Minding your own business and other people’s information

Protecting sensitive corporate data is vital, but safeguarding entrusted information that belongs to your clients is even more important, writes Robert Schifreen

Loss of corporate data, whether due to negligence, theft, hacking or whatever, has major repercussions, both financially and in terms of reputation. But as has been witnessed in recent years, the fallout is many times greater if the data you lose belongs to your customers or clients, rather than your own company.

And as advances in storage technology allow us to hold more data, it is no surprise that incidents of lost or stolen information are increasing. When HM Revenue & Customs (HMRC) mislaid 26 million UK child benefit records in 2007, the data was on two CD-ROMs and totalled less than 2 gigabytes (GB). HMRC’s reputation is still affected by the loss of those two CDs. Likewise, Sony will take a long time to live down the loss of 105 million account details from its PlayStation Network.

Yet five years after the HMRC loss, there are domestic PCs with two terabytes (2,000GB) of disk space. Even enterprise storage, configured in arrays for reliability and mirrored across the corporate network, is still a relative bargain, with prices just about back to normal after last year’s floods in Thailand, home to 45 per cent of world hard disk production.

The consequences of multiple terabytes of data going missing do not bear thinking about. But think about them we must and sadly, having thought about them, we often make the wrong decisions.

Why should I, as a sales manager, carry around a company-issue laptop to provide access to the customer database when my smartphone has 64GB of memory and an Excel-compatible spreadsheet app, and it fits in my shirt pocket? Why work late on Friday at the office on that big pitch when I can scan the documents to PDF and put them on the family iPad?

The fact is that our corporate networks and our employees’ own devices can now store more data than ever before. The growing trend for employees to use their own computers for work – called BYOD or “bring your own device” – blurs the boundaries even more.

But regardless of where your customer data is stored, it has to be protected. Rochdale Metropolitan Borough Council did not exactly ingratiate itself with the Information Commissioner’s Office last year when it lost a memory stick containing the details of 18,000 residents. Clearly, such incidents need to be avoided.

Before you can start to protect your customers’ data, you need to know where it is. The abundance of cheap storage, coupled with the growth in web-based trading, means that customer data is everywhere. Even websites often now request that users sign up and register, meaning that the amount of personal data being stored – and potentially vulnerable to leakage – is enormous.

Two decades ago, the monolithic corporate computer began to be replaced with a network of PCs. No longer was the mainframe computer at the heart of the organisation. Instead it was the turn of the network with boundaries that now extend to every computer, smartphone and tablet used by every employee and all their family members.

To help protect customer data, start by drawing up a list of everywhere that might hold information about your clients, customers, prospects, patients, students and so on. Staff desktops and laptops, obviously, as well as network servers, plus the databases behind any web-based systems on which customers will have entered personal and/or financial data.

The consequences of multiple terabytes of data going missing do not bear thinking about

Then look at palmtops, smartphones, employees’ own computers in their homes, company laptops that staff get to take home, that box of memory cards on the IT director’s desk, USB sticks, the broken PCs that you are about to send for WEEE disposal, the old machine you are about to put on eBay and anywhere else you can think of.

“Prioritise what the most sensitive data is and where it lies,” says Frank Coggrave, general manager for Europe, the Middle East and Africa (EMEA) at Guidance Software. “Ensure you manage your key data effectively with policies and tools to keep it under that control. When an incident occurs, having these tools and processes in place will significantly mitigate the damage caused, and allow for more speedy resolution. The devil is in the data.”

Make sure that every device which holds customer data is protected by security software to prevent information being pilfered by viruses or hackers. That is not just PCs and Macs, but smartphones and tablets too.

For ultimate peace of mind, the obvious answer is encryption. If your clients’ data is securely scrambled, then a hacked website, a stolen iPad or a BlackBerry left on a train ceases to become a problem. Done properly, encryption means being able to say to clients, “Yes, we lost your data, but it doesn’t matter”.

But, in the enterprise environment, where myriad devices and systems need to work together, and where forgetting your password during the Christmas break is almost to be expected, rolling out a cost-effective, usable and manageable encryption infrastructure takes time and money.

However you choose to address the data protection problem, simply doing nothing is unwise and potentially extremely expensive, says Mark Brown, director of information security at Ernst & Young’s risk advisory practice. “As UK law currently stands,” he says, “companies can face a £500,000 fine for a data breach, and directors can be held personally liable too.”

If that doesn’t make large corporations take the problem seriously, new EU legislation is looming that could increase the fine to 2 per cent of annual global turnover and include a mandatory obligation to report the incident within 24 hours. That’s sure to push it straight to number one on the risk register.

And yet, with all the reputational and financial risk that loss of customer data can bring, Mr Brown identifies yet another problem. Security, he reminds us, is about maintaining the confidentiality, integrity and availability of information. “While confidentiality is clearly vital, you neglect the other two at your peril.” The work of an IT security manager is, it seems, never done.