
William Pound, VP Global Corporate Development at Absolute® Software Corporation, explains how financial organisations can stop sensitive data falling into the wrong hands.
Recent media preoccupation with data theft has pulled IT security to the top of the corporate consciousness. Stories about sensitive data stored on missing mobile devices are constantly hitting the headlines – a recent example being Suffolk District Council, where a laptop containing the personal details of 3,000 people was stolen. In many cases, laptops – and the data they contain – have been lost as a result of human error. No matter what the circumstance, the idea of confidential data getting into the wrong hands is enough to strike fear into any finance professional – especially in the current economic climate, where one fine for data loss can be the difference between surviving and buckling under the pressure of recession.
In many cases of breached data, the compromised computer has security measures, such as encryption and passwords, in place. However, these precautions are rarely enough to fully protect the highly sensitive data the devices contain. For example, according to Gartner, 70 per cent of laptop thefts are internal, meaning that the person stealing the laptop, and the information it contains, almost certainly holds encryption keys. If an unscrupulous individual does manage to access the data, the repercussions of losing the mobile device could be far greater than the cost of a laptop.
The data contained on a laptop is in most instances worth far more than the computer itself. According to research by McAfee and Datamonitor, the average laptop holds data valued at £550,000, and some could store as much as £5 million in commercially sensitive data and intellectual property.
Making sense of your assets
The key to protecting your mobile devices is efficient asset management. In an ideal world, businesses would know exactly where all mobile devices are, and who is using them, at all times. Unfortunately, this is rarely the case as employees use more mobile devices than ever before – and keeping track of them becomes increasingly difficult.
One of the toughest challenges facing IT departments is to understand which devices contain data that needs to be secured, who has them and where they are. As the world becomes ever more mobile, it is near impossible for IT departments to keep track of their assets at all times without secure IT asset management software in place.
Organisations, particularly those in the finance industry where the data in question is financial, need to take responsibility for the data on their mobile devices. This information is most often linked to customers or partners, thus the effect of a breach will not be felt solely by the organisation itself. To take responsibility, there needs to be set policy and traceability.
If an organisation has the ability to track down a missing computer, it can then take action to get it back or delete the sensitive data remotely. Without traceability, there is always the risk that any missing data it contains will turn up somewhere it shouldn’t.
Encryption limitations
Some organisations mistakenly assume encryption is all that is needed to protect their data. Although data encryption solutions are useful tools, they can easily be disabled or used incorrectly – if at all – by employees. When used alone, encryption can in no way guarantee that data is secure.
Research from the Ponemon Institute recently revealed that 50 per cent of (non-IT) business managers polled chose to disable the encryption solution on their laptops. It also revealed that 65 per cent of business managers either keep a written record of their encryption password, or share it with others in case they forget it. Both of these revelations significantly increase the risk of data and identity theft.
It is not just external threats that organisations need to worry about. A disgruntled employee with access to encryption passwords can easily obtain and abuse confidential information. This particular threat is on the rise as more and more staff find themselves being let go – sometimes taking their laptops with them.
Organisations that do not have a method for preventing internal theft, or recovering missing devices, leave themselves vulnerable to having critical information compromised. Encryption is powerless to protect hardware from theft and does nothing to help police track down stolen devices. Therefore, having both preventative and reactive measures in place is absolutely vital to data security.
Prevention – better than a cure
As more and more employees travel for work, it is understandable that devices may sometimes go missing – up to 900 laptop computers are either lost or stolen at Heathrow Airport on a weekly basis. It is therefore essential that employees understand their company’s security policies and how to comply with them.
The key is to keep it simple. Basic steps range from the obvious, such as not leaving laptops unattended, through the tactical, such as installing anti-virus software and firewalls, to the strategic: implementing asset tracking and recovery software to track and recover lost or stolen computers, and remotely delete sensitive data.
Even with security policies in place, it can be very difficult to ensure that every single member of staff adheres to them at all times. Some of the most recent high profile data loss incidents have been caused either by unauthorised staff making the wrong decisions or by negligence.
However, even if one of your organisation’s laptops is lost or stolen, there are still ways to prevent your sensitive data from falling into the wrong hands.
Returned to rightful owner
IT asset tracking and recovery software should be considered an essential business tool for any industry. Such software tracks the location of lost or stolen computers, facilitates recovery, and ensures that the threat of exposure is minimised and contained. Introducing centralised IT asset management also means that the onus is no longer on the end-user. Instead, responsibility lies with the business itself. Certain software also offers the ability to remotely cleanse any sensitive or confidential data from compromised machines. In short, the software keeps confidential information confidential – even if a device falls into unauthorised hands.
Some software companies offer extra services to help put an organisation’s mind at rest. Absolute Software, for example, offers its subscribers the services of the Absolute Theft Recovery Team. Upon receiving a report of computer theft, the team works directly with law enforcement around the world to track the stolen computer and return it to its rightful owner.
Data security should not be left to chance. A multi-layered approach to security that includes encryption and addresses regulatory compliance, data protection, computer theft recovery and asset management will protect sensitive data and provide assistance should a device go missing.
The financial industry – perhaps more than any other, given the highly sensitive nature of its data – should take advantage of all available services and technologies. Beyond the costly repercussions of data breach penalties, fines and litigation, the reputation damage caused by leaked data could be catastrophic, especially in the current market where companies are battling with each other for what little business there is. It is vital to ensure that customers know that any sensitive data concerning them is viewed only by authorised eyes.