The first thing most of us do when we get into a car is put on a seatbelt. Whether we are driving or just along for the ride, it is so important that it is the law in the UK. We don’t plan to have an accident but, just in case we do, we are protected. So why don’t we give our data the same courtesy?
The quantity of electronic data relied upon by the private and public sectors is increasing rapidly. By “data”, we mean anything stored electronically, from the usual documents such as e-mails and databases to the video, audio and data streams produced by surveillance monitoring – all of which feed data banks that need to be stored and managed carefully.
The ability to carry data when we are going about our daily business, whether on portable hard drives, laptops, or USB sticks, has revolutionised working practices. No longer constrained by the physical boundaries of the office, people are free to work just about anywhere – at home, in the pub, on a train, in the air, or at a client’s premises. Even McDonald’s offers wi-fi access.
However, there has been a price to pay. News reports on data leakage have become a regular feature and cause huge embarrassment to organisations, impacting their image and damaging their relationship with customers. So why is the lesson taking so long to learn?
Software vs hardware
Many organisations have turned to encryption as a saving grace without fully understanding the problem they face, and have suffered as a result. A number of entry-level software-based solutions exist; however, they have been shown to be relatively easy to bypass.
A case in point is PA Consulting. A single employee, in breach of the firm’s well-established information security processes, was allowed to bypass the encryption software that would have protected the personal data of 84,000 prisoners in England and Wales. The data was transferred to a memory stick, which subsequently went missing. As a result, PA Consulting lost its £1.5m contract and jeopardised its remaining £8m of government contracts.
Instead of relying on users to encrypt data before transferring it to a portable device, it is better for the external device to have encryption built in. External hard drives are available that use a hardware encryption chip to encrypt and decrypt data transparently with military-grade AES in CBC mode.
Like any product, there are variants, so it is important to identify what matters when evaluating the various offerings. Key things to look for are:
Quick disconnect – if users are likely to walk away from and return to a device without wishing to log out every time, a quick disconnect feature on the LCD panel may be important: the external drive disappears from the user’s screen and cannot be accessed again until the correct PIN is entered.
Random display – another concern is that the keypad may involuntarily disclose the PIN, either through wear marks on the keys or through shoulder surfing, so a randomised display, which changes where each digit appears, may be considered essential.
Auto destruction – a further consideration is what happens when an incorrect PIN is entered. If there is no penalty for entering a wrong code, perseverance could be rewarded and the data breached. It may be deemed important that after a predetermined number of failed attempts the data is destroyed so that it cannot be disclosed.
Decipher code – once the drive is plugged in via a USB cable, users are presented with a familiar LCD panel on the device itself to enter a PIN of up to 18 digits; without the correct code the data is inaccessible.
Password updates – regular password changes may be important. The firmware should allow customisation so that the user is presented with a message ensuring the password is changed regularly and/or registered with the IT department.
Higher protection – unlike software-based encryption, hardware encryption is not vulnerable to the hacking programs, decryption tools and key loggers that plague other products on the market and make them unsafe to use.
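The unlock behaviour the list above describes (PIN entry, randomised keypad, lockout and auto destruction after too many failures, quick disconnect) can be modelled as a small state machine. The code below is an added illustration written for this article, not firmware from Origin Storage or any other vendor; the class name, the failure limit of five and the PBKDF2 parameters are assumptions. The point it makes explicit is that the failed-attempt counter must live in non-volatile storage, otherwise unplugging the drive would reset it.

```python
import hashlib
import hmac
import os
import secrets


class PinLockedDrive:
    """Constructed model of a PIN-protected hardware-encrypted drive (hypothetical, not a real product).
    The data key stands in for the AES key held inside the encryption chip."""
    MAX_FAILS = 5          # assumed auto-destruction threshold
    PBKDF2_ROUNDS = 100_000

    def __init__(self, pin: str):
        if not (4 <= len(pin) <= 18 and pin.isdigit()):
            raise ValueError("PIN must be 4 to 18 digits")
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin)
        self.data_key = os.urandom(32)   # None once the drive has self-destructed
        self.nvram_fails = 0             # persisted counter: survives power cycles
        self.unlocked = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.PBKDF2_ROUNDS)

    def keypad_layout(self) -> list:
        """Random display: a fresh digit-to-key mapping on every unlock, so key wear
        and shoulder surfing reveal key positions, not the digits pressed."""
        digits = list("0123456789")
        secrets.SystemRandom().shuffle(digits)
        return digits   # index = physical key position, value = digit shown there

    @staticmethod
    def keys_to_pin(layout: list, positions: list) -> str:
        """Translate pressed key positions back into the digits the user saw."""
        return "".join(layout[p] for p in positions)

    def enter_pin(self, pin: str) -> str:
        if self.data_key is None:
            return "wiped"                       # nothing left to unlock
        if hmac.compare_digest(self._derive(pin), self.pin_hash):
            self.nvram_fails = 0
            self.unlocked = True
            return "unlocked"
        self.nvram_fails += 1                    # recorded before anything else happens
        if self.nvram_fails >= self.MAX_FAILS:
            self.data_key = None                 # auto destruction: ciphertext is now noise
            return "wiped"
        return "locked"

    def quick_disconnect(self) -> None:
        self.unlocked = False                    # drive vanishes from the host; counter untouched

    def power_cycle(self) -> None:
        self.unlocked = False                    # counter is not reset: it lives in nvram
```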
The ability to work whenever and wherever we want has significant benefits, especially in today’s 24/7 culture, so it is only fair that when data is involved it is done so responsibly and securely.
Since 1965, it has been compulsory for cars in the UK to be manufactured with seatbelts, although it took a further 18 years before using them became compulsory in the front of vehicles, and a further eight in the rear. How many preventable deaths resulted in this intervening time?
You could argue that no one would die from unsecured data, but individuals could be affected in the event of a data breach. One example is TV presenter Jeremy Clarkson, who inadvertently proved what can be done with limited personal information in the wrong hands when he lost money after publishing his bank details in a newspaper in January 2008.
We will not have long to wait before we see notebooks coming to market with encryption built into the hard drive. A marriage of technologies, the SED (self-encrypting drive) follows the Opal standard established by the Trusted Computing Group. One example is the new range of laptop drives that will be completely encrypted and will sit internally in notebooks. The encryption is seamless, requiring the user to do no more than enter an additional password when logging in, and is therefore impossible to bypass.
It is difficult to understand how anyone can justify carrying unsecured electronic data in the public domain. People need to be educated about the many different options available.
Transparent encryption of all portable data, not just the sensitive data, reduces the risk of the individual forgetting, or worse bypassing, this safety belt. Next time you carry data out of the safe confines of the corporate environment, remember to buckle it up.
Andy Cordial is managing director of Origin Storage.
This was first published in September 2009