
Data thieves and industrial spies have many faces. Sometimes they pose as trainees joining the company for work experience in order to smuggle confidential information out. Sometimes they steal notebooks on which confidential data is not properly protected, or hack into the corporate network. Or they are employees who, without realizing what they are doing, carry secret documents out of the company. It is not unusual for this kind of confidential information to end up at a competitor. And the best means of prevention? A well-planned combination of strong encryption and IT security solutions, together with a programme to raise the awareness of directors and staff and rules governing how they act, lets companies protect their corporate network against internal and external threats.
There are so many suppliers and solutions that it is sometimes hard to know which one to choose. After all, every company has its own particular security requirements. Still, one thing holds for everyone: a new security solution should install easily and without problems, and it should integrate seamlessly into the existing IT infrastructure. It is easier still if all the devices in the corporate network are safeguarded centrally with one security suite. No matter where information is stored or who it is exchanged with, such a solution then secures data on mobile and stationary end devices, on removable media, on servers and in e-mails. With software of this kind, companies can implement their security guidelines simply and consistently on every mobile and stationary device across the company, and can demonstrate this to meet compliance requirements. The need for action has grown considerably. For example, the consultancy PricewaterhouseCoopers, in its most recent two-yearly Global Economic Crime Survey, found that many companies lack adequate protection against fraud, embezzlement, theft and cyber crime. The 2005 survey found that, compared with the 2003 survey, the number of companies that had fallen victim to economic crime had risen globally by 8%. A staggering 45% of companies worldwide were affected, and on average they suffered losses of US$ 1.7 million, a 50% increase over 2003.
Employee awareness is the be-all and end-all
But how can companies protect themselves against threats from the Internet, or even from within their own ranks? The first step should always be to inform every member of staff about the sources of risk, raise their awareness of security, and tell them what they can do to protect the company. Which data must be protected? What are the potential threats? Where are the weak points, and how can they be better protected? If security software or hardware is deployed, it is essential that staff understand and accept it and that it does not disrupt their everyday workflow; a control that gets in the way is one that gets worked around. Only a company that is well informed about the possible dangers and the loopholes an industrial spy might exploit can take effective countermeasures against them.
360-degree data protection instead of one-time encryption
A look across the Atlantic shows, in figures, how the status of data security in the US differs from that in Europe. In the US, legal regulations such as California Senate Bill 1386, since followed by more than 20 other US states, require any company that processes data on US citizens to notify the public of hardware losses and of data theft or misuse. This also applies to foreign companies operating in the US. Every month in the USA some six million items of personal data, including credit card numbers, social security information, medical records and addresses that were originally stored in accordance with legal regulations, end up in the wrong hands. The recent case of US retailer TJX, from which data on 45.7 million credit and debit cards was stolen, the largest theft of card numbers so far, shows the scale of the problem.
The six million estimate comes from Phil Howard, Professor of Communications at the University of Washington, who evaluated reports of data misuse incidents between 1980 and 2006. Hackers were involved in around 30% of the 550 confirmed incidents. However, 60% were due to carelessness on the part of the company or organization involved, for example when hardware was lost or stolen. A professional encryption system would not have prevented the thefts themselves, but it would have stopped the resulting data loss in its tracks, because a thief has no practical way of reading confidential data on an encrypted laptop. Two caveats apply in practice: the machine must have been powered off or locked when it was taken, so that the key is not sitting in memory, and the key must be protected by a strong pre-boot secret or token rather than a password on a sticky note. Built-in measures such as a BIOS password or the operating system's logon alone do not provide sufficient protection here, since the disk can simply be removed and read in another machine. Instead, if a company lays down in its company-wide security guidelines which storage locations and communication paths are to be treated as confidential, and implements a multi-platform, fully integrated encryption solution, it can be sure that its confidential data is protected from thieves anywhere and at any time. There are security solutions that protect data on mobile and stationary end devices, on removable media, on servers and in e-mails with a single application administered from one central point. In addition, this method of data protection can be demonstrated to third parties such as auditors.
No access without an individual key
What is needed is a security solution that, across the whole organization, lets only authorized user groups access sensitive data. In this model, in-house system administrators or personnel from an outsourcing company can still manage the data, but they have no way of reading the confidential information it contains. The security guidelines define specific access rights for working groups or individual users and lay down who may read confidential data in plain text and who only ever sees it as an encrypted, unreadable string of characters on their screen. This highly effective protection does not have to be complicated. Modern high-performance, multi-user security systems run transparently and invisibly in the background, safeguarding confidential documents, financial records and secret design blueprints against any unauthorized access.
Multiple authentication and separation of roles
In their recent "Computer Crime and Security Survey 2006", the Computer Security Institute (CSI) and the FBI split the reported incidents of data misuse and data loss into four categories. The greatest damage was due to viruses and trojan horses, responsible for more than 15 million dollars of losses. In second place were cases of data misuse resulting from unauthorized users accessing confidential information, which cost American companies 10.6 million dollars. Theft of laptops and other mobile devices caused damages of over 6.6 million dollars. In fourth place was the theft of confidential and personal information, which led to losses of 6 million dollars. Any company that wants to safeguard itself and its staff against situations like these should ensure that its data is not only encrypted but also backed up in more than one location, so that encryption does not turn a lost key into lost data. Access to the keys should be guarded by multi-factor authentication, combining a secure password with a smartcard token or biometric technology. An additional layer of security comes from separating the roles of system administrator and security administrator. The system administrator continues to manage the system in the usual way but cannot decrypt files, because the keys needed to do so are managed by the security administrator; the security administrator, in turn, cannot access the stored, encrypted files. Individual access rights are defined by the security administrator: each user is assigned a "key ring" (a set of key groups) on the basis of their profile, with which they read the files released to them in plain text, in the normal way. This also protects system and security administrators from accusations of spying on company data, should such a suspicion ever arise.
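The key-group model described in the two sections above ("No access without an individual key" and "Multiple authentication and separation of roles") is easiest to see in code. The following is an added example, written for this page and not taken from any product or from the original article: each file is encrypted once under a random file key, that file key is wrapped separately under the key-encryption key (KEK) of every group the file is released to, and decryption succeeds only for a key ring holding one of those group KEKs. A system administrator who holds the ciphertext but no group key gets an authentication failure, never plaintext. The group names, file name, sample plaintext and the in-memory KEK generation are constructed for the example; a real deployment would generate and escrow the KEKs in an HSM or key server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyRing maps a key group (e.g. "finance") to its 256-bit key-encryption key
// (KEK). The security administrator issues KEKs; a user's ring holds only the
// groups in their profile; the system administrator's ring is empty.
type KeyRing map[string][]byte

// EncryptedFile is all the system administrator ever sees on disk or in backups:
// AES-256-GCM ciphertext plus one wrapped copy of the file key per group.
type EncryptedFile struct {
	Ciphertext  []byte            // nonce || GCM(fileKey, plaintext, aad=name)
	WrappedKeys map[string][]byte // group -> nonce || GCM(KEK, fileKey, aad=name/group)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG is not something to continue past
	}
	return b
}

// NewKey returns a fresh 256-bit key (example helper; production KEKs live in an HSM).
func NewKey() []byte { return randomBytes(32) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce to the AES-GCM output so the blob is self-contained.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal fails with an error on a wrong key, a tampered blob or the wrong aad.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt encrypts plaintext once under a random file key and wraps that key for
// every group the security guideline releases the file to. The file name is bound
// as associated data so a wrapped key cannot be transplanted onto another file.
func Encrypt(ring KeyRing, name string, plaintext []byte, groups []string) (*EncryptedFile, error) {
	fileKey := NewKey()
	ct, err := seal(fileKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Ciphertext: ct, WrappedKeys: make(map[string][]byte)}
	for _, g := range groups {
		kek, ok := ring[g]
		if !ok {
			return nil, fmt.Errorf("no KEK issued for group %q", g)
		}
		w, err := seal(kek, fileKey, []byte(name+"/"+g))
		if err != nil {
			return nil, err
		}
		f.WrappedKeys[g] = w
	}
	return f, nil
}

// Decrypt returns plaintext only if the caller's ring holds a KEK for a group the
// file was released to; anything else fails GCM authentication and yields an error.
func Decrypt(ring KeyRing, name string, f *EncryptedFile) ([]byte, error) {
	for g, kek := range ring {
		w, ok := f.WrappedKeys[g]
		if !ok {
			continue
		}
		fileKey, err := unseal(kek, w, []byte(name+"/"+g))
		if err != nil {
			continue // stale or wrong KEK for this group
		}
		return unseal(fileKey, f.Ciphertext, []byte(name))
	}
	return nil, errors.New("access denied: no key group on this ring covers the file")
}

func main() {
	// Constructed example: the security administrator issues three group KEKs.
	master := KeyRing{"finance": NewKey(), "rnd": NewKey(), "marketing": NewKey()}
	f, err := Encrypt(master, "q3-forecast.xlsx", []byte("revenue forecast: 4.2M"), []string{"finance", "rnd"})
	if err != nil {
		panic(err)
	}
	users := map[string]KeyRing{
		"finance user":   {"finance": master["finance"]},
		"marketing user": {"marketing": master["marketing"]},
		"system admin":   {}, // can copy and back up f, holds no group key
	}
	for who, ring := range users {
		pt, err := Decrypt(ring, "q3-forecast.xlsx", f)
		fmt.Printf("%-15s -> plaintext=%q err=%v\n", who, pt, err)
	}
}
```

Running it shows the finance user reading the forecast in plain text while the marketing user and the system administrator both receive an access-denied error. Binding the file name into the associated data is the detail that matters in practice: without it, an administrator could copy the wrapped key from a file their group is allowed to read onto one it is not.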
Loopholes in e-mail communication
It is hard to imagine carrying out private and commercial communication without e-mail. Yet although it is perfectly possible to encrypt and sign confidential mail in the e-mail client, this rarely happens, whether because of time pressure or simple lack of knowledge. As a result, members of staff who are unaware of the function may let secret company data or formulae leave the company, and reach competitors, in an e-mail. Mail gateways can prevent this. Professional solutions perform the cryptographic operations, encryption and decryption as well as electronic signatures and authentication, at one central point in the corporate network. They are transparent to the sender and automatically enforce the company's internal security guidelines for e-mail, so senders and recipients communicate as usual without having to think about the confidentiality of the contents. The latest generation of gateways adds a PDF function that converts an outbound confidential e-mail, together with its attachments, into an encrypted PDF document. The benefit is that the recipient needs no additional encryption software: with the right password they can read the message on any stationary or mobile device with a PDF reader such as Adobe Acrobat Reader, and even reply confidentially. The protection is then only as good as the password and the way it is delivered, so the password should be strong and passed to the recipient over a separate channel, never in the same e-mail.
Company PCs safeguarded by encryption solutions like these are far better protected against commercial and data espionage. Cost-effective, easily implemented software is also available for medium-sized companies, so they too can keep their research and development plans, marketing campaigns, special offers and customer data away from anyone who is not meant to see them. Once data is lost or spied upon, the damage to the company's reputation is often serious. Knowing that data is secure removes that worry and also helps build relationships with staff on a basis of mutual trust: when encryption software is in use, there is far less reason to suspect in-house staff, outsourced personnel or trainees. This builds confidence and makes everyone's work easier.
Further tips on how to protect your company against industrial espionage are also available at http://www.utimaco.com/toptips.