Firms should look closer to home for data loss

14 Aug 2008

The recent loss and theft of laptops belonging to both Bank of Ireland Life and the Irish Blood Transfusion Board attracted headlines. But Michael Conway (pictured) of Renaissance Software is still not convinced Irish firms know the real dangers

Surely the negative publicity surrounding the loss of laptops from the Blood Transfusion Service and Bank of Ireland Life has made businesses encrypt their laptops?

Big deal. If you encrypt laptops, all you are doing is making sure there’s a good chance that your business’s data can’t be compromised. That’s only the external threat, most firms haven’t managed the internal threat.

If they are encrypting data, they should be looking at it in a more efficient way. If someone needs access to sensitive data, should he or she have rights to copy it out or email it?

If I have the most stringent encryption, what’s to stop someone just copying the files onto USB and taking them out of the business?

But don’t they have to get into the business first or have access to the laptop?

Most companies just pay lip service to data security and IP (internet protocol) protection. Even when you highlight the risks, threats and vulnerabilities, people say ‘It will never happen to me’, then they panic.

If data is sensitive, then it needs to be encrypted to ensure there’s no way anyone can take it out of the organisation. Businesses should be looking at data in a controlled way, encrypting data that needs to be encrypted, not just laptops.

So would you say the threat to businesses is greater than staff losing laptops or sending disks in the post?

Yes. My laptop has SD slots, Bluetooth, infrared and wireless – and in my office I have an all-in-one printer with more memory slots, wireless and USB. I can take stuff out all over the place.

I recently performed a demo for an organisation where I would stick a standard USB key into a PC with a piece of software on it that would make it suck the last 10 Microsoft documents that were opened on that computer. Someone can access that data overtly or covertly.

This is dead easy for someone to put together. If I went into any organisation with an open plan office – like a newspaper office – posing as a cleaner or repair person, nobody is going to see anything.

I could go around to 10 PCs in one department and suck the last 10 documents that were opened on a number of machines. I could know what’s going on in any department very quickly. If I was a competitor, I could give someone €1,000 to go in and do that. And most businesses would be none the wiser.

So what should firms be doing to avoid such leaks?

There’s technology available to allow a business to shadow important information and for any reason if it is taken away from where it should be, whether by email or USB or wireless hacking, an alert goes out.

In real terms, businesses need to be in a position to follow that vital data, whether it leaves the building on a laptop or other means. There are real threats and real solutions such as remote destruction of data and that is the biggest issue we would have at the moment.

A good example of what can go wrong is where TK Maxx was hacked and significant credit card information on 46.6 million customers was compromised and that was through poor security structures and practices. The thieves sat outside in the car park with a laptop and hacked in through the wireless network.

It comes down to people paying lip service to security instead of really doing something active about it.

By John Kennedy

Pictured: Michael Conway of Renaissance Software

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years