Protecting intellectual property and sensitive information is a major security concern for any business today—especially against the backdrop of workers needing to share documents and files with their colleagues, customers and partners daily. The problem facing IT professionals is that all too frequently these items contain confidential information, mandating the need for effective file encryption. But a good data-leak prevention platform will go several steps further down the security trail than adding simple file encryption to the smorgasbord that modern IT security systems have become—we have found that there is now a pressing need to create a secure platform for co-workers to collaborate.
If you are moving data around on a company network, protecting the information flow is a relatively easy task—with the right technology in place, of course. But the biggest headache that many company IT professionals face is the one posed by removable media. In a smaller-size company, chances are the IT department consists of one or two people—typically assisted by one or more local specialists—and the company chairman/MD makes decisions on which security systems to deploy. The headache for the company, however, is that relying on a single person to understand the nature of the multiple security threats that the modern technology landscape presents is asking for trouble, no matter how knowledgeable that person is in their given trade.
An experienced IT security manager would find it logistically impossible to make all the right decisions and review those decisions regularly, so expecting a chairman or MD to make the right decisions all of the time is a tall order. The bottom line is that much more needs to be done on the best-practice education front when it comes to security and governance in a small company. Even with the best planning and support available, the security framework that the small business has in place may be effective most of the time, but the devil is usually in the details—meaning the security framework needs to be comprehensive if it is going to work well all of the time.
Removable media—in all its forms—is a potential security threat for most companies, as it is a relatively trivial task for a staff member to transfer large volumes of data to their portable media player or smartphone; even the most basic smartphones these days have around 16 gigabytes of data storage, and you can now buy a USB stick with this capacity for around $20. Small wonder, then, that more and more PC users are relying on USB sticks (aka flash drives) and portable media devices to assist them in moving their data around.
Critics might argue that with the arrival of fiber-based broadband services, it is possible to store and move data around in a cloud-computing environment. Unfortunately, the asymmetric nature of modern broadband services—whether copper or fiber-based—means that the upstream speeds are often a small fraction of the data speeds seen on the downstream link. Put quite simply, it can take an hour or more to move a large volume of data into the cloud, whereas a similar transfer can be accomplished in a few minutes using a humble USB stick.
Until quite recently, many businesses did not allow unprotected USB sticks to be used in the workplace, preferring instead to use secure USB sticks sporting encryption and close integration with on-network security technologies. The advent of the 16GB budget smartphone—and, of course, the ubiquitous iPhone and iPad—has changed the landscape significantly in this regard. And with a seven-inch iPad and the iPhone 5 expected to arrive in stores within the next few months, the adoption levels of portable media devices in the workplace will continue to soar.
The good news here is that rather than using secure USB sticks, if we approach the data governance issue from the other side and impose layers of security when a portable device is plugged into the company IT system, we can still control the flow of data. For example, we can employ a set of block, read or read/write options depending on the workstation being accessed, the privilege of the account holder and the security policies that apply to a given business. This approach is particularly important in the modern business environment where people often take their work home with them. We therefore need to develop a security environment that allows them to work from home, as well as to work when they travel.
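The block, read or read/write decision described above can be sketched as a small rule evaluator. This is an added example, not code from the article or from any product; the rule table, group and role names, first-match ordering, default-deny fallback and organisation-wide ceiling are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    BLOCK = 0
    READ = 1
    READ_WRITE = 2


@dataclass(frozen=True)
class Rule:
    workstation_group: str  # "*" matches any workstation group
    role: str               # "*" matches any account role
    access: Access


# Constructed sample policy (hypothetical groups and roles), evaluated top-down.
RULES = [
    Rule("finance", "*", Access.BLOCK),      # no removable media on finance PCs
    Rule("kiosk", "*", Access.READ),         # shared machines: import only
    Rule("*", "admin", Access.READ_WRITE),   # administrators elsewhere
    Rule("office", "staff", Access.READ),
]
ORG_CEILING = Access.READ_WRITE  # business-wide policy cap (assumed)


def decide(workstation_group, role, rules=RULES, ceiling=ORG_CEILING):
    """Return the access a newly plugged-in device gets for this workstation and account."""
    for rule in rules:
        if (rule.workstation_group in ("*", workstation_group)
                and rule.role in ("*", role)):
            # The organisation-wide ceiling can only lower what a rule grants.
            return min(rule.access, ceiling)
    return Access.BLOCK  # default deny: anything not covered by a rule is blocked


if __name__ == "__main__":
    for ws, role in [("finance", "admin"), ("office", "admin"),
                     ("office", "staff"), ("office", "contractor")]:
        print(ws, role, decide(ws, role).name)
```

Putting the restrictive workstation rules first means a privileged account cannot override a locked-down machine, and lowering the ceiling tightens every rule at once.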
It’s interesting to note that in today’s business environment, many users are choosing not to take a laptop computer with them when traveling, as they know there will be a computer of some type available to them at their destination. Thus, they can rely on their smartphone to access their email while on the move. When they reach the distant office or hotel, they plug their USB stick into the computer and begin going about their business. The USB stick is a business enabler, so it’s essential that you develop a set of best data-security practices within your organization—and enforce them using on-network security.
Our observations suggest that where best practices are introduced to the security environment in a given business, those practices automatically set the scene for regulatory compliance. Backing up best practices in the security space is the need to enforce encryption at the remote end of a given connection, with enablement being the key. Managers also need to recognize that there are many different types of users—such as the chairman or the worker—in even the smallest of companies. We must enable and control their data, regardless of who they are.
Developing an effective security mechanism to defend the firm’s data in such situations requires that the security be cost effective without interfering with the user experience. The best solution is to design workflow into the process. By automating the technology and keeping a grip on the governance of that technology, it becomes possible to save on operating costs for the organization while maintaining the best levels of efficiency and security.
The interface to the security system also needs to be very similar to the current system if the company is to achieve stakeholder buy-in to the technology: the staff may not all understand how the security technology works, but they do understand why it is there. Obtaining such stakeholder buy-in means that staff can handle situations more effectively when things go wrong, with automated systems reporting back to the people in charge what is happening in real time.
If at all possible, the portable media technology also needs to have a “phone home” capability, both to track what is happening to the data while it is on the device in question and also to permit ongoing access to that data. This means that if the portable device does not contact headquarters regularly, access to the data on the device is automatically blocked and/or a remote wipe is carried out. Although this may sound like overkill for a small company and its trusted staff, managers need to be aware that today’s trusted employee could be tomorrow's competitor; in the event that a staff member is poached, all bets are off on the security of your data.
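The "phone home" rule above amounts to a lease that the device must keep renewing. The following added example (not from the article or any product) shows the device-side check; the 7-day and 30-day thresholds, the state fields and the clock-rollback handling are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds; the article gives no figures.
CHECKIN_INTERVAL = timedelta(days=7)   # silence tolerated before access is blocked
WIPE_AFTER = timedelta(days=30)        # silence after which the data is wiped


@dataclass
class DeviceState:
    last_checkin: datetime   # server time of the last successful check-in
    latest_seen: datetime    # highest clock value the device has ever observed


def evaluate(state: DeviceState, now: datetime) -> str:
    """Return 'allow', 'block' or 'wipe' for an access attempt at local time `now`."""
    rolled_back = now < state.latest_seen
    if rolled_back:
        # The local clock was set backwards, which would otherwise stretch the
        # lease; measure silence from the high-water mark instead.
        effective_now = state.latest_seen
    else:
        state.latest_seen = now
        effective_now = now
    silence = effective_now - state.last_checkin
    if silence >= WIPE_AFTER:
        return "wipe"
    if rolled_back or silence > CHECKIN_INTERVAL:
        return "block"
    return "allow"


def record_checkin(state: DeviceState, server_time: datetime) -> None:
    """Renew the lease using the time reported by headquarters, not the local clock."""
    state.last_checkin = server_time
    state.latest_seen = max(state.latest_seen, server_time)


def demo():
    """Constructed timeline: day 3, day 10, clock rolled back to day 2, check-in, day 12, day 45."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = DeviceState(last_checkin=t0, latest_seen=t0)
    results = [evaluate(state, t0 + timedelta(days=d)) for d in (3, 10, 2)]
    record_checkin(state, t0 + timedelta(days=11))
    results += [evaluate(state, t0 + timedelta(days=d)) for d in (12, 45)]
    return results


if __name__ == "__main__":
    print(demo())
```

A blocked device recovers by checking in again; a wipe decision is irreversible, so its threshold should sit well beyond normal travel or holiday absences.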
It’s also worth remembering that the penalties for failing to protect your company’s data are now a lot more than the cost of compliance. Yes, a good security platform will cost money, but far less than the cost of remediating a data breach.
About the Author
Jeff Sherwood is Vice President Americas of Cryptzone.