November and December 2007 have certainly had a wintry outlook for UK Government departments, and have given much cause for discontent. First, HM Revenue & Customs mislaid CDs with 25 million personal records on them. This was swiftly followed by a number of admissions of other data leaks from Govt. offices, all involving the loss of discs with sensitive content that wasn’t encrypted or protected.

It’s easy for us to tut, shake our heads at the folly of it all, and say “that couldn’t happen to us”. But a November 07 survey of UK IT managers and directors in the public and private sectors showed that a majority of companies are at risk of similar leaks – simply because they don’t have adequate security measures in place.

Risky business

Less than 50% of the survey’s respondents have deployed any form of data encryption, and fewer than 40% have any endpoint security set up on their PCs, laptops and mobile devices.

Despite this, a startling 65% of the IT managers surveyed said they were unlikely to change their IT spending priorities. Yet when asked about their IT security policy, 73% admitted their organisation’s IT policy included data protection guidelines covering the use of USB drives for transporting data.

So a majority of companies surveyed are in exactly the same position as HMRC – they have policies covering data leaks, but don’t have technology to enforce those policies. This puts those companies equally at risk of losing sensitive data, despite their confidence in their own security.
So how should businesses address the issue of data leaks, and what solutions should they consider? Broadly, this means looking at three key issues.

The first is hard disk encryption of laptops, and smart devices such as PDAs, mobile phones and USB devices. Second is auditing and controlling data transfer and access to removable media, for example CDs, USB keys etc. The final issue is the security policy running on the user’s endpoint device – whether PC or laptop. Let’s look at each of these issues in turn.

Encryption matters

Encryption for laptops boils down to two choices: full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP comes with file-based encryption built. While this means that anything stored in specific folders or directories is encrypted automatically, there is a big security flaw. It relies on you and other users putting files in the encrypted folders themselves.

That’s fine in theory, but do you really want to rely on others to decide what’s sensitive information, and to place it in the right folder? The advantage of full disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it – and can’t interfere.

Security in hand

So far, so good – but what about PDAs and smart phones? The key here is a rigorous audit of all the devices being used within the company, and then deploying a single encryption solution to cover as many of the devices as possible. Unauthorised handheld devices should not be allowed to connect to the main network, or to store sensitive data. The solution chosen should again encrypt data automatically with no user intervention.