
“Some solutions are easy for the channel to deliver. For the more complex
solutions, if resellers are dealing with a supportive VAD and vendor
partnership, they will be supported across the selling process.”