Negligence or human error, a primary root cause of data breach
Staffordshire University in the UK reported that a laptop containing applicant information was stolen from a car belonging to a staff member. Due to the size of the data file, the information was held locally on the hard drive of the laptop. The specific information contained in the file included name, address, email, telephone numbers, offer decisions, ethnicity code and gender of applicants dating from 2006.
While notifying and apologising to all affected parties of the breach, the university stressed that this was an exceptional incident and that the laptop was password protected. The university also undertook actions to avoid such incidents in future. The actions included training staff, reminding them of their obligations to protect personal data, and conducting a technical review of the university’s security landscape.
Though Staffordshire’s post-breach reaction is responsible and is a step in the right direction, it is important to discuss how this scenario could have been avoided in the first place and why security stopped at “password protection”. Unfortunately, encryption is often overlooked as the last line of defense, perhaps due to a misunderstanding of the technology or to outdated concepts surrounding encryption. Some of these can be heard in comments such as, “Why do we need all this security, we’ve got strong passwords?” Or, “Data encryption – that’s going to put a massive strain on the IT department”. Even generally computer-literate decision makers and IT groups argue against data encryption solutions, or dismiss the technology altogether—until it is too late.
All in all, it is time to eliminate negligence and bring the concept of Full Disk Encryption (FDE) to the forefront of the conversation. The technology adds benefits beyond passwords and pre-emptively empowers organisations to protect their interests. As with most challenges, a good solution is one that fixes the root cause of the issue.
CPA Coming Soon to the United Kingdom
The United Kingdom is picking up speed and, in response, WinMagic should soon be accredited with Commercial Product Assurance (CPA) and will be certified to provide data encryption services to central and local government, as well as the NHS and emergency services.
What is Commercial Product Assurance (CPA) Certification?
Products with CPA certification have been independently tested and have met CESG’s security standards. This is significant as “CESG is the Information Security arm of GCHQ, and the National Technical Authority for Information Assurance within the UK…the definitive voice on the technical aspects of Information Security in Government.” The accreditation gives government, the wider public sector, industry customers and data owners confidence that a product will perform its stated security functions and can be trusted, unlike non-certified products.
Speak to your WinMagic Representative for more information on CPA certification.
APAC – Changing The Data Security Conversation
According to Bloomberg Business, major Indian energy companies “will conduct their own enquiries after police arrested a dozen people in an investigation into the alleged sale of stolen government files.” This is the haunting story that WinMagic’s Rahul Kumar elaborates on in his blog article: Think Safety, Stay Secure. Kumar notes the differences in attitude towards data security in APAC regions as opposed to the West, illustrating that the threat of data breach is very real and that the conversation surrounding it ought to change. As exemplified in a recent Korean data breach, “three banks lost personal information of their customers. The number of people affected is close to 40% of Korea’s population.” As reported by CNN, personal identification numbers, addresses and credit card information were all stolen, thereby launching a grand scale investigation into records of half a million customers. The culprit? An external hard drive to which data was being secretly copied.
Had encryption and IT management visibility been prioritized in the data security strategy of the aforementioned organizations, perhaps the breaches could have been avoided. However, this will only be improved if the conversation changes in the APAC regions to prioritize compliance and regulations. Work with your WinMagic Representative on how to facilitate this conversation with your customers today.
A Sneak Peek Into The Opinions On Cloud Computing Security
With the recent onslaught of major hacks, including leaked sensitive information stored in the cloud, it is evident that a conversation on data security needs to happen. To facilitate this discussion, we have conducted a survey to explore the attitudes and behaviour of application, mobile and cloud users. Below is just a sneak peek from the survey that is to be released at a future date:
Users were asked, “How confident are you in the security of the data you save to, or access from, a cloud storage service (e.g., DropBox, Box.com, iCloud)?” Roughly three quarters of cloud storage service users surveyed are at least somewhat confident in the security of their stored data, while nearly one quarter of cloud storage service users are not at all confident in the security of the data they access or save to the cloud storage service.
This is significant as it confirms the current industry trend that confidence in cloud storage solutions is growing, but so is the demand for security in the cloud, with the biggest worries revolving around latency of WANs and data retention policies. An additional consideration is the potential cost of data breaches in the cloud, which the Ponemon Institute highlights: “a breach involving 100,000 or more records of stolen personal data could increase from an average of $2.4 million to anywhere between $4 million and $7.3 million.” Needless to say, the potential risk is high, but the demand and trend for adoption is apparent; thus, organisations must consider how cloud security ought to be adopted in the overall data security strategy.