Plugging the data breach

As high-profile data breaches continue to make headline news, the channel can offer security, says Sara Yirrell

Barely a week goes by without another news headline exposing a government department or a corporation on the loss of personal details of UK citizens.
One major contributing factor to the rise of security breaches is the sheer amount of data that companies have today and the rules governing the storage of that data, said David Galton-Fenzi, group sales director at distributor Zycko.
“More and more organisations are storing information about their business and customers in electronic format, and are keeping this information for longer periods of time than they have done previously,” he said.
“This is often mandated by the different legislations that govern the sector in which their business falls, such as Hippa for Healthcare (which must retain information for the life of the patient, plus two years), FSA and Basel II for finance (a total of seven years), the Sarbanes Oxley Act, PCI for the payment card industry, the Freedom of Information Act and the Data Protection Act, to name but a few,” he said.
“Currently, breaching one of these legislations would result in a financial penalty for businesses, but not in a custodial sentence.”
Data breaches have been happening for years, a fact backed by the Information Security Forum (ISF).
Andy Jones, senior research consultant at the ISF, said: “While there are some new factors and challenges, it is really just a new name for an old problem.
For large organisations, a certain level of information leakage may be inevitable through unintentional actions rather than malicious intent. It is important to focus resources on identifying and protecting high-value data and increasing awareness of the risks.”
But the issues really started coming to the wider public’s attention via the mainstream press with the TK Maxx fiasco last year, when hackers managed to steal millions of shoppers’ bank details from the firm’s computer system.

Lack of care
But it is the apparent lack of care, highlighted by recent incidents, that is of concern. For example, the HM Revenue and Customs (HMRC) loss of two CDs containing the personal details of more than 25 million UK citizens was not the result of hackers ­ the CDs were in fact lost in the internal post.
The HMRC incident seemed to open the floodgates and the industry has since seen a wave of data breaches so widespread that it has prompted calls from all areas of society to make the loss of such data a criminal offence.
For example, last month the Ministry of Justice was forced to admit that four CDs containing unencrypted personal information had gone missing, again in the post, after being sent out by the courts’ administration.
Alan Beith, Commons Justice Committee chairman, said the loss “underlines the need to urgently implement our recommendations for improved data protection and the introduction of criminal penalties for reckless or repeated loss of data”.
He added that he was concerned about the “potential serious risk to victims of crime and witnesses connected to criminal cases if their personal details have been lost and fall into the wrong hands, as well as the possibility of prejudice to any prosecutions.”
Maitland Hyslop, chief operating officer of VAR Onyx, backed calls for tougher laws to cover reckless or repeated breaches of data security.
“We welcome the decision of the Parliamentary Justice Committee to call for legislation to make reckless or repeated breaches of data security a criminal offence. Companies such as Onyx are already able to provide data storage and computer network security solutions designed to prevent the security lapses that have featured in recent news headlines, so there really is no defence or reason for such breaches,” says Hyslop.

Handling issues
One of the main reasons for security breaches is that sensitive data is often handled by inexperienced and junior members of staff because senior staff often consider it below their status to carry out backup and data delivery duties.
Sean O’Reilly, EMEA channel manager at vendor Thinking Safe, said: “The most mundane job in any IT department is that of the tape monkey, a cruel nickname for the young person tasked with loading backup tapes every evening and ensuring they are correctly labelled and ready for collection by the courier. These employees have been sending unencrypted tapes off site every evening for as long as anyone can remember; tapes that could easily be read by an average techie with a tape recorder and a laptop.
“The channel has been given an opportunity to deliver a well established online backup solution with secure encryption, without the burden of investment in datacentre infrastructure,” added O’Reilly.

Punishment
Gary Clark, vice president of EMEA at SafeNet would like the Justice Committee’s recommendations to be taken one step further and for firms to be penalised for not having the correct security procedures implemented in the first place.
“Instead of punishing those responsible for data breaches after the event,” he said, “steps need to be taken to prevent them in the first place. Organisations should be penalised not only for losing data, but for failing to have the necessary safeguards in place. These include identifying process weaknesses, adopting robust security standards and encrypting all sensitive data. This is a classic case of shutting the stable door after the horse has bolted.
“Today, at least a quarter of the UK population has been affected by identity fraud or knows someone who has. And with the government also responsible for lost data, high-profile breaches will continue to hit the headlines in 2008,” Clark added.
However, Elaine Fletcher, senior associate at international law firm Eversheds, said that caution is warranted when venturing into punitive legislation.
“The uncertainty as to what might happen to misplaced information is distressing for those whose details have been lost, and is it essential to restore trust that individuals’ private details will be properly looked after. Whether or not this is an over reaction remains to be seen. It is still uncertain whether the data from the recently reported public sector losses has been accessed by unauthorised third parties to be used fraudulently.
“There should be due investigation to establish the extent to which systematic and unnecessary security breaches are occurring before any knee-jerk reaction,” she said. “Businesses may, however, rightly question why government departments and officials should be in the privileged position of being beyond prosecution for failing to comply with formal ICO compliance sanctions.”
The problem seems to be that many firms and government departments have an “it is not going to happen to me” attitude.
Jamie Cowper, European marketing director at security vendor PGP, said: “While the UK government seems to be moving closer to implementing US-style data breach notification laws, proposals to criminalise data loss could be a step too far. Instead, organisations should be encouraged to move away from a reactive, laissez-faire attitude to security and take a more proactive approach to data.”

Heads in the sand
Recent research from security giant Check Point revealed that 65 per cent of respondents (140 IT managers in the UK public and private sector) would not change their IT spending plans after the HMRC breach. Also, only 48 per cent of those have encryption deployed and less than 40 per cent have end-point security.
Nick Lowe, regional director of northern Europe at Check Point, said: “It is worrying that a majority of the companies surveyed feel they are safe against data loss. More than half of our survey sample do not have the basic security measures in place to stop the type of behaviour that caused the leak at HMRC.
“Securing any kind of sensitive data has to be automated, so that employees or other users cannot alter or stop the security processes. Organisations must protect their data and their staff against the risks of possible data leaks. Automation is the only way to do that.”
Ritchie Jeune, chief executive of VAR Evolution Security Systems, said firms need to consider their strategy carefully.
“Solutions to prevent data leakage have been, and are, readily available. The issue most organisations face, is that they must first identify what data they need to protect and then ensure they have a solution that can protect the data during rest and transit.
“Add to that access controls to ensure only the right people can review the confidential data and reinforce it with auditing so in the worst case scenario you can retrace the data movement. Companies will then have what sounds like a simple install of some encrypted USB keys, but in fact is a complex solution
that incorporates procedures and user awareness training.”
Of course, all this extra activity means a good opportunity for the channel to remind the government how smaller contractors can implement a strategy that works.
Pete Rawden, channel sales director for the UK and Ireland at NetApp, stressed that education is a good point of conversation between the channel and end users.
“Losing the records of millions of people is, of course, very concerning for individuals and organisations alike. However, solutions to this problem are often perceived as complex and prohibitive, so have been largely ignored.
“There is a real opportunity for resellers to become a trusted adviser on this issue as firms look for guidance and expertise on the most efficient and cost-effective ways to protect and retain data.”
David Ellis, director of e-security at specialist distributor Computerlinks, said another contributing factor to the problem was a distinct lack of awareness of the risks faced by many companies.
“It is important that the channel educates its customers on the risks associated in this area,” he said.
“Many end users may not be aware of the risks they face. Working with their customers, VARs have the opportunity to help establish
where the risks lie, how they can mitigate these and then create policies and business workflow to help enforce them.
“By understanding the customer’s business well, there is the opportunity for the channel partner to develop a tight and long-standing relationship.”
Alan Bentley, EMEA vice president of Lumension Security (formerly Patchlink) also felt more education was needed.
“At the heart of all the recent data losses is a lack of awareness and coherence to the organisation’s security policies. The human factor is often the weakest link in any security armour.
“Educating employees about the risks of data theft needs to be tackled first. Implementing policy, which employees will adhere to, comes second, but it is no easy task, especially when you consider the numbers of people who must abide by the policy. Unless employees start to understand that their job is on the line if they fail to follow procedures, this culture of careless data handling will continue.”
Steve Mackey, UK area director at Quantum, said: “Resellers that sell certain elements of web security should be looking for products that can be hooked into existing solutions, rather than a totally new set of disconnected products. There should be a holistic view of data protection with vendors providing a complete solution in this area.”
Mackey suggested three main points to consider when selling to customers ­ see box, 25.
Ann Keefe, sales director for the UK and Ireland at flash drive vendor Kingston Technology, said: “It has never been more important for an organisation to ensure that all the private data it holds and the way the data is transported is secure.
“This is especially vital for government departments, multi-national corporations and large enterprises, that often deal with a great number of personal and private records. And it is critical for financial institutions that are bound by FSA regulations.

Creating opportunities
“As discussions are now turning to the possibility of legal action against companies and individuals that lose data, organisations are looking for a simple and inexpensive solution and this certainly opens up possibilities for the channel.”
Matt Fisher, vice president of Centennial Software, echoed this view. “The recent flurry of data breaches has grabbed headlines and caused both companies and consumers to reconsider the way data is treated. This presents an unrivalled opportunity for partners and resellers to further promote and sell their respective security solutions.
“Previously, the consequences of a data breach appeared to be vague and unclear, however companies are now faced with very real and costly repercussions should a breach occur.
“A broad variety of risks, such as spam, viruses and device management means that a sole security solution is unable to offer complete IT security. As a result, companies need to deploy a layered approach to ensure a robust infrastructure. This is where resellers can really differentiate themselves.”

Waking up to risk
It often seems the channel benefits on the back of other people’s suffering, particularly where security is concerned. But this is because it takes experience of a major data loss or threat to wake up many senior executives to the fact that they are at risk as much as any other company.
Jonathan Cooper, director of EMEA partners and channel at vendor ArcSight, agreed. “If approached in the correct way, the channel should use these incidents as opportunities for new business as each high-profile incident creates a need for the end user to do something about the risk of it happening to them,” he said.
“The increasingly pressurised environment in which end users work, and the increased challenges that this represents, are opportunities for the switched-on, solution-centric channel player to align themselves against.”
Tom Owens, a consultancy services manager at security integrator Integralis, concurred. “It was only a matter of time before something such as the recent HMRC misplacing of sensitive data occurred and it sent tremors throughout all public and private enterprises,” he said.
“Many organisations have trodden a thin path between getting away with it and stepping over the line into the full gaze of the world’s media once an error has been made public.”
Owens said a key point was to avoid a knee-jerk reaction and to focus on properly conducted business analysis to show employees the real problems that caused breaches to happen. Simply plugging in a box is not the answer, he added.
“We at Integralis are focussed on working with our customers to analyse their requirements and help them identify the right course of action. We can provide highly specialised technical teams that can ensure the right solutions are put in place, while our analysts help managers to embed the right processes and culture to make the appropriate technical solution work for them.”
Ian Kilpatrick, chairman of value added distributor (VAD) Wick Hill Group, outlined three main selling points for VARs to consider.
“Resellers should go for quick wins to build positive momentum, understand customers’ problems and sell solutions to those problems rather than technology, and help assess customers’ risk and work on risk management solutions.”
Kilpatrick said the range of products on offer to resellers were extensive, but stressed the importance of using partnerships.
“Some solutions are easy for the channel to deliver. For the more complex solutions, if resellers are dealing with a supportive VAD and vendor partnership, they will be supported across the selling process.”
Security community slams HMRC