Companies are under more pressure than ever before to ensure that when it comes to protecting their lifeblood – their critical corporate data – no protection can be too much.
And that includes data wherever it is held – on mainframes, PCs, laptops and handheld devices. The upshot is that encryption and access control have become more important than ever before, because without this protection in place some companies will find they either cannot get insurance cover, or can only get it at exorbitant premiums.
In fact, getting insurance cover to protect data on wireless devices is still very much in its infancy. Most insurers and corporations have not yet recognized the increased risks caused by changes in working practices. More employees are now accessing corporate data from home or on the move, from laptops and handhelds.
Companies will need to start considering how they can control the environment of the employee working at home, just as they control it in the office. This is more important than ever before with the recent crop of handhelds such as the Pocket PC, which often has a memory capacity of 64Mb as standard, expandable to over 1Gb. This enables individuals to access, download and store up-to-the-minute information from corporate databases, PowerPoint presentations and Excel spreadsheets. These devices therefore become ideal personal computers for work use, and yet if they are stolen or lost and do not have adequate encryption, access control or anti-virus software, they can seriously compromise a company’s security, legal and financial position.
So if you cannot adequately insure against information security breaches, what else can you do? For companies that need to ensure that their data never gets into the wrong hands, encryption and access control are among the best methods of protection.
Gone are the days when PDAs were just ‘toys for boys.’ They are serious communication tools for workers on the move, and with this increased popularity and power they need to be incorporated into the overall corporate security strategy. Otherwise they can pose a security threat to the corporate network and become a time-bomb in the pockets of the corporate worker. With appropriate security and policy controls, mobile devices can be a cost-effective option for both the employee and employer, providing the same freedom and advantages that the laptop has provided in recent years.
Many specialists associated with risk management – from directors to lawyers and even insurers themselves – are now re-reading their insurance policies to make sure they are adequately covered, with many finding that they are not. According to Stephen Reid, managing director of insurance brokers Marsh McLennan, there is no standard when it comes to the protection you can give your business. It is now commonplace for underwriters to judge companies on a one-off basis.
By adopting measures such as encryption and access control, even on your employees’ handhelds, you are demonstrating a commitment to the security of your business data. Once upon a time, such an approach might have gained you discounts. Now, it may only guarantee you an insurer’s business.
“With such massive losses over recent months, insurers will be very wary about whom they insure. The more effective security you have, the more likely you are to get insured,” said Reid.
Encryption and access control for corporate data have become more important as computer crime – and the associated risks to corporate data – gets worse. The 2001 survey by the authoritative Computer Security Institute found that in all, computer crime cost companies $377 million, including $151m on the theft of proprietary data, $92m from financial fraud, $45m from viruses, and, demonstrating the risks from portable data, around $9m from the theft of laptops. Over a five-year period, the total sum lost through computer crime was over $1 billion.
It is only a matter of time before those statistics reflect data held on handheld systems too, especially as corporate data sits well on handheld devices. According to IDC, worldwide shipments of handhelds will increase at a compound annual growth rate of 39 percent from 13.6 million in 2000 to 70.9 million by 2005.
According to Margaret Smith, director of business information services at Legal & General, the time will come when companies will start buying handheld computers for their staff, simply because that means they can control access to the data on them through encryption. Currently, handhelds used by employees tend to be their own property, and so there are few safeguards in place for any corporate data resident on them.
“The big issue on handhelds is that they usually belong to our employees, and therefore we can’t mandate how they use them. But, even email resident on handhelds can contain important corporate data from which you can get a picture of the company’s business. If we bought handhelds for people, we would have to think about encrypting the data. We live in interesting times.”
So, as data moves on to smaller and smaller devices, what safeguards must be in place to prevent the loss of such corporate data?
Adopting a three-point ‘protection triangle’ approach to security is vital. The first point is to ensure that systems are physically secure. That means adopting measures such as encryption and access control, particularly on portable devices such as laptops and handheld devices. The second is to put legal safeguards in place within the company over what access to data employees can have and how they should use it. The third – money – comprises financial issues and cover, such as insurance, safeguarding against the financial risks caused by the loss of data.
Risk analysis, perhaps undertaken in cooperation with a specialist consultancy, is necessary to identify appropriate levels of security for the various elements of the system or process. Once this has been completed, then technical design work can start on identifying suitable products and technologies to implement that level of security.
In today’s climate, even getting the insurance support depends on putting the other elements in place. The legal safeguards should be part of a fully-fledged security policy, which is a prerequisite for every major company. That leaves putting the practical security – including the encryption and access controls – in place.
Adopting these security controls is just as important as it has ever been. Simply having them on the ‘to do’ list is just not enough.
Magnus Ahlberg is managing director of Pointsec Mobile Technologies Ltd (www.pointsec.com), which develops and markets security software for PCs, laptops, PDAs and other mobile computing devices to enterprise clients. He may be contacted at email@example.com.