Strategy & Operations » Governance » A winter of disc content

Put aside, for a moment, the problem of half the UK
population’s bank details being lost on a couple of disks in a jiffy bag and
consider the following: confidential information is found in a skip outside a
bank; computer back-up tapes are stolen from a contractor’s van; confidential
information is ripped off an employee’s laptop after a house burglary; payroll
and pension details are stolen from three laptops; and mortgage details in
documents are stolen from an employee’s car. Just some of the other examples of
“information leakage” reported in 2007.

In all, an Information Security Forum (ISF) study logged 881 information
leakage incidents during 2007. It classed 67 of them as major incidents with
many of these “resulting in brand damage”. Most, of course, never get reported,
so the real number is many times higher.

So is it time for FDs and other members of the board to start taking
information security more seriously? A new survey by YouGov suggests that more
than one million of Britain’s 28 million workforce have either lost or had
stolen information on an electronic device, such as a laptop, personal digital
assistant, thumb-drive or CD.

Safe and sound

What compounds the problem is that information that was once locked in office
filing cabinets can now turn up anywhere. “Nearly five million people now use a
laptop from home,” says Andrew Durant, managing director in Navigant
Consulting’s fraud investigation team, which commissioned the survey. “Yet only
25% said their laptops are encrypted to protect the confidential information
they contain,” says Durant.

Given these figures, it’s not surprising that nearly half of British
companies don’t have a strategy or policy in place on how to handle
electronically stored information (ESI), according to a survey from Kroll
Ontrack, a division of the Kroll risk consulting company.

“The explosion of information and the onslaught of new rules, regulations and
laws have made it incredibly difficult for companies and counsel to stay on top
of everything,” says Kristin Nimsger, president of Kroll Ontrack.

What makes it more difficult is that businesses are becoming increasingly
“perimeter-less”, says Brian Spector, general manager of the content protection
group at Workshare, an information security company. “Sensitive customer
information, intellectual property and confidential corporate data are
constantly sent outside organisations via email, portals, laptops, USB drives
and smartphones,” he says.

All this means that information leakage is likely to become a growing
problem, according to a new report from the ISF. “For large organisations, a
certain level of information leakage may be inevitable through unintentional
actions rather than malicious intent,” says Andy Jones, a senior researcher at
the ISF and author of the report. Yet, whether it’s intentional or not, when it
happens ­ and the news leaks out ­ there are red faces all round. And, as Paul
Gray, former chairman of HM Revenue & Customs can confirm, sometimes worse.

Even the companies that are trying to tackle information leakage face a
barrage of practical problems. The challenge with data is that it lives where
people want to work with it, says Ed Jones, managing director of Thinking Safe,
a data back-up and recovery specialist. The job of keeping it secure while
ensuring it’s readily available “has never been tougher”, says Jones.

“Delivering the right message on information leakage is difficult and, all
too often, is perceived by staff as ‘we don’t trust you, therefore we will lock
everything up’,” says Jones. “A balance should be established between protecting
information and sharing it for business benefit. Information leakage is an old
familiar problem, but it appears to be enjoying a new lease of life.”

One of the reasons that too few companies manage to achieve the balance to
which Jones refers is that board members who take strategic decisions don’t t
alk enough to the people who are in charge of information security. A new Ernst
& Young survey of 1,300 organisations in 50 countries reveals that one-third
of information security chiefs never meet the board. A quarter don’t even report
to the board on information security compliance or incidents.

Richard Brown, head of technology security and risk services at Ernst &
Young, says: “Data protection and privacy are increasingly big drivers for
information security and, with corporate reputations at stake, there needs to be
a strong, effective engagement with the business leaders to achieve a holistic
approach across the organisation.”

Security framework

So what’s the solution? “Organisations need to have in place a comprehensive
security framework covering governance, people, process and technology,” says
Mike Maddison, UK head of security and privacy services at Deloitte.

“It only takes one small failing in any one of these areas for an incident on
the scale of the HMRC data loss to materialise. For example, it is no good
having the governance, process and technology in place if the people are not
included in the equation. It is well known that people make mistakes even when
fully aware of policies, processes and risks ­ a situation that can be
exacerbated if they have lower job satisfaction, variety and motivation.”

One problem is that people sometimes don’t even realise they’re making a
mistake. Take those who work on their laptops on trains and in coffee shops ­
making them potential victims of ‘shoulder surfing’. “Key executives appear
worryingly content to review confidential sales and personnel records on a
laptop in a public place, leaving them at the mercy of strangers in the next
seat,” says Nick Hughes, business development manager at 3M Optical Systems.

3M’s research reveals that 55% of managers have admitted working on a laptop
in a public4 place ­ and 70% said they’d encountered shoulder surfing at some
time. As Hughes points out, this sits uneasily with calls from the Information
Commissioner’s Office for senior executives to take more care with the security
of personal information.

The reality is that there are so many types of threats now to information
security that FDs and the rest of the board can only hope to gain control by
putting a comprehensive management and technical programme in place. The ISF
recommends that any holistic policy should be based on six key principles.

These are: educate staff and third parties about information leakage;
identify environments that may be susceptible to information leakage; classify
information in accordance with its level of confidentiality; ensure general
controls include information leakage considerations; consider the deployment of
technology solutions for high-value or sensitive information; and be prepared to
respond to information leakage incidents.

How these principles are applied will clearly vary from one organisation to
another. And part of the grand plan ought to be a rethink about how digital
information is managed from a technical perspective. “In response to the threat
of local data theft from workstations using portable storage devices, there is a
move among security-minded organisations towards centralised network
configurations, where sensitive data is processed in one place, rather than
being distributed on laptops, desktop PCs and other systems,” says Edward
Wilding, chief technical officer at Data Genetics International.

Restricted access

The vulnerability of widely distributed information is one of the reasons
there is growing interest in “blade technology”, which puts the data and
processing guts of desktop computers into rack-mounted processors locked inside
a central server room. “Blades ­ processor, memory and storage on a card ­
reside in rack-mountable enclosures that supply power, ventilation and other
support components. The key security benefit of blade networks is that the user
has no access to any local ports or drives through which unauthorised data may
be downloaded or uploaded,” says Wilding.

“We have come full circle with blade technology, which resembles the central
mainframe and dumb terminal processing environment of old. Among others, the
Pentagon and NASA have implemented blade networks, largely in response to the US
national infrastructure protection directive.”

Boards may also want to ask their CIOs and IT directors to put tougher
routines in place to monitor the unauthorised copying or downloading of
information. There are several software solutions that can detect USB and
FireWire devices, which can be used for unauthorised data downloads over a
network. “Administrators of IT systems can disable specific types of storage
device such as CD and DVD writers, diskettes, memory sticks, iPods, MP3 players,
digital cameras and flash memory, while enabling local USB and FireWire ports
for other services,” says Wilding.

“A further option is a hardware lockdown of each workstation connected to the
network using each computer’s on-board BIOS configuration menu,” he adds.
“Software and source code may be protected using copy-protection mechanisms. I
would also recommend that valuable source code be removed from network drives or
workstations, and maintained on standalone development computers that are
suitably secured ­ physically and logically.”

Yet, although arranging the technical side so that it’s less vulnerable is
important, ultimately stopping information leakage mostly comes down to people.
“Human error is, at times, the most common point of failure,” says David Murray,
sales director at the Software Bureau, which provides data management software.

“These risks can be reduced by ensuring staff are correctly chosen and have
gained the necessary competence for the level of asset they are looking after.
The training processes of staff handling data should be extensive, with staff
being fully aware of the sensitivity of the matter and the reasons why the
information must be kept confidential.”

All good advice, but past experience suggests even that won’t be enough. Just
like water, information leaks can occur where they’re least expected.

Box: Culture Club
BT may not be everybody’s favourite telecom company, but at least it hasn’t
downloaded its customers’ details to a disc and put it in the post. As far as we

The main reason for this is because of a data quality programme which the
company has been running for six years. The programme has created a new culture
in which people take more care of the information they generate and use, says
Nigel Turner, head of ICT customer management.

BT realised that it was missing business opportunities because it had poor
data quality, adds Turner.

The problems showed up in slow product launches, or missed sales
Data quality issues have been tackled, in some cases, with the aid of software
called TS Discovery from Trillium Software. It enabled data quality owners to
help business process owners to prototype potential new business rules quickly.

BT has also nurtured a new information culture. “Errors are much less likely
to occur when the organisation behaves in a way that treats its information as a
major business asset,” says Turner.

Making that happen starts at the top, says Turner. “Senior managers need to
realise what their responsibilities are and recognise that they have a
leadership role to play.”

It also involves looking closely at the business to uncover reasons why data
quality might be low then acting on it. For example, BT call centre operators
used to be incentivised on the number of calls they handled. Now they’re partly
incentivised on the accuracy of the information they input.

Similarly, engineers often did not bother to record what they’d done
thoroughly. “We spent time educating engineers about the importance of keeping
accurate network records.”

And if FDs think that this tedious work is not worthy of their attention,
they should think again. BT estimates its data quality work has so far saved it
more than £600m.

Read more