
Adding up the benefits of end point security

06 May 2008

The growing use of removable media in the workplace is becoming an ever more urgent business issue, according to Colin Golden, security consultant at Sapphire. Desktops, laptops, servers and a vast range of mobile devices are increasingly vulnerable to attack.

The rise in remote working initiatives and a lack of awareness from users, many of whom freely plug removable devices into corporate systems, all contribute to the problem. A significant proportion of these invisible threats are able to bypass the firewall and infect information systems with viruses and malware, leaving them open to hacker attacks.

Until recently, company boards have avoided putting security measures in place to protect their businesses against these threats. The risks of not doing so have been difficult to quantify, while the costs of taking appropriate measures have appeared prohibitive.

This financial balance is now starting to change. There is real evidence that many boards across the European Union are beginning to take the risks seriously and establish robust governance strategies. There are three principal reasons for this.

Firstly, the punitive costs directed at organisations that have not shown due diligence are becoming even greater. Businesses now have a greater incentive for spending money to put appropriate security measures in place to help mitigate the risk.

In the United States, it is now a legal requirement that if an organisation loses confidential personal information relating to an individual, then all the affected individuals must be informed. 34 out of the 50 states now have a mechanism in place to ensure that these individuals have free credit checks carried out for one year. For example, if an organisation were to lose the records of 600,000 people, it might be looking at $50-$70 per record or a total of up to $42 million to carry out the related credit checks.

The spend to develop an information management security policy and to then implement the necessary technological solutions to protect end point devices would be nothing in comparison to such a data breach cost. Such an expenditure would only need to be made once - in contrast to the cost resulting from data loss which will be incurred every time an incident occurs.

The Government Minister of Information is currently reviewing the US approach to personal data security, so similar legislation may be on its way in the UK. If this had been the case at the time of the recent HM Revenue and Customs data loss, then the costs could have been astronomical – serious food for thought for any board member.

The second driver relates to more stringent legislation around credit card payments. The new payment card industry (PCI) requirements mean that any organisation that processes credit card transactions needs to have stringent technical infrastructures in place.

The Data Security Standard introduced by the Payment Card Industry is designed to ensure that transactions are conducted in a secure manner and that all the merchants meet minimum security standards.

The third factor is the growing personal liability of board directors. Up until a year ago, there was widespread resistance to the concept of forced compliance with legislation that originated in the United States, such as Sarbanes-Oxley. Over the last 12 months there has been a complete 'sea change' in attitudes. This is illustrated by the emergence of 'e-SOX', the European version of Sarbanes-Oxley.

Increasingly, there are requirements for directors within organisations to have the correct governance in place. If they do not, they risk being held personally accountable.

We are now seeing directors in businesses across Europe pushing for the adoption of policies and procedures which help to ensure end point security. So, what specific types of threats are they facing and how do they best ensure that they are adequately protected?

Laptop Losses

Historically, the use of laptops, often by mobile workers, has generated many of the most serious end point security threats to organisations. This issue dates back to the late 1990s when businesses started to use such devices throughout the organisation. Laptops have always been too easy to leave behind, easily stolen and even more easily sold and re-used. Today, however, the implications are much greater because they generally store much more data than they did previously.

Throughout much of the 1990s, laptops with 20 Gigabit hard drives were still relatively uncommon. Now, many have capacities of 180-200 Gigabits, enough storage space for most, if not all, of an organisation's client database, intellectual property or financial data. Consequently, the volume of potential information loss has significantly increased.

When you consider that one Gigabit of data is roughly equivalent to six five-drawer filing cabinets of information, and that this quantity of information could be transferred onto a storage stick from a laptop or another IT device in approximately 11 seconds, it becomes clear how quickly and easily data can be stolen from an organisation.

And yet the scale of threat is not fully appreciated within many businesses. A major educational process needs to take place. Every single level of the business from reception to the CEO needs to understand what assets are at risk and how they can best be protected.

Mobile Workforce

Many of the security issues that affect businesses today also stem from the rise of the mobile workforce, particularly over the last decade. Analyst IDC projects that a billion workers around the world will be mobile by 2011, including nearly 75 per cent of the US workforce.

In the UK, there are now requirements within local government that a flexible working approach has to be in place allowing people to work more easily from home.

It is now possible to put in place secure mechanisms like IPSec Virtual Private Networks (IP VPNs) or, for added flexibility, Secure Sockets Layer VPNs (SSL VPNs) that protect information while in transit to and from the remote worker's workstation.

There are issues around whether businesses allow information to reside on the remote machine or whether it should always reside centrally. If data is allowed to reside remotely, then the next key question is, 'how long for?' If the answer is just for the duration of one particular session, then procedures need to be established to ensure that, when that session finishes, there is an automated process to 'clean up' after it.

Process First

Technical solutions are now available to help organisations address the full spectrum of end point security problems. However, businesses first need to assess the nature of their specific problem. They then need to put in place a comprehensive risk assessment. This typically will include quantifying their assets and establishing exactly what they are worth to the business.

Running alongside this, they should consider implementing a more rigorous approach to information security management. They might, for example, decide to use an ISO27001 process, which will offer a broad range of commercial benefits alongside a proven security methodology.

This is a cyclical rather than a linear process: the risks the business faces will change over time as new technologies and new security threats emerge, and the impact of security breaches will change too as the business acquires new assets.

Before an organisation commits to investing in end point security solutions, it needs to understand the risks it is facing and to carry out a detailed cost benefit analysis. Ultimately, the key to successful end point security lies more in the policies and procedures that organisations put in place, and in their commitment to raising employee awareness levels, than in implementing technology for its own sake.

The good news is that this is a lesson that directors across Europe are increasingly learning and the balance has swung in favour of taking preventative action. Potential losses from having failed to implement the correct security processes are now much greater than the costs of putting these processes in place. As a result, directors have been driving the uptake of stringent security measures and are now helping to usher in a new security conscious culture within the businesses in which they work.
