Data loss, theft and control are key concerns for society. They affect not only the reputation of the user, organisation or department: the data might actually be about someone, or about something important, sensitive or critical to a country's safety and wellbeing. There are also legal obligations over its content (and handling), and the reputation of the company, organisation or government can be at stake. The loss or theft might actually cause considerable distress or harm, or enable the preparation of such...
Encryption products are widely available - but not widely used?
♦ Why, as many are really straightforward?
♦ Many organisations and corporate IT systems have the capabilities and often the products available?
♦ And still they don't get used 100% of the time when the data is at risk - Why?
A lot has to do with the psychology of being concerned about forgetting codes and passwords, and the risk of not getting the data back... Some is simply to do with not valuing the possibility of theft, loss or risk. Sometimes the organisation or department just doesn't do the risk analysis, or won't put the budget and time investment into solving the problem. Some is about doing what isn't allowed procedurally: if encryption products were asked for, then the balloon would go up and stop the data going home or out of the office etc... Some is about doing the data mining or marketing analysis and processing the data raw! Some is down to the wrong user, corporate or departmental strategy with respect to data security - it is not a question of if it will happen, it is more likely a question of when...
It is far better to assume that someone, at some time, will either have stolen or lost very valuable or very sensitive data - it might even be in a very un-obvious way. For example, do you crush all hard disks, including those in the backups, complex switches, advanced printers and cache servers? Personal laptops may need hard disk crushing for those moments when your staff do work on their own laptop/IT... What do you do with smart phones and tablets? What about email? Sometimes the loss/theft is circuitous: maybe your policies are robust, but not the policies of those you subcontract the work to... Maybe you need to find out how many staff have email attachments going to smart phones and tablets - and what security (such as user authentication) is enabled! The Leveson Inquiry is showing us all the damages and costs of not resetting (or setting) default PINs/pass codes on voicemail, answerphones and mobile phone voicemail...
Either way - it is far better to get the right risk management strategies in place, get the right approach to segmented key data... and enable all to use encrypted products more freely...
◊ How many laptop losses/thefts have you heard about?
◊ How many CDs lost with potentially no encryption of data?
◊ How many USB fobs lost with horrendous levels of sensitive data?
"Too many" should be your answer. Some thankfully were encrypted - and the products available are strong. Encryption is in many senses a key aspect, but it isn't the total answer - process, training, attitude and responsible risk management are all key to getting this right... SOPHOS has several key products that allow you to enforce a discipline about downloading to CDs and USB fobs - even stopping it on those clients that shouldn't be doing it.
We are in the final stages of becoming a major supplier of encrypted USB drives for end-users - to drive up their use in authenticated access. We also want to drive forward the use of tokens based on biometric authentication combined with other tokens such as PINs and/or passwords - and network-level access from a server/client (or network access into a server/client) that demands and relies on such multifaceted authentication. If authentication is only ever code and algorithms - without simplifying the points too much - both can be stolen, potentially hacked or duped (e.g. by a man-in-the-middle attack). What we all need is much stronger, cost-effective approaches to protect valuable data and assets.
We have chosen a supplier whose products can encode up to ten fingerprints and encrypt the data using a powerful AES algorithm. There is even a completely integrated version that is designed to help you give presentations - so you can encrypt that valuable corporate or government data, go and give your presentation, and feel secure that your (or your organisation's/department's) data isn't compromised, nor can it be, in the hotel or in transit.
We are not going to stop at the USB - we are looking at secure login and authentication too. Extremely secure firewalls and network designs will be on offer, using strong products that offer Unified Threat Management [UTM] capabilities... It is critical to understand the threats to your infrastructure and exactly how it is being used by your customers, suppliers and staff [temporary, new, existing, leavers, dismissals and retired]. Personal items of technology that are not part of the corporate governance or security programme, tools and techniques are becoming widely used in the business. They might be a key enabler of an efficient workforce - they may also be your key risk areas or even legal problems...
But then a very strong infrastructure and firewalling potentially moves your threats and risks to in-transit threats - so we have also chosen a supplier to offer products that are secure document carriers with anti-slash, secure laptop, tablet and document protection for transit and overnight in hotels - more on that later.
Still, even that isn't good enough with RFID-enabled tokens in credit/debit cards and corporate ID - so we have also chosen a supplier to offer products that can protect against passing capture of such tokens on the move, and hence thwart security risks such as identity theft or secure access token sequence number theft.
Considerably more will follow shortly....
iStorage Secure USB Datasheet download PDF