Data Security - It's a responsibility, not an option...

Wednesday, April 07, 2010

Ian Barrs


"We need to talk about security, it's becoming an issue." 

This is a line that would draw a blank on many a CEO's face, even today.

"We've got strong password policies, and no-one's allowed to use USBs", the CEO may burble.

If that's your last line of defence, and you merely trust people to follow the rules, you're heading for trouble. With even the strongest password discipline, if your laptop came into my hands, I could be into any account stored on that machine within 90 seconds. Most IT professionals could. 

I've worked with companies who have had administrators leave, and they've needed to recover the passwords - there are non-nefarious reasons for many skills and tools. Likewise, data isn't normally lost through any mal-intent. They never meant for it to happen, they just thought it'd be OK.

In most organisations, it's a long time since the IT department was raised from laughing-stock status and the begrudged space in the basement.

Business has generally embraced what IT can do, and how it can best use the seemingly endless wealth of new applications and services, offering new capabilities, new ways of doing business, easier and cheaper access to customers, and a more mobile and profitable workforce. 

However, the way the business responds to IT requests depends greatly on the driving force behind them.

When it comes to technology changes and new systems in the Sales & Marketing division, the chances are that the users or the business unit itself initiated that particular piece of work. They stand to gain from it, and, as is the nature of such personalities, they are eager to get the deal done once the decision is made, so the driving force behind the project is generally entwined with the powers-that-be.

When it comes to Support, it's a bit more difficult. While the reason for change may have come from the business itself, most often in Support, it is the users - and sometimes customers - who request the change. Depending on who stands to gain, and who initiated the request, there are chances that you'll come up against a bit of resistance. Due to the nature of business cost models, in a lot of cases the Support departments are not considered profitable, or the value of their service to the business is misjudged, and so costly changes are seen as not having a sound financial business case.

With great power, comes great responsibility. 

When it comes to internal IT Security and all it entails, there's a definite sense of the laughing-stock days; amongst technicians it's well known that security is seen as a hindrance, and thus ignored and brushed under the carpet, until it becomes a direct problem.

Frankly, in a lot of cases the problem also stems from a lack of a sense of responsibility from IT staff and administrators. Further up the chain, often the people with the most sensitive information and the most reason to protect their computing equipment, such as the CEO, CFO, CTO and other senior managers, are under the impression that they shouldn't be subject to the same controls as the rest of their staff; that they are somehow more responsible, and less likely to break the rules, make a mistake, or experience loss or theft.

These people often find it quite offensive if you suggest it's for their own good as well as the company's good, and peremptorily order you to do as they say. The likelihood is that the director in charge of your department is going to back up his boss on this, and so you're left with little choice. I have personal experience of this, in more than one company. Frankly, some of them know they'd fall foul of the new policies themselves. 

The troubling thing is, while this attitude is most abundant amongst SMBs and charities, there are also a great many large and corporate businesses, local authorities, and government bodies and agencies that are proving themselves either to pay lip service to their own policies, or simply not to have a responsible enough policy, written or architectural, to protect themselves and their customers against data loss.

Data Security is not an option, and should not be considered a hindrance

Take this scenario; You've got budget for upgrades, and thanks to some great new cloud-based solutions and some fabby open-source projects, you've decided to migrate your HR system and combine your CRM and Sales & Marketing databases and spreadsheets into something more manageable. It looks daunting, but you're certain the benefit is going to be immense, and it's money well spent. (At this point, you've probably already put a few internal security suggestions on hold due to a lack of perceived benefit vs cost; also, perhaps they'll involve a more difficult user experience).

You consider all the angles and all the options, run the IT guy(s) ragged making sure everything is up to par, ship shape and hunky dory. One of your biggest concerns is the safety of your data, and the security of the new systems... are they encrypted? Secure location? Backed up? SLAs? Guarantees? so on, and so forth.

Several months later, your Business Analyst rushes off the train - she's late picking the kids up, damned trains - and in the process of loading up the boot, leaves her notebook wallet on the wall. It's such a tiny thing, it's understandable she missed it.

You shake your head when you hear about the loss and then, bemoaning the stupidity of your staff, sign off the PO for a new laptop. End of subject.

If they're worth any money, your IT guys aren't so happy to brush this off. They know the systems, and can see the activity logs of poor Ms BA. She was working on a report that the CRM system simply wasn't capable of running, so being a bit of a Crystal whizz, she extracted the entire customer and invoicing database to a handy Excel CSV file.

That's bad. But there's every possibility it could get worse; it depends on the inadequacy of your local, in-house security measures. The ones that the IT guys might have been harping on about for a while. To be fair, I've met many a clueless "IT Guy", so we shouldn't really point the finger; this is all conjecture.

Imagine all the Excel files you've ever had on your machine, how much sensitive information has entered your inbox. All those archives. All those VPN connections to clients that you checked the Save Password box on; and the pcAnywhere Remote Host Connections. 

All those handy bookmarks, and saved passwords to the online CRM, HR and Accountancy system. All those OneNote or TomCat notes that were just supposed to be temporary, that you never stopped using. The extracts you took, and the Offline Files cache of the company network drive.

Those casenotes, CAD drawings, and contact details. 

Those files you could never stop saving to Desktop, My Documents or the C: drive. The ones you never backed up.

It's more than a loss of data, it's more than a loss of equipment. It's a loss of time, money, private details and core information that your business relies on. It's forgotten websites, sources and suppliers. Forgotten accounts, forgotten leads. Forgotten enquiries and follow-ups. Lost documents you may never get back again.

Basic data security, encryption and backup are *not* difficult. Enforcing local computer policy to remove the possibility of human error isn't difficult, nor is backing up and encrypting the contents of the hard drive. Setting a power-on password is not difficult. Employing a system that can destroy the contents of the hard disk if it's stolen is also not that difficult. You just need to take the problem seriously, and start asking questions.
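One of the questions worth asking before a laptop goes missing is "what extracts are sitting unencrypted on it?" The script below is an added example, not part of the original article: it walks a directory tree, looks at every CSV it finds, and flags the ones whose column headers or cell contents look like a customer or invoicing extract of the kind Ms BA pulled out of the CRM. The header keywords, the risk weighting, the sample files and the paths are all constructed for the illustration; in practice you would point `find_extracts` at the user profile folders (Desktop, My Documents, the Offline Files cache) and feed the report into the encryption and backup conversation.

```python
import csv
import re
import tempfile
from pathlib import Path

# Constructed detection rules: header fragments that suggest customer,
# invoicing or HR data has been exported from a line-of-business system.
SENSITIVE_HEADERS = ("email", "phone", "invoice", "card", "salary", "dob", "address")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
# UK-style numbers only, for the illustration; no word boundaries because
# '+' is not a word character and would defeat \b after a comma.
PHONE_RE = re.compile(r"^(?:\+44|0)\d{9,10}$")


def score_csv(path, sample_rows=200):
    """Summarise how much a CSV file looks like a sensitive data extract.

    Only the header and the first `sample_rows` rows are read, so the scan
    stays cheap on large exports.
    """
    with path.open(newline="", encoding="utf-8", errors="replace") as fh:
        reader = csv.reader(fh)
        header = [h.strip().lower() for h in next(reader, [])]
        flagged = sorted(h for h in header if any(k in h for k in SENSITIVE_HEADERS))
        emails = phones = rows = 0
        for row in reader:
            rows += 1
            for cell in row:
                cell = cell.strip()
                if EMAIL_RE.match(cell):
                    emails += 1
                elif PHONE_RE.match(cell):
                    phones += 1
            if rows >= sample_rows:
                break
    # Constructed weighting: a matching column name is strong evidence of an
    # extract; individual e-mail/phone hits add a little each.
    risk = 10 * len(flagged) + emails + phones
    return {
        "path": str(path),
        "flagged_headers": flagged,
        "emails": emails,
        "phones": phones,
        "rows_sampled": rows,
        "risk": risk,
    }


def find_extracts(root):
    """Return scored CSV files under `root` that show any sign of PII,
    highest risk first. Files with no signal are left out of the report."""
    hits = []
    for path in Path(root).rglob("*.csv"):
        if not path.is_file():
            continue
        summary = score_csv(path)
        if summary["risk"] > 0:
            hits.append(summary)
    return sorted(hits, key=lambda s: s["risk"], reverse=True)


def build_sample_tree():
    """Create a constructed 'My Documents' tree with one CRM-style extract
    and one harmless regional summary, and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="docs_"))
    (root / "reports").mkdir()
    # Constructed customer extract; 07700 900xxx numbers are reserved for
    # examples and the addresses use example.* domains.
    (root / "reports" / "customers.csv").write_text(
        "customer_id,name,email,phone,invoice_total\n"
        "1001,Alice Example,alice@example.com,07700900123,1250.00\n"
        "1002,Bob Example,bob@example.org,07700900456,80.50\n",
        encoding="utf-8",
    )
    # Constructed aggregate with nothing personal in it.
    (root / "regions.csv").write_text(
        "region,total\nNorth,100\nSouth,200\n", encoding="utf-8"
    )
    return root


if __name__ == "__main__":
    for hit in find_extracts(build_sample_tree()):
        print(f"{hit['risk']:>4}  {hit['path']}  headers={hit['flagged_headers']}"
              f"  emails={hit['emails']} phones={hit['phones']}")
```

The header match is deliberately a substring check, so `invoice_total` counts as an invoice column; tune `SENSITIVE_HEADERS` to the vocabulary of your own CRM, HR and accounts exports, and extend the loop to `.xlsx` with a spreadsheet library if that is where the extracts actually end up.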

To be continued...


Update: Since writing this article, there've been updates to the law. From the 6th April, the ICO (Information Commissioner's Office) will get powers to fine companies up to £500,000 for breaches of the Data Protection Act. About time, say I. Perhaps this will encourage companies and boards of directors to impose tighter security and tougher measures - but it's still a ways off, and there still needs to be a broader understanding and acceptance of what needs to be done, I believe.

Read The Register's piece on the new measures here;


Ian Barrs, April 2010

as originally posted on; 

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
