The danger of complacency in IT security

Fewer than 1% of businesses use encryption on their machines' hard drives and USB external drives.
This is according to J2 Software research drawn from more than 47 million logged Windows, file, application and data-transfer activities.
J2 Software MD John Mc Loughlin says this means there is the possibility of massive data loss if a machine or USB external drive goes missing, is lost or is stolen.
“We have also seen that many businesses have inadequate backup procedures in place, or at least that not everybody follows these procedures correctly. We recently encountered a potential client shortly after they suffered a loss.
“A mid-sized business in financial services had been using the traditional method of backing up all server and application data onto an in-house backup server on a daily basis. Every Friday the person responsible for IT took a full copy of this backup home on an external drive, thereby giving them an ‘off-site’ backup.
“Of course, 85% of their workforce use laptops on a daily basis. The policy is in place: all work, contracts and related information are to be kept only in the appropriate directory, which then synchronises to the server, thereby allowing the backups and off-site movement of data, albeit not encrypted or secured in any way.”
Mc Loughlin says this may sound good in theory but notes that in reality this is never the case. “This particular business had an executive team who stored a great deal of mission-critical contractual and personal data on their laptops, mostly in folders on the desktop. Knowing this, they had an ingenious method to remain compliant with their backup requirements: the execs were all issued with external drives of their own to do their daily backups, and most of them even did it.
“The real problem is that the external drive is kept in the same bag as the laptop, so when one of the execs found himself the victim of car remote jamming he lost not only his laptop, with all its important data, but also the backup and the hard copy.”
He notes that the data on both devices was not encrypted and contained sensitive business and customer information, which in the very near future will constitute a compliance breach under POPI (South Africa's Protection of Personal Information Act).
“This would require the company to report the incident to the regulator as well as inform all customers who were or could have been affected. The notification would have to detail the information lost as well as any potential threats to the data subjects around identity theft, fraud and related activity.”
Mc Loughlin says these problems are more than just an inconvenience in terms of the cost of replacement machines and the restoration of information: once the loss is reported to the regulator and to customers, the company faces massive reputational damage and the accompanying certainty of lost business.
“Added to the danger of identity theft, the thief can use the information gathered to run an invoice fraud scam or open new accounts,” Mc Loughlin says.
“It is baffling how many businesses do not take the simple steps necessary to prevent this damage. As long as people use machines and access data the risks are there. Policies are great, but without ongoing monitoring of compliance and automation the policy will be bypassed.
“An attitude of ‘it won’t happen to us’ is not a recognised compliant method of securing data and sensitive information and will not be accepted by the regulator. Companies are legally and morally obliged to ensure they do not put their customers at risk due to complacency.”
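The point about monitoring compliance rather than trusting the policy can be turned into a routine check. The following is an added example, not code from the article or from J2 Software, that audits the BitLocker state of every volume on a Windows endpoint, USB drives included, and flags the situation the article describes: a drive that is not encrypted, or one that is encrypted but has protection suspended. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session; the function name `Get-BitLockerComplianceReport` and its `-SkipRemovable` parameter are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or J2 Software. Audits BitLocker state on this
# Windows endpoint so an "all drives encrypted" policy is measured, not assumed.
# Assumes the BitLocker module (Windows 8 / Server 2012+) and an elevated session;
# the function and parameter names are this example's own.

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # USB/removable volumes are included by default because the loss in the
        # article was a USB backup drive carried next to the laptop.
        [switch]$SkipRemovable
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Map the mount point back to a drive type (Fixed/Removable) where it has a letter.
        $driveType = 'Unknown'
        if ($vol.MountPoint -match '^[A-Za-z]:\\?$') {
            $v = Get-Volume -DriveLetter $vol.MountPoint.Substring(0, 1) -ErrorAction SilentlyContinue
            if ($v) { $driveType = [string]$v.DriveType }
        }
        if ($SkipRemovable -and $driveType -eq 'Removable') { continue }

        # Three checks. A volume can be FullyEncrypted with protection Off (suspended,
        # clear key on disk), which is as good as unencrypted to whoever takes the drive.
        $encrypted      = $vol.VolumeStatus -eq 'FullyEncrypted'
        $protected      = $vol.ProtectionStatus -eq 'On'
        $hasRecoveryKey = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0

        if (-not $encrypted)          { $reason = "volume status is $($vol.VolumeStatus)" }
        elseif (-not $protected)      { $reason = 'protection suspended (clear key on disk)' }
        elseif (-not $hasRecoveryKey) { $reason = 'no recovery password protector to escrow' }
        else                          { $reason = '' }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType
            DriveType        = $driveType
            VolumeStatus     = [string]$vol.VolumeStatus
            ProtectionStatus = [string]$vol.ProtectionStatus
            Method           = [string]$vol.EncryptionMethod
            Compliant        = ($encrypted -and $protected -and $hasRecoveryKey)
            Reason           = $reason
        }
    }
}

# Run the audit, show it, and exit non-zero so a scheduled task or endpoint agent can alert.
$report = @(Get-BitLockerComplianceReport)
$report | Format-Table MountPoint, DriveType, VolumeStatus, ProtectionStatus, Compliant, Reason -AutoSize
$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) of $($report.Count) volume(s) not compliant on $env:COMPUTERNAME"
    exit 1
}
```

Run it from a scheduled task or endpoint-management agent and collect the returned objects centrally; the non-zero exit code on any non-compliant volume gives the collector something to alert on. A `VolumeStatus` of `FullyEncrypted` on its own is not enough, because a suspended protector leaves the volume key in the clear on disk, which is why the check also tests `ProtectionStatus`; the recovery-password check is there so that an encrypted drive does not turn into its own data-loss incident when the user forgets the PIN.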