John Michael is the CEO at iStorage, a provider of secure portable data storage. In this interview he discusses the often overlooked repercussions of data loss, offers tips for organizations to make sure their data is secure even when on the move, and more.
What are the often overlooked repercussions of data loss?
Data loss can have significant consequences for businesses of all sizes, depending on the type of information that is mislaid or stolen. From a financial standpoint, fines levied by the Information Commissioner’s Office (ICO) for data loss can be as much as £500,000 – a financial loss that could devastate many firms. In the recent survey of over 500 security professionals, we asked respondents whether they were familiar with the maximum fine that could be imposed on businesses and Government bodies for serious breaches of the Data Protection Act.
We found that 67% were aware of the significant financial implications. However, while this awareness is there, the very same survey found that half of these professionals are not adequately encrypting data while on the move, a fact that is deeply concerning for those of us working within the information security industry.
The potential adverse publicity and reputational damage that can be incurred as a result of data loss should also be a key concern for all organizations. This should be considered specifically by those responsible for the handling and security of critical data including IT Managers, CIOs, CISOs and Data Protection Managers. In the event of a widespread data breach, it will likely be those individuals responsible for data security whose jobs could be at risk should data loss occur.
Of course, if sensitive data is lost and ends up in the hands of a competitor then the implications could be hugely detrimental. Equally, lost financial data could lead to cloning with considerable negative consequences.
The final repercussion to consider is the damage that can occur to organizational operations should data be lost that is not stored elsewhere. For any firms that lose information that is not securely backed up in another location, this could be very detrimental and result in significant resource being allocated to retrieve and reproduce this information.
What practical steps can organizations take in order to make sure their data is secure even when on the move?
If there is a business need to take confidential business data with you on the move, it is essential to ensure that this information is secured by transporting it on a portable device that is both encrypted and not vulnerable to being hacked. Devices that are hardware-encrypted, rather than software-encrypted, are widely considered to be best practice for two key reasons: there is no software to install with hardware encryption and the process is significantly quicker.
Many software encryption devices can be technically challenging for users – and, of course, the more difficult and time-consuming you make the encryption process, the less likely users are to take the time to adequately secure data. As such, devices need to be practical, affordable, easy to use and should work across all operating systems. Most importantly, the solution needs to ensure that the encryption process cannot be bypassed.
I would also strongly advise against using a keyboard to authenticate an encrypted device, as doing so potentially makes you vulnerable to keyloggers, hackers and also Trojan malware that can register every keystroke. Best practice would dictate the use of a PIN-protected portable device with an integrated keypad in order to remove this vulnerability.
What are the advantages of using encrypted portable devices over sharing data in a secure cloud environment?
First and foremost, anyone looking to store data in the cloud needs to appreciate that it is not secure – all of Edward Snowden’s snooping revelations that have been widely reported by the international media demonstrate just how widely both the NSA and GCHQ are monitoring information that was previously perceived to be securely held. Snooping now occurs on such a widespread basis that we are still only seeing the tip of the iceberg – and as such, securely encrypting information using robust portable devices is absolutely essential.
Security concerns stretch far wider than the NSA and GCHQ, and recent news reports that Chinese military officers have hacked into American firms with the intention of stealing commercially sensitive secrets illustrate the importance of ensuring that intellectual property, in particular, is protected at all times.
IP loss can have enormous consequences, particularly, for example, if your organization is in the midst of a competitive tender. Should internal information be compromised and accessed by a key competitor, this could result in the same tender being undercut, potentially without the organization even being made aware.
There is, unquestionably, a market for the cloud and we are seeing increased levels of adoption by both SMEs and large organizations within the UK, with cloud computing providing quick and easy access to information with minimal costs attached. However, I would never use the cloud to store my trade secrets and critical business information as there is no absolute guarantee as to who has access to this data.
I always store information that is important to me and my business’ operations on local, encrypted devices and make sure that a back-up is saved off premises in a trusted location. Taking this approach really is the only approach to assuring absolute data security.