knowledge centre

Portable devices open up the home front

Halifax Insurance claims that a phone is stolen in the UK every 12 seconds, and that mobile phones are stolen in 40% of UK robberies. Pointsec says that in the six months before November 2006, Londoners left 54,874 phones, 4,718 PDAs, 3,179 laptops and 923 USB memory drives in taxis. Any one of those devices could have catastrophic repercussions for an employer if it contains sensitive or confidential information.

And if companies are not taking their responsibilities sufficiently seriously, the UK’s authorities are: Nationwide Bank, for example, was recently fined almost £1 million for not protecting customer information adequately. A laptop with confidential customer data was stolen from a Nationwide employee’s home. He reported the theft, but did not tell his employer what was on the computer until after a three-week holiday. Nationwide argued that as PINs were not included in the stolen data, there was no security risk to its 11 million customers.

The Financial Services Authority disagreed.

Banks and financial institutions tend to invest more heavily in physical security to protect their assets than in IT security controls, and even the best protected often fail to maintain an effective security configuration. Information must be secured against every potential means of compromise, regardless of where it resides: in data centres, on a laptop or PDA, or on storage media (including tapes, DVDs/CDs and memory sticks).

The only way to factor in all the potential risks is through a thorough risk assessment that ultimately results in an all-encompassing, enforceable security policy.

Most risk assessments are superficial and do not understand the technology in use, its role in the business, or the implications of its misuse. Mason encourages its customers to consider the risks of every environment in which their data could be used and stored.

Risk is conventionally defined as a function of the likelihood of a problem occurring and the impact if it does. Mason uses the scheme put forward by the UK’s e-Government Unit to produce a meaningful assessment by grading the levels of potential threat, vulnerability and impact. Mason drills down into the implications, assessing three aspects:

  • Confidentiality – ensuring access to data is authorised
  • Integrity – ensuring no one can tamper with the data
  • Availability – ensuring the data is accessible when required.

So, for example, we look at where devices holding confidential information will go and how they will be physically secured: in a car boot, or in a safe? If the physical protection is overcome, what then? Is the impact great enough that encryption should be deployed on the laptop, say, so that even if it is stolen it is of no use to the thieves?
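The likelihood-and-impact assessment described above, worked through as a small risk register. This is an added example, not Mason's tooling or the e-Government Unit's published scheme: the three-level grading scale, the scenarios (a laptop in a car boot, the same laptop in a safe, and the car-boot laptop with full-disk encryption) and the threshold at which encryption is recommended are all constructed assumptions for illustration.

```python
"""Worked risk assessment for a portable device across the environments it visits.

Risk per aspect = threat level x vulnerability level x impact level, each graded
low/medium/high. The scale and scenarios are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed ordinal scale (the page names the e-Government Unit scheme but gives no levels).
LEVELS = {"low": 1, "medium": 2, "high": 3}
ASPECTS = ("confidentiality", "integrity", "availability")

# Assumed threshold: any aspect scoring at or above this needs a further control.
ACTION_THRESHOLD = 18


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: str          # how likely is an attempt (theft, loss) in this environment
    vulnerability: str   # how likely is the attempt to succeed given current controls
    impact: dict         # aspect -> impact level if the attempt succeeds


def likelihood(s: Scenario) -> int:
    """Likelihood combines the threat level with how exposed the device is."""
    return LEVELS[s.threat] * LEVELS[s.vulnerability]


def risk(s: Scenario) -> dict:
    """Score each CIA aspect separately, since controls affect them differently."""
    return {a: likelihood(s) * LEVELS[s.impact[a]] for a in ASPECTS}


def with_encryption(s: Scenario) -> Scenario:
    """Full-disk encryption makes stolen data unreadable, so the confidentiality
    impact drops to low. The device is still gone, so availability is unchanged."""
    return Scenario(
        name=f"{s.name} + encryption",
        threat=s.threat,
        vulnerability=s.vulnerability,
        impact={**s.impact, "confidentiality": "low"},
    )


def recommendations(s: Scenario) -> list:
    """Name the aspects whose residual risk still exceeds the action threshold."""
    return [a for a, score in risk(s).items() if score >= ACTION_THRESHOLD]


# Constructed scenarios for one laptop holding customer records.
CAR_BOOT = Scenario(
    "laptop in car boot", threat="high", vulnerability="high",
    impact={"confidentiality": "high", "integrity": "medium", "availability": "medium"},
)
SAFE = Scenario(
    "laptop in office safe", threat="high", vulnerability="low",
    impact=CAR_BOOT.impact,
)


def risk_register(scenarios) -> list:
    """Return (name, scores, outstanding aspects) sorted by worst aspect first."""
    rows = [(s.name, risk(s), recommendations(s)) for s in scenarios]
    return sorted(rows, key=lambda r: max(r[1].values()), reverse=True)


if __name__ == "__main__":
    for name, scores, todo in risk_register([CAR_BOOT, SAFE, with_encryption(CAR_BOOT)]):
        print(f"{name:32} {scores}  needs control on: {todo or 'nothing'}")
```

Running the register shows why the question in the text matters: the unencrypted laptop in a car boot scores highest on confidentiality, encryption removes that aspect from the action list, and what remains is the availability problem, which encryption cannot solve and which points at backups rather than more cryptography.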

Security measures must be underpinned by training staff and making them aware of the dangers. Unfortunately, such training rarely includes senior executives or people who have been in their jobs for a long time. Arguably, they are the biggest risks of all.

Certainly many companies have undertaken risk assessments in the past, but the proliferation of portable devices with far larger memories, widespread wireless connectivity (3G/GPRS, WiFi, Bluetooth) and the rise of homeworking mean that data is now on the move in a way business has never experienced before.