
Looking at how organisations are playing dangerous games by not instigating mandatory security protocols and how employees continue to bask in ignorance.
2007 was a vintage year. Not necessarily for wine, but for security stories. The last six months in particular saw a steady stream of security breaches hit the headlines, mainly from government. 2008 is no different. Each breach seemed to follow a common theme – employee errors and poorly communicated security policies.
In each case, the government had laid out stringent security policies but workers either knew nothing about them or blatantly ignored them. Either way, the end result was disastrous and, worryingly, all signs point to an integral problem facing the modern organisation – the ‘human factor’. How does one enforce a culture of secure data management?
What happened to common sense?
Clearly common sense should dictate that an employee does not take a laptop, PDA, USB stick or any mobile device off-site with unencrypted data on it. This action is tantamount to going to the shops and leaving your car door open. Yet as stupid as this seems, it happens every single day.
With the explosion of mobile devices and their increased storage capacity, the mobile threat is growing. This threat is driven by data availability. Copying information from a secure network onto a mobile device is a sure way of inadvertently making that data available to whoever ends up holding the device. Yet workers routinely leave the office with sensitive information on their mobile devices, and that data becomes an open target for criminals.
So why, when the threat is so easy to understand, do we see this happening over and over again? It’s a puzzle, especially as recent research found that 82 per cent of companies have a security policy in place.
‘Human factor’
This puzzle goes some way to being solved when you look at employee behaviour. A survey of 1,000 IT managers highlighted employees as one of the biggest threats to data leakage. When put to the test, IT managers felt that over half of all employees (54 per cent) ignored security due to a lack of understanding or not taking it seriously. This statistic is even higher in the public sector, with 80 per cent ignoring policies (McAfee Data Protection, 2007).
Companies acknowledge the fact that workers will continue to disregard protocols and take sensitive information out of the office on unprotected devices (i.e. personal PDAs). But what are they doing to tackle the issue?
Education
There is a serious disconnect in thinking and communication. Human ignorance is still playing a huge role in placing data at risk, and little is being done to rectify the situation. In today’s business environment information is power and the price placed on corporate data is immeasurable. It’s not just a question of where the risk is, but who should take responsibility. C-level managers need to realise this and take proactive steps to mitigate the risks by educating all of their employees.
Not all employees can be security experts; in fact a very small percentage are. As such, more time needs to be taken to explain security policies fully, or companies face the risk of sensitive corporate data being lost. More emphasis must be placed on ensuring that employees know how to adhere to security policies, and it is up to senior managers to make sure this happens. Some 98 per cent of IT managers rely on passive methods of communicating policies to their employees, such as memos (34 per cent), emails (29 per cent) or internal newsletters (18 per cent). In effect, IT security adherence is being based on the hope that employees read the documents sent to them, which is often not the case.
Businesses cannot hold their employees completely accountable if they have not provided proactive education, giving an understanding of the implications of ignoring policy and laying down exactly how the security works. This should ensure security buy-in from all employees.
Technology implementation and encryption
So common sense, combined with education, should go some way to mitigating the risk. However, the main concern is that more often than not the data leaving a workplace is not encrypted as the company’s security policy requires. Having a security policy in place is all well and good, but it needs to be implemented by IT managers and C-level executives.
An effective way to secure sensitive data is to put technical measures in place, specifically device- and content-based data encryption. When correctly designed and implemented, this can secure data very effectively while not interfering with end-users’ day-to-day operations. Even more importantly, it can enforce policies upon the end-user to ensure compliance.
Conclusion
Of course, having a policy in place and educating employees cannot offer complete safety, but communicating policy properly to all employees and making data security part of the culture of the business is a big leap in the right direction.
Protect, educate and encourage: these three things will help workers to understand how the danger of data leakage can be avoided if there is just a little more common sense and less apathy. It is not acceptable to lose a laptop that could cost a company millions of pounds, and no one would let someone have complete access to their personal information, so why should they let their organisation’s data be so readily available?
Hopefully, 2008 will not prove to be such a vintage year if these measures are adhered to.
McAfee Data Protection’s top security tips:
1 – Tablet PCs, laptops and desktop PCs should always use Full Hard Disk Encryption to protect all data stored on them – failure to do so is like leaving the keys in your car ignition!
2 – PDAs are easy to lose and steal, so it is better to be safe than sorry. Make sure you use PDA Encryption to protect sensitive data stored on your PDAs and their removable media cards.
3 – Corporate networks are alive with ‘illegal’ devices, such as iPods, personal PDAs and USB sticks. Ensure that Device Control software is deployed to control these devices and their accessibility.
4 – USB sticks are great for storage, but are a security nightmare – they can be used for corporate espionage (extreme case) or easily lost. Use hardware encrypted USB data storage devices to protect sensitive data and keep your company safe.
5 – Finally, file servers are at the heart of any business. Protect and control the data stored on your file servers by using group and user based persistent File & Folder Encryption.
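The five tips above are only useful if someone checks the estate against them. As an added example (not the article’s or McAfee’s code), the script below audits a constructed asset inventory against each tip and reports every gap with the tip number it violates, listing devices that leave the site first, since an unencrypted laptop or PDA walking out of the door is the article’s central risk. The asset fields, encryption labels and sample records are all assumptions made for the example.

```python
# Added example: audit an asset inventory against the five encryption / device-control tips.
# Field names, encryption labels and the sample inventory are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Encryption states an inventory system might record for an asset (assumed labels).
NONE = "none"
FULL_DISK = "full_disk"        # tip 1: full hard disk encryption
DEVICE = "device"              # tip 2: PDA encryption
HARDWARE = "hardware"          # tip 4: hardware-encrypted USB storage
FILE_FOLDER = "file_folder"    # tip 5: persistent file & folder encryption

ENDPOINTS = ("laptop", "desktop", "tablet")   # hosts where device control (tip 3) applies

# Which encryption state each asset kind must have, and the tip that requires it.
REQUIRED: dict = {
    "laptop": (FULL_DISK, 1),
    "desktop": (FULL_DISK, 1),
    "tablet": (FULL_DISK, 1),
    "pda": (DEVICE, 2),
    "usb_stick": (HARDWARE, 4),
    "file_server": (FILE_FOLDER, 5),
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                          # laptop, desktop, tablet, pda, usb_stick, file_server
    encryption: str = NONE
    media_cards_encrypted: bool = False  # PDAs only: removable media cards (tip 2)
    device_control: bool = False         # endpoints only: device control agent deployed (tip 3)
    leaves_site: bool = False            # asset is routinely taken off-site


@dataclass(frozen=True)
class Finding:
    asset: str
    tip: int            # 0 means the asset kind is not covered by any tip
    detail: str
    off_site: bool = False


def audit(assets: List[Asset]) -> List[Finding]:
    """Return one Finding per policy gap, off-site assets first, then by tip number."""
    findings: List[Finding] = []
    for a in assets:
        rule: Optional[Tuple[str, int]] = REQUIRED.get(a.kind)
        if rule is None:
            findings.append(Finding(a.name, 0, f"unknown asset kind {a.kind!r}, not covered by policy", a.leaves_site))
            continue
        required, tip = rule
        if a.encryption != required:
            findings.append(Finding(a.name, tip,
                                    f"{a.kind} recorded with {a.encryption!r} encryption, policy requires {required!r}",
                                    a.leaves_site))
        if a.kind == "pda" and not a.media_cards_encrypted:
            findings.append(Finding(a.name, 2, "removable media cards in PDA are unencrypted", a.leaves_site))
        if a.kind in ENDPOINTS and not a.device_control:
            findings.append(Finding(a.name, 3,
                                    "no device control agent; USB sticks, iPods and personal PDAs are uncontrolled",
                                    a.leaves_site))
    # Gaps on devices that leave the building are the ones that turn into headlines: list them first.
    findings.sort(key=lambda f: (not f.off_site, f.tip, f.asset))
    return findings


def compliant(assets: List[Asset]) -> List[str]:
    """Names of assets with no findings, in inventory order."""
    flagged = {f.asset for f in audit(assets)}
    return [a.name for a in assets if a.name not in flagged]


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    Asset("LAPTOP-042", "laptop", NONE, device_control=True, leaves_site=True),
    Asset("DESK-117", "desktop", FULL_DISK, device_control=False),
    Asset("PDA-007", "pda", DEVICE, media_cards_encrypted=False),
    Asset("USB-3", "usb_stick", NONE),
    Asset("FS-01", "file_server", FILE_FOLDER),
    Asset("TAB-9", "tablet", FULL_DISK, device_control=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        prefix = "OFF-SITE " if f.off_site else ""
        print(f"{prefix}{f.asset}: tip {f.tip}: {f.detail}")
    print("compliant:", ", ".join(compliant(SAMPLE_INVENTORY)))
```

Run against the sample inventory, the unencrypted off-site laptop is reported first, followed by the PDA with unencrypted media cards, the desktop without device control and the unencrypted USB stick; only the file server and the encrypted tablet come out clean. Feeding the audit from a real asset register (rather than the constructed list) turns the tips into a repeatable check instead of a memo nobody reads.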