
Have your most critical documents 'Left the building'?
 
You know where your Customer list is, right? All your other sensitive, business-critical, documents and data? Of course they’re on your PC or server - but where else are they? Have they 'left the building' - would you even know if they had? This is a key question asked by US security expert Jack Gold in a recent article: "When Data Goes Missing: Will You Even Know?" (http://computerworld.com/securitytopics/security/story/0,10801,107967,00.html).

This everyday threat has been almost completely off the radar. No sensible business of any size would consider putting its IT on the road today without the proper protection: Firewall, Anti-Virus, Anti-Spyware, and all the rest that we need to keep safe.

Meanwhile we have been blithely ignoring an increasingly glaring problem - a data-highway that is faster than the Internet and has been completely unprotected. The quiet revolution that has brought about the 'iPod Generation' also brings with it a threat that we ignore at our peril - opening the floodgates for a deluge of information leaks and security threats that simply can’t be ignored.

It's not just iPods either. Flash memory devices have increasingly massive capacity - up to 4 Gigabytes or more - and come in all shapes and sizes - from an SD card the size of a postage stamp (or the even tinier TransFlash card that fits unobtrusively into my phone) through to wrist watches, MP3 players, pendrives and even mobile phones, including the 8Gb model recently announced by Samsung (http://mobilementalism.com/2006/03/07/cebit-2006-samsung-to-launch-sgh-i310-8-gigabyte-mobile-phone/). They're hard to spot with the naked eye - and virtually impossible to exclude. Not to mention increasingly cheap - with a Gigabyte now available in retail for under £20 if you know where to look (www.ebuyer.com/customer/products/index.html?action=c2hvd19wcm9kdWN0X292ZXJ2aWV3&product_uid=83430).

It's a fact of life that many staff members starting a new job, often with a competitor, routinely remove sensitive data from company systems – and they know they are leaving well before you do. In a recent survey 70% of employees admitted taking information from work to which they were not entitled. As Computer Weekly has commented “anyone planning to leave will remove most of the information they want well in advance.”

www.computerweekly.com/Articles/2006/03/22/214861/Leavingdoforyourdata.htm

The threat has been growing with the take-up and increasing ubiquity of the devices - last year Gartner Research drew attention to this, saying "Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices". “These are ideal for anyone intending to steal sensitive and valuable data. Employees may also be responsible for losing data if they inadvertently mislay these devices. The impact of this goes beyond the commercial value of the data.”

So there are very obvious commercial imperatives to tackle this - not to mention important obligations under the UK's Data Protection Act - yet even the most sensitive of data, such as medical records, often remains exposed to this day.

CASE IN POINT: A major UK Hospital Trust - Bolting the door after the horse...

With a long history consulting in IT and security for the NHS I was unexpectedly approached (having been inactive with the NHS for some time) by a major Hospital Trust who - for reasons which will become readily apparent - prefer not to be identified. They wanted to review and tighten security in the light of recent events and had heard that I was working in the area of what has become known as 'endpoint security'. The NHS, as the biggest employer in Europe, is not immune from the problems which can affect any organisation when staff misbehave. Needless to say they have custody of a lot of very sensitive data about patients - not to mention staff. Their network of over a thousand PCs is now protected, and staff are aware that all data transfers to and from each PC are monitored and recorded, and unauthorised transfers are forcibly prevented.

With the tools now at our disposal it’s simple and cost effective to prevent this sort of routine abuse – it’s almost criminal not to!

Barry James, the UK’s leading expert in the emerging field of mobile applications and endpoint security, will be presenting a seminar for MerIT at the International Centre for Digital Content (ICDC) on 31st May. To register call 08700 663 994 or visit www.merit.org.uk

Barry can be contacted at barry.james@takeware.co.uk
 
For more information on this news item go to www.takewaregatekeeper.co.uk

