Data Security: It’s Not Rocket Science

I’m sure most of us have seen the news reports about NASA’s data security problems over the past two years. The Agency experienced “the loss or theft of 48 mobile computing devices, some of which resulted in the unauthorized release of sensitive data and third-party intellectual property”, according to a report by NASA’s own Inspector General.

The report went on to state that these high-profile losses of unsecured devices, and a range of other security breaches, “caused significant disruption to mission operations, and resulted in the theft of sensitive data, with an estimated cost to NASA of more than $7 million.” When repeated breaches happen on this scale to an organisation with such huge resources and technical know-how, it raises the question of why such breaches continue to occur.

That question is also answered by the NASA Inspector General’s report, stating “NASA has been slow to implement encryption on notebook computers and mobile computing devices it provides to its employees, exposing sensitive information to unauthorised disclosure when devices are lost or stolen.” In fact, by February 2012, only 1% of NASA laptops and portable devices were encrypted, compared with a US Government wide encryption rate of 54%.

We have a problem

It’s easy to focus on that startling 1% figure as the root of the problem. However, the US Government-wide encryption rate of 54% (only just over half of all portable devices) will hardly put anyone’s mind at ease. Such deployment rates for data security controls are typical in developed countries. When my company surveyed over 300 UK public and private sector organisations in November 2011, just 52% said they encrypted their laptops.

So why are data encryption deployment rates still so low with all types of organisation? I believe it’s a combination of factors, but the overriding factor is simple human behaviour.

Most people, from CEO level down, are at least partly aware of the security risks of device loss, of transferring data to unencrypted computers or devices, and of sending work files to webmail accounts, and are somewhat aware of corporate policies about copying and transporting data.

But people take chances all the time when transferring data, and are typically focused on being efficient workers and getting their jobs done, not on whether their actions might create a security risk. Most of the time there is no malicious intent by the employee and the data remains in the proper hands, which merely reinforces such behaviour.

However, in today’s business and regulatory climate, businesses can’t afford to continue down this path – not just because of the direct losses of intellectual property or competitive edge, but also because of the reputational damage and financial costs that follow a breach.

Secure by stages

So organisations need to protect their IT estate against the risk of data breaches, in line with their security policies, and also make users aware of those policies and of the possible consequences of their actions. I believe there are three key stages in achieving these goals: audit, amnesty and adding security.

First, let’s look at the audit step. You need to know what devices are out there on your network: what’s in use and what perhaps shouldn’t be in use. There’s a range of discovery tools to help automate building a picture of all the devices being used on your networks.

Once the audit is complete, you’re ready for step 2: amnesty. All the computing devices you identify should be brought to the IT department, ready for updating with security applications. This includes laptops, USB sticks and removable media, as well as PDAs, smartphones, tablets and more. At the same time, staff should be informed that unauthorised devices will be locked out of the network.

The final step is to add security. In terms of determining what security solutions you need, it’s important to remember that any computing device is a potential risk. Although the data breaches in media headlines usually involve a laptop computer or USB memory stick, all computers within an organisation – both desktops and laptops – are endpoints, with access to sensitive data. So all computers should have data security controls installed.

These controls should include full-disk encryption with pre-boot authentication, port and device control software, and removable media encryption to protect USB sticks and DVDs. It’s also important for IT administrators to have central visibility and control over endpoints to ensure compliance with the organisation’s security policies.
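As an added illustration of the three stages (not code from the article or from any product it mentions), the script below turns a constructed device inventory, standing in for discovery-tool output, into the actions each stage produces: devices to lock out of the network, devices that still lack the controls policy requires, and the portable-device encryption rate the article uses as its yardstick. The required-control matrix is an assumed organisational policy.

```python
"""Endpoint audit report for the audit / amnesty / add-security process.

Constructed example: the inventory and the required-control matrix are
invented for illustration; a real run would consume discovery-tool output.
"""
from dataclasses import dataclass, field

# Controls the article calls for, keyed by device class. Assumption: this
# matrix is the organisation's own policy, not taken from any product.
REQUIRED_CONTROLS = {
    "laptop": {"full_disk_encryption", "preboot_auth", "device_control"},
    "desktop": {"full_disk_encryption", "device_control"},
    "usb": {"removable_media_encryption"},
}

@dataclass
class Device:
    device_id: str
    kind: str
    owner: str
    authorised: bool          # known to IT after the amnesty stage
    controls: set = field(default_factory=set)

def missing_controls(dev):
    """Controls policy requires for this device class that are not present."""
    return REQUIRED_CONTROLS.get(dev.kind, set()) - dev.controls

def audit(inventory):
    """Split discovered devices into the actions the three stages produce."""
    lock_out = [d.device_id for d in inventory if not d.authorised]
    needs_security = {d.device_id: sorted(missing_controls(d))
                      for d in inventory if d.authorised and missing_controls(d)}
    # Encryption rate is measured over portable devices only, as in the article.
    portable = [d for d in inventory if d.kind in ("laptop", "usb")]
    encrypted = [d for d in portable
                 if d.controls & {"full_disk_encryption", "removable_media_encryption"}]
    rate = round(100 * len(encrypted) / len(portable), 1) if portable else 0.0
    return {"lock_out": lock_out, "needs_security": needs_security,
            "portable_encryption_rate": rate}

# Constructed inventory standing in for discovery-tool output.
INVENTORY = [
    Device("LT-001", "laptop", "alice", True, {"full_disk_encryption", "preboot_auth", "device_control"}),
    Device("LT-002", "laptop", "bob", True, {"full_disk_encryption"}),
    Device("LT-003", "laptop", "unknown", False, set()),
    Device("DT-001", "desktop", "carol", True, {"device_control"}),
    Device("USB-001", "usb", "bob", True, set()),
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```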

To err is human

This ability to centrally enforce security policies with IT solutions is critical. The process should also be automated so that security is applied in every circumstance – whether on shutting down a laptop, or on copying data to a memory stick or CD. The less the user is aware of the security solution – and latest-generation products are highly transparent – the less it interferes with their workflow, and the more secure your data becomes.

By following the Audit, Amnesty, Add security process, you can help to stop your sensitive data from becoming ‘access all areas’, and avoid embarrassing and costly losses. Rocket science is hard; security doesn’t have to be.

Terry Greer-King is Director of Cyber Security for Cisco UK & Ireland. Having been at the forefront of the industry for the last 10 years, Terry is an acknowledged leader and authority on cyber security. Terry regularly engages at senior level with CIOs, major partners, service providers and other key vendors in the IT Security space. He is a key spokesperson at both industry events and in the press. Prior to Cisco, Terry was MD of Check Point Software UK.