The Cold War might be over, but espionage certainly isn’t. Modern-day spies
may not have the kind of savoir-faire of, say, James Bond or the Man
from U.N.C.L.E., but they are certainly employing similar skills with great success –
and destruction – in the corporate world.
For every story of corporate espionage that hits the headlines, there are a
million others taking place around the world that escape the same kind of media
attention. Our increasingly information-based economy and stiff global
competition, coupled with the pace of development in sophisticated technologies,
mean that a company’s prized asset – its data – is a cyber criminal’s dream.
Experts predict the problem will grow as new technologies are developed and
more business transactions are carried out electronically. The recent popularity
of removable media devices and technologies such as iPods, which can be lost or
stolen easily, makes the potential for security breaches even greater.
“A 20GB iPod can be plugged into another computer and, as well as your tunes,
people can walk off with your intellectual property,” says Chris Potter,
information security assurance partner at PricewaterhouseCoopers.
What is especially worrying is the lack of knowledge and understanding, and
the scant importance placed on areas such as data protection and encryption at
board level, say experts. The lack of disclosure of such breaches makes them
difficult to quantify, but a 2004 Department of Trade and Industry survey says
the average cost of a single security breach to a large company is £120,000. And
if you consider that large businesses are caught out roughly once a week, the
overall cost to UK plc is jaw-droppingly high.
Jon Callas, chief technical officer at PGP, a US company specialising in
encryption software, says: “If you get in front of the problem now it won’t be
as big a problem in future.”
Companies particularly at risk are those involved in research and
development, such as pharmaceutical companies, telecoms and financial services
The explosion of the internet for business use meant that company directors
quickly realised that online transactions had to be encrypted to give consumers
the confidence to buy online. But encryption of individual files and
confidential data is far less widespread, claim security experts.
Anecdotes of senior UK executives sending confidential files to their
unsecured Hotmail accounts so they can work from home are not unusual. Some
companies don’t even encrypt the hard drives on laptops, says Potter. With
frequent tales of staff leaving their laptops on the back seat of a taxi or on a
train, encrypting the hard drive on a laptop could save not only millions of
pounds but could also keep a business from bankruptcy.
According to the DTI survey, in 2004 one in 10 companies suffered a
significant fraud or security breach, and most of the survey’s respondents were
pessimistic about the future of information security incidents. More worrying,
says Potter, is that “roughly a quarter of large organisations have some form of
So why, when directors know the damage a serious security breach can inflict
on their business, are so few companies encrypting their data? “It’s the
logistics of it,” says Potter. “The technology is there, but it can be a painful
process. The key issue is how to share encryption keys without causing a
Commercial espionage is a major concern for governments, all of which are
fighting to ensure their country remains the most attractive place in which to
do business. The irony of it is that until recently governments, particularly
the US and UK, viewed any attempt to encrypt corporate data with deep suspicion.
As the internet flourished, concerns grew so much that in May 2000, with
little consultation with the industry, the Home Office included in the
Electronic Communications Act a vestigial power to create registration for
encryption services. That power, however, was subject to a five-year sunset
clause, which ran out on 25 May.
The Act’s powers gave the government the right to regulate companies selling
encryption services. It was yet another case of a sledgehammer to crack a nut,
according to security and civil rights experts. The Regulation of Investigatory
Powers Act of 2000 also gives authorities the power to demand that organisations
disclose their encryption codes.
There has recently been a sea change in government views on encryption. Where
authorities once resisted developments in encryption, some are beginning to
demand it. “Data security laws have liberalised encryption laws, despite
September 11,” says Callas.
He foresees a ramping up in encryption now that laws are changing. If a
company operating in, say, California loses sensitive client data, it is now
required by law to inform its customers. The damage that such a security breach
and ensuing public disclosure could do to a company’s bottom line is inspiring
businesses around the world to use encryption more widely.
One reason encryption is not more widespread is that it is
difficult to illustrate to a board of directors the return on investment for not
having been a victim of a security breach, says Callas. Part of the problem, too,
is that most directors don’t believe it will happen to them. But even when a
security breach does occur, Potter says “there’s only a small window of
opportunity when organisations are open to investing in encryption software,
based on the assumption that the company by then is still in business”. A better
way of thinking about it, explains Potter, is that most people insure their
homes against fire, “yet few people’s houses ever burn down”.
But business advisers are quick to point out that it isn’t just electronic
security, or external threats, that businesses should be concerned about. Jim
Norton, senior policy adviser at the Institute of Directors, says companies
should not be so focused on implementing sophisticated technologies that they
forget to consider basic physical security. “It’s right to have technological
solutions but also look at the people issues. It may be just as easy to bribe
the office cleaner,” says Norton.
The fear of losing customer or sensitive data should be enough to instil in
companies the motivation to employ encryption in a more widespread manner. The
way the legislative process is going, it may soon be an obligation.
Although it might be an arduous process logistically, well-managed projects
might just be the difference between survival and bankruptcy in a cutthroat