More than 3000 years ago, a major "CEO" named Solomon wrote, "He who covers his sins will not prosper. But whoever confesses and forsakes them will have mercy." And it seems recently that many of our business and government leaders are discovering religion. Or at least they are learning some of the lessons that the same CEO wrote, namely, "There's nothing new under the sun."
So with a glut of admissions to the loss of confidential data it seems that "confession is good for the soul." However, as always, everyone looks for someone else to blame. So is it an outsource company that lost government data in the UK, or a service company that list credit card data belonging to a bank? Somehow it always seems to be somebody else's fault. So, just as confession is good for the soul, it seems that not accepting responsibility is also par for the course.
Time to market is so vital to so many organizations today and getting the right information to the right person at the right time is the key strategy for business success. We live and work in a world that demands instantaneous response to every demand, and the total reliance on technology to deliver has meant that increasingly we are relying on individuals, services, infrastructures and organizations that are not under the control of the business. And as vital as it is to get the right information to the right person, it has become increasingly vital to stop this information from getting into the wrong hands.
Although many may be suspicious of surveys, and possibly question the accuracy of the results, the fact remains that data theft and data loss is endemic across all sectors today. Weekly reports of theft from financial institutions such as LGT, theft of confidential data from companies such as Dupont, and governments' misplacing all kinds of personal data are likely only the tip of the iceberg. The reality is that in the majority of organizations today, there is little or no control of highly sensitive data. IT staff are allowed uncontrolled access to systems containing sensitive data, the data is frequently unsecured within the organization, and there's a lack of control of how data is moved both intra- and inter-company.
The failure of organizations to police themselves effectively is resulting in an ever growing list of regulatory legislation. As in every walk of life, government and institutions are increasingly responding to the apparent inability or unwillingness of organizations to police themselves by compelling enterprises to comply with regulations such as Basel II, SOX, PCI/DSS, Euro SOX, HIPAA, etc. But this is also an acceptance of the reality that many organizations are not protecting sensitive data as well as they used to. What used to reside in the locked cabinet in an accountant's office is now saved as a file on a server, which may even be outsourced; what was kept in physical safe for security is now emailed from place to place with little or no thought of the consequences or the security.
Many organizations have failed to apply their traditional business security policies to a changing world where data moves electronically. Information owners are no longer in control of their information, and the lack of communication between business and IT in most organizations has resulted in a breakdown of security and confidentiality. Decisions related to how data is handled is frequently taken in isolation by IT, without adequate consultation with business unity and too often efficiency and expediency win out over effectiveness. Recent examples of USB sticks, CDs, and tapes either being lost or stolen point to our tendency to adopt technologies and allow their use with little or no thought of the consequences.
When one analyzes the data breaches over the past few years, the common denominator in most, if not all, is a failure of IT either to control access to systems from privileged users and accounts or to control what privileged users have access to. Much of the responsibility has to rest with management who has consistently failed to enforce policies. Many organizations have policies in place that stipulate that privileged account passwords must be changed on a regular basis and yet it is frequently the case that these policies are not enforced.
Add to this that that IT security has focused on infrastructure protection and today, in spite of multiple layers of protection, sensitive data is constantly being exposed. Authorization has largely been ignored to the extent that in many organizations more than half of all accounts have full authorization to view sensitive data.
Or consider the volume of data that is exchanged between information systems on a daily basis. At the very least a small proportion of this data is highly sensitive and of value to the company. This can range from financial records, HR files, management correspondences, mergers and acquisitions plans, and intellectual property to name but a few. Disclosure of this data to unauthorized personnel or external parties can be damaging, leading to loss of business, loss of business partners and customer confidence.
It might be interesting to consider that studies from organizations such as IDC have shown that 81% of the organizations that misplace sensitive data experience a negative financial impact as a result of insider activities; 75% of the organizations experience some impact on their business operations, and 28% of the organizations experienced a negative impact to their reputations!
Now if you think that we're just preaching the same sermon then one only has to read what the chief executive of Applied Security, Frank Schlottke, said after the recent case of sensitive data being sold via eBay. "Instead of looking at specific technologies such as laptop or USB encryption, the focus should be on encrypting files and folders at the source."
Common methods of transferring sensitive data are actually neither secure nor reliable. What the many incidents point to is that methods such as courier, FTP and email are all weak. In the case of courier, apart from the risk of "falling of the back of a truck," it can also arrive a year after it was sent. Or even worse, someone might discover that it didn't arrive a year after it was sent! Add to this the fact that the data has to pass through so many hands between source and destination that the risks of theft, misuse, etc. are hugely increased, and it does not matter what medium is used to move the data.
Another popular method that dates from the dark ages of IT is FTP. Regardless of what flavor is used, FTP suffers from the same basic flaws when it comes to using it as a method for transferring data across networks. FTP does not provide the necessary mechanisms to make sure file transfers operate securely and reliably (especially when needing to handle large volumes of file transfers). Although some FTP flavors (such as FTP/S) encrypt transmissions over the wire, no FTP server provides built-in encryption for data at rest, which means that either additional technology is required to do this or more likely, as is the case in many organizations, nothing is done or manual processes are required, which in turn exposes that data to misuse.
A major weakness in FTP solutions is the transfer of remote logins in unencrypted format, allowing easy access for hackers, both inside and outside the organization to gain easy access to the FTP server credentials, and easy access to the confidential data which is uploaded to the FTP server.
The lack of built-in automation requires the development of home-grown scripts to manage the transfers, schedule them, monitor them etc., and the lack of logging, reporting, or auditing capabilities required by regulatory mandates. Add to all this that FTP does not guarantee a successful file delivery. Network problems such as connection failures or network downtime frequently result in no or partial files being transferred. In fact, the more I go on about the more depressed I become!
And of course, there's the ultimate nightmare - email attachments! There is nothing worse than receiving a 10 Mb attachment with your email, unless of course it happens to be somebody else's business plan or financial statements. In which case, we are all incredibly honest and immediately call the company involved to inform them of the small administrative error, right? Of course not. After all, we don't want to get the sender in trouble, and who knows, we might get the same mail next week. And do we ever read the small print that usually says something like, "This e-mail message and any attachments are private communication and may contain confidential, or otherwise legally privileged information meant solely for the intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. Please notify the sender immediately by replying to this message, and then delete the e-mail and any attachments from your system. Thank you."
So where do you start? My advice is stop the use of FTP, email attachments and couriers to move sensitive data and take the necessary steps to get a 21st century Managed File Transfer process in place; one that protects data at rest and ensures safe and secure transmission to your business associates. And a final word of advice from the old CEO. "He that spareth his rod hateth his son." In other words, give your IT department a good thrashing and get them to get their act together.
About the Author
Calum Macleod is Western European Director of Cyber-Ark.