It's the internal threat of data loss you should be worried about
30th July 2007
Threats posed to corporate networks are well documented. But the way in which many of them are covered has led to panic in some quarters, with companies focusing on things like USB devices rather than taking a measured approach. Here Mark Dye, FSN's Contributing Editor, attempts to redress the balance.
Security and the prevention of data loss have long been a 'hot-bed' of discussion for businesses everywhere, causing more than a few ruffled feathers in the boardroom.
Yet what is a company worth without its most important assets: its people and its data? The answer is probably not much, but at some stage we have all been guilty of neglecting the very real threats, both internal and external, that lie at our door.
Journalists have also been guilty of sensationalising the coverage surrounding security leaks and theft, as have those looking to turn a profit. Yes, USB devices and the like are a risk, but all risks need to be put in perspective.
Simon Perry, VP Security Strategy, CA EMEA, shares this view. As both a former member of the advisory board for ENISA (European Network and Information Security Agency) and an advisor to the FBI, he is well placed to comment on security concerns and best practice for businesses.
“The same financial institution which would say they're worried about 'podslurping' is probably leaving backup tapes containing 10 iPods' worth of data in a rubbish bin,” he says.
According to the recent Annual Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI, the top four categories of security loss were viruses, unauthorised access, laptop theft and theft of proprietary information, together accounting for nearly three-quarters of the total loss for firms.
Looking towards the lower end of the spectrum, things are a little more startling, as the recent SMB (small to medium business) State of Security survey, conducted by Dynamic Markets on behalf of Websense, revealed.
This study of some 750 IT managers and general employees in SMBs in five European countries found that 98% of IT managers believed their technology and processes to be adequate, with over half of these believing their company was well equipped against security threats and, perhaps most bizarrely of all, a quarter saying they felt 100% protected.
However, further questioning revealed that the vast majority were failing to close obvious loopholes: they were not blocking peer-to-peer communications, not filtering use of the Net and not blocking attachments to instant messages. Not one single company surveyed protected itself against every possible threat, and 15% believed firewall and antivirus solutions to be sufficient protection for their business.
Perry thinks that most companies place themselves at risk because of a failure to realise why they have IT to begin with, and what the value of information is to them beyond 'just a roomful of flashing LEDs'.
“From that base corruption in values comes all failure in IT security,” he suggests.
There is a general feeling among those in the industry that most end users also believe the Internet isn't dangerous, which is a risky assumption to make.
As Jean Paul Ballerini, senior technology solutions expert for Internet Security Systems, puts it, “Companies must invest in awareness because a knowledgeable user highly reduces risks.”
Clearly piecemeal security doesn't help firms either, but overcoming the natural, human trust among people seems to be the biggest hurdle, he says.
“Also, over the past few years the main focus has been on network and server security, leaving the desktop as the weakest link, always after the end user of course,” he adds.
Perry feels that there is a certain degree of hypocrisy in the air these days too, with companies happily hiring a new salesman who comes with intimate knowledge of customers, pipeline and competitive strategy, while at the same time turning a blind eye to the fact that their own employees might be walking out with similar data to the company's own competitors.
“The IT security software industry and the IT media deserve blame here too for the over-hyping of viruses compared to a reasoned and fact-driven analysis of the internal threat,” he says. “Remember, you may be likely to see the external attack, but the internal attack is more likely to result in loss of valuable assets.”
Classifying data according to sensitivity and business value is clearly key, but companies also need to consider the regulatory and legal requirements for the management, storage and privacy of information.
Perry says that theft and corruption of proprietary information would be top of his list of priorities, with unauthorised access coming in a close second.
“What I'd really worry about if I was the CEO however would be the impact to my company's brand and ability to attract and retain customers, given my inability to keep safe my customers' data,” he says.
But with high net worth customers and investors becoming increasingly IT savvy, and the average age of a stock portfolio holder having dropped by 15 years to 47, according to NA figures, there are other things to worry about.
“That 47 year old probably knows more about IT, its foibles and failures and faults than the board running the company,” he says.
Ballerini again stresses the importance of awareness among employees to counter such problems, but offers some simple suggestions too.
“All hard-drives should be encrypted, all laptops should be securely stored and the use of Kensington locks should be mandatory,” he says.
While he is sure most now use anti-virus, content filtering and intrusion prevention systems as they begin to understand how fundamental they are, Ballerini believes that monitoring the activity of each user is expensive and, for many, cost-prohibitive. He recommends configuring each system with host-based protection and hard drive encryption, and using biometrics for secure, authorised, authenticated access where possible.
As for the gap between popular perception and reality when it comes to data loss, Perry believes that there should be no distinction between external and internal systems these days. “The difference between the intranet and the internet is a vowel not a technology,” he says.
Of the current issues, peer-to-peer communications (P2P) and the threat of data loss through instant messaging are proving the most worrying.
“The network today is the leveller and P2P punches right through the artificial barriers between internal and external,” says Perry. “It also bypasses most filtering technologies by virtue of being P2P in the first instance and not relying on being channelled through a natural choke point where analysis and filtering can be done.”
Unfortunately, many people still trust anyone on the other side of a P2P connection without any sound reason for doing so, and file sharing is an issue not only when it comes to data leakage but when it comes to the spread of malware too.
“There is no real reason why public P2P should be allowed within a corporate network,” expands Ballerini. “If a company wants to use it internally, they should make sure to use one that is contained within the company and its employees. The use of encryption originated from the need for confidentiality and privacy protection. Today it is a highway for hackers as the connection cannot be monitored.”
Of course, one of the main problems with all this is the speed at which technology is advancing. Yes, we cherish our new world of flexible computing, but it's one that comes at a price. It's a fair assessment to say that no matter how good traditional security products are, most struggle to keep up with the volume of new and more complex web threats.
As Perry laments, “We're playing catch-up from a long way back right now. Arguably we will always be in a technology state-of-war cycle with the 'attackers'. Many companies allowed themselves to get a long way behind and are now suffering the consequences.”