Recently, both the EU and the ICO (Information Commissioner’s Office) have got much tougher over the need for organisations to protect data and report data loss.
In fact, the ICO, which oversees and enforces the Data Protection Act in the UK, has been granted new powers to fine organisations up to £500,000 for serious breaches of the Act.
One of the key recommendations the ICO makes in its advice to organisations on how they can ensure the safety of personal information held electronically is to encrypt. The ICO is looking at enforcing fines, in some cases, where data is lost and encryption hasn’t been used.
Although the ICO’s recommendations relate specifically to the safety of sensitive personal information, and many of you will hold such information on your systems, the need to encrypt applies equally to any company or organisation that holds information which is sensitive to it and which must be protected from unauthorised internal users as well as from external threats such as hacking or phishing.
For those of you who do hold sensitive personal information, encryption is absolutely essential if you are to avoid the risk of fines. The ICO specifically warns about the danger of laptops being stolen or left unattended and says: “The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued.” A fairly unambiguous warning!
The ICO recommends that all portable and mobile devices (e.g. laptops, memory sticks, magnetic media, etc.) used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software.
It also recommends encryption for static devices (such as PCs) and for data being transmitted electronically (such as over the Internet). Again, this advice is equally applicable to all companies that hold data which they would not want to be seen by unauthorised individuals.
What to encrypt?
Data to be encrypted falls into three key categories: data you have to encrypt for compliance reasons (ICO, PCI, SOX, etc.); data with a high enough business confidentiality requirement that it must be encrypted; and data that should be encrypted, such as information that isn’t business critical but would still be damaging if lost.
Some of the areas to consider for encryption include individual files (when you don’t want to implement wide-scale encryption on your network, but have some critical files which you are concerned about protecting); network servers and NAS (network attached storage).
Also consider encrypting email; data sent between offices; network passwords; laptops; hard drives, especially laptop hard drives or drives used by high-risk internal power users; all mobile media such as USB sticks and PDAs; communications by mobile and remote workers, connecting to the company network; and wireless communications, especially for mobile and remote workers.
It should be remembered, however, that critical though encryption is, it is not enough in itself and should form part of a comprehensive data leakage prevention policy if you really want to secure data properly. It is also crucial not only to manage data protection processes, but to be seen to be managing them, because staff awareness is a critical element in successful IT security.
Ian Kilpatrick is chairman of Wick Hill Group, specialists in secure infrastructure solutions.