How should organisations prove that they can be trusted with sensitive data, and build a bond of trust with employees and partners? Terry Greer-King, UK MD for Check Point, looks at the issues.
"That won't happen to us, 'cause it's always been a matter of trust." This line from Billy Joel's 1986 hit single could easily describe the approach that many organisations have taken over the past five years to safeguarding the personal, confidential data that they hold.
With the numbers of data breaches reported increasing tenfold over the past five years, according to the Information Commissioner's Office, public trust in the ability of both private firms and Government organisations to safeguard personal information has fallen sharply.
In a December 2012 survey of over 2,000 members of the UK public, 50 percent said their trust in Government and public sector bodies was diminished as a result of these ongoing breaches and losses of personal data, while 44 percent said their trust in private companies was reduced. Naturally, we expect organisations to handle our personal data responsibly, and with care.
Who can you trust?
But a majority of us, as knowledge workers, don't always apply the same levels of diligence in our own working practices. The same survey found that 34 percent of workers regularly forward material to personal email accounts so they can continue working away from the office. 40 percent check work email regularly on personal phones, tablets or laptops; 33 percent carry work-related data on unencrypted USB memory sticks; and 17 percent use insecure cloud storage services such as Dropbox.
Furthermore, a quarter of all workers said they take these actions even though their company's IT policy specifically forbids them, while a further 23 percent weren't aware of what their company's policy stated.
Of course, in the vast majority of cases, there's no malicious intent by the employee - they are typically focused on being efficient and getting their jobs done, and no data is lost. But this has the unfortunate effect of reinforcing such risky actions.
In today's business and regulatory climate, organisations can't afford to continue down this path, because of the risk of reputational damage, financial costs, and of course, loss of trust.
So how do organisations close that 'trust gap', so that they can trust employees to handle data responsibly, and protect against simple human errors of misplacing a laptop, smartphone or device, or miskeying an email address? And how do organisations prove to external parties that they can be trusted?
Two-stage solution
A two-stage solution is needed: one that educates users about their actions in real-time, and also enforces security without the user being able to affect it or turn it off. We will look first at how email data breaches can be curbed; then at how data in documents can be secured, irrespective of the medium or device on which the document is being sent or processed.
Traditional Data Loss Prevention (DLP) solutions have tried to address the email issue, but with limited success. They usually take a long time to set up, with weeks of intensive 'training' needed to help the solution accurately classify an organisation's sensitive data and files, and also demand close involvement and intervention of IT staff in either allowing or blocking users' emails.
A different approach is to involve individual employees in the security process. This not only boosts user awareness of appropriate email usage, but also makes DLP truly preventative, alerting the user before they can send an email that may cause a loss incident.
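As an added illustration of the pre-send check described above (example code written for this page, not Check Point's product), the following Python snippet classifies an outgoing message with two simplified detectors and decides, before the message leaves the client, whether to allow it, hold it for the user's confirmation, or block it; the corporate domain, the personal webmail list and the sample values are constructed assumptions.

```python
import re

# Constructed example policy (assumptions for this illustration, not Check Point's product).
CORP_DOMAIN = "example.co.uk"
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk"}

# Simplified detectors: payment card numbers (confirmed with the Luhn checksum) and
# UK National Insurance numbers (two letters, six digits, suffix letter A-D).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

def luhn_ok(digits):
    """True when the digit string passes the Luhn checksum (filters random numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(body):
    """Return (category, matched_text) findings for the message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("payment card", m.group().strip()))
    findings += [("national insurance number", m.group()) for m in NI_RE.finditer(body)]
    return findings

def check_outgoing(recipients, body):
    """Decide before the message leaves the client: 'allow', 'ask_user' or 'block'.

    Sensitive content staying inside the corporate domain passes silently; sent to a
    partner it is held until the user confirms; sent to personal webmail it is blocked.
    """
    findings = classify(body)
    if not findings:
        return {"action": "allow", "findings": []}
    domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
    categories = ", ".join(sorted({c for c, _ in findings}))
    if domains & PERSONAL_WEBMAIL:
        return {"action": "block", "findings": findings,
                "prompt": "Blocked: %s cannot be sent to personal webmail." % categories}
    if domains - {CORP_DOMAIN}:
        return {"action": "ask_user", "findings": findings,
                "prompt": "This message contains %s. Confirm sending it externally." % categories}
    return {"action": "allow", "findings": findings}
```

The "ask_user" prompt is the point at which the user is educated in real time; logging the user's confirmation alongside the findings gives IT staff an audit trail without putting them in the approval path for every message.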
For your eyes only
Of course, email isn't the only vector for data leaks. Documents and other files easily become scattered across email inboxes (often replicated on smartphones, too), on laptops, in webmail or other cloud apps, and on removable storage. This multiplies the chances of an unsecured, sensitive document going astray, especially as encrypting an entire device is not always possible.
Traditional document security has meant password protection, but that offers almost no defence against freely available online tools designed to crack file passwords. What's needed instead is a method of securing the file using strong encryption, together with a method for granting access to those files based on user permissions.
This would enable documents in a variety of formats (Excel spreadsheets, Word, PowerPoint and Acrobat files, and others) to be created and secured, with different rights assigned to different users or groups of users. A basic default would be to ensure documents can only be read by authorised employees.
This two-stage approach to managing data and preventing losses closes off the most common data breach vectors, while communicating and enforcing the organisation's security policy to employees by entrusting them with some responsibility over their actions.
This also gives organisations an opportunity to reinforce their trustworthiness with stakeholders. After all, good business has always been a matter of trust.
Terry Greer-King is the UK MD for Check Point, a leading Internet security company.