
Daan-Jeroen Hakkert, EMEA Channel and Business Development Manager for McAfee Data Protection, gives his opinions on the significance of data protection.
BM. Data protection is currently a huge focus for companies worldwide – but many are still not doing enough. Why do you think this is? And what risks do the unaware need to be made aware of?
DH. Despite the recent spate of security breaches, IT security is still not being taken seriously, IT budgets are still not focused on the issue and shockingly some companies are still lacking any firm policies. Businesses really need to start asking themselves where the real IT security threats lie and implement policies that will mitigate the risk of losing data.
The biggest threat to corporate data is the employee. Many employees still connect external devices to the network and transport unencrypted data on USBs and other mobile devices. Having a policy in place to prevent this is simply not enough. It needs to be accompanied by education and clear communication around the policy itself and the consequences of a breach. All too often we see IT managers relying on passive methods of communicating policy (e.g. memos, internal newsletters and emails). In effect, IT security adherence is being based on the hope that employees read the document sent to them, which is often not the case. This is putting corporate data at great risk.
BM. What’s your view on the current state of data protection in the Middle East? Is there enough focus on the key issues, or does more need to be done?
DH. Human ignorance is a key factor placing data at risk and little is being done to rectify the situation. In today’s business environment, information is power and the price placed on corporate data is immeasurable, especially in the fast growing global economic hub that is the Middle East.
C-level managers need to realise the risks and develop strategies and communication methods to mitigate the risks and keep their company data secure. Companies must take more proactive measures to educate their employees to understand the implications of security and the consequences if safety is breached or compromised. Businesses need to show more common sense.
The Middle East needs to develop a holistic approach to security and the reporting of data breaches. This will provide more focus on the serious issue and give direction to companies lagging behind in the security battle. The Middle East should look to the US; since 2003, Californian law has stipulated that all companies must report identity theft and inform individuals of the fact that their personal data has been stolen or lost. Other states have followed in their footprints. Legislation of a similar nature should certainly be a key consideration and firmly on the agenda. Without the legal requirement to report security it is further down the CEO’s agenda, leaving corporate data at huge risk.
BM. What would be your main advice to IT executives regarding the protection of sensitive data?
DH. There are many ways to protect sensitive data. For example, there are strategies that instruct users to not store data in certain areas of the network or on mobile devices and home computers. This strategy, however, leaves the decision to comply or not with the end-user and limits the users’ day-to-day operations. Companies in today’s economic and business climate prefer not to have this as a solution, in part because history teaches that this is neither trustworthy, nor totally effective.
A more effective way to secure sensitive data is to put technical measures in place, specifically devices and content-based data encryption. When correctly designed and implemented this can secure data very effectively without interfering with end-users’ day-to-day operations. Even more importantly, it can enforce policies upon the end-user, ensuring compliance.
Accepting laptop or identity theft as part of life does not mean that all common sense is thrown out of the window. Protect, educate and encourage: these three things will help workers to understand that the danger can be avoided if there is just a little more common sense and less apathy. It is not acceptable to lose a laptop that could cost a company millions of pounds and no one would let someone have complete access to their personal information, so why would they at work?
BM. It seems that most data leakage is the result of carelessness or poor business processes rather than the result of theft. What technologies are available to help companies protect themselves from themselves?
DH. In 2007, Gartner reported that IT security over-protects the wrong assets, overreacts to the unexpected and overspends. Security 3.0 is here; a clearer-eyed approach to risk management that applies resources appropriately and moves away from the ‘bolting on’ that’s ruled our approach to security for too long.
Repeatedly we hear of threats relating to people hacking into networks. The reality is that hacking is a complex process that requires intricate timing. Of course this is a possibility and cyber criminals are evolving with the security developers, but a bigger threat comes from mobile devices; data theft from a mobile device left in a taxi or on the tube is an easier target and has the potential to leak much more information.
We need to start making investments based on risk calculation. The likelihood of someone leaving an unencrypted mobile device such as a USB in a café is becoming a far more serious threat.
As such, safeguarding information on all kinds of data media should be placed higher on the agenda. Businesses should realise that data is the nucleus of their operations and therefore should be treated as such.
BM. McAfee have reported that in recent years cyber attacks have become more sophisticated in their nature, progressing from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage. Will cyber attacks eventually replace conventional warfare?
DH. Cyber criminals are getting more sophisticated and targeted in their attacks and Governments and allied groups worldwide are using the internet to spy on their enemies, target critical systems, financial markets and government computer networks. Attacks have progressed from initial curiosity probes to funded and highly organised political, military and economic operations.
The internet is a great tool for gathering intelligence. A recent example was China in 2007. China was accused of launching attacks against the US, Germany and Australia. And China was not alone in its web espionage operations.
However, cyber attacks will not replace conventional warfare, but instead be an extension to it with countries using the technology in all operations. Governments are bound to license cyber criminals to attack enemies, for example state sponsored malware.
BM. It has been said that the Middle East is currently experiencing a data explosion. What is your experience of this and how can you help firms manage and protect their data in this situation?
DH. The Middle East is increasingly becoming a global economic hub and this has consequences for data. In recent years we have seen an explosion of data being produced and stored in the region and companies really need to start getting smart with safeguarding it. Loss of data can have colossal financial implications, not to mention the embarrassment it brings to a company.
Today, data is globally at risk of loss and exposure. Preventing accidental or malicious loss of your critical data is not difficult. It is possible to protect this sensitive data with end-to-end security using tools such as encryption, authentication, data loss prevention and policy driven security controls.
Daan-Jeroen Hakkert is EMEA Channel and Business Development Manager for McAfee Data Protection. Hakkert expanded the company’s reach in the Middle East and African market by identifying new market opportunities. He plays an important role in the business development of channel sales in EMEA, with a focus in the Middle East region.