Data lost, not found: Why data loss is still prevalent in many organisations

Rob Swainson, Blue Cube
Rob Swainson, Blue Cube
West Suffolk Hospital NHS Trust is one of the early adopters of encrypted USB memory devices
West Suffolk Hospital NHS Trust is one of the early adopters of encrypted USB memory devices

 In fact, according to the Open Security Foundation, the worldwide rate of data loss accelerated in 2008. The organisation tracked 584 incidents in 2008, against 445 in 2007 and 496 the year before that.

Not all incidents have the impact – or the potential to grab the headlines – that HMRC did. Many are on a far smaller scale, although no less worrying for the subjects of the lost records.
Nor is it the case that governments are any more prone to losing personal information than commercial companies. The largest (publicly-acknowledged) data loss to date remains retailer TJX’s loss of 94m credit card and customer details, again according to the OSF.
Lies, damned lies
None the less, forming an accurate picture of data loss is fraught with difficulties; calculating its financial impact is even harder.
Historic figures are skewed towards North America, not least because of the impact of data breach disclosure laws, in particular California’s SB 1386. There is, as yet, no equivalent in the EU, so breaches are likely to go unreported. Proposed UK measures to make data loss a criminal offence are unlikely to encourage more disclosures, if doing so could land executives a substantial fine, or worse, a jail term.
“Incidents in the public eye are the tip of the iceberg”, says Greg Day, senior cybercrime adviser at vendors McAfee. “Data leaks out of businesses every day; in many incidents the data is just getting discarded, or lost.”
Although the number of data losses looks set to rise further, this might not be as bad as it seems. The OSF has already reported 170 losses this year, so 2009’s total could exceed even 2008’s record losses. But it could also be that the number of reported incidents are increasing, as a result of greater scrutiny by regulators and the media, and even as a result of organisations’ own, more rigorous security policies.
“[Data from] US agencies subject to the Federal Information Security Management Act (FISMA) show us clearly that when an agency is required to detect incidents, and then put in place incident response processes, the number of incidents jumps even as security improves”, says Andrew Jaquith, a senior analyst with Forrester Research, based in Cambridge, Massachusetts.
“In other words, when you are looking for something, you tend to see it more often. But as information security programmes improve, the number of incidents detected tends to plateau as the reporting systems stabilise”, he says.
Over the last few years, organisations have invested significant money into data loss prevention, in physical security measures such as enhanced perimeter security and better detection and monitoring systems, and in emerging technologies such as data loss prevention tools. But managers and boards are also becoming more aware of the need to act before data is lost, or stolen.
“People are making more of an effort to understand the risks now”, says Rob Swainson, CEO of Blue Cube, an independent IT solutions provider and consultancy. “Organisations are taking more steps to protect data, for example by encrypting it or controlling mobile and plug and play devices.”
Public shame, business risk
One reason that businesses in particular should be looking at education, is the very real risk of reputational damage, following a data loss.
“The key driver [for businesses to improve data loss prevention] is the media visibility of these incidents”, suggests McAfee’s Day. “Businesses are more worried about the damage to their reputations, than the legal issues of breaching the Data Protection Act or industry-specific regulations.”
Organisations can suffer damage, too, even where organisations can prove that the data breach was not caused by a fault of their own, but a result of malicious activity. Hacking and website attacks remain a greater source of data breaches than either accidental loss or ‘insider’ breaches. However, the public and stakeholders, especially investors, are unlikely to offer much sympathy in either case.

Businesses are more worried about the damage to their reputations, than the legal issues of breaching the Data Protection Act

Greg Day

“The side effects of data loss are hard to gauge”, cautions Forrester’s Jaquith. “There have been several studies on the negative impact on share prices for companies that have suffered a breach, but the results have been inconclusive. Certainly, when a company loses control over customer information it has custody of, it also suffers a loss of trust with its customers. The impact is greater with companies [where customers have] lower switching costs”, he adds.
“In practice, the primary side-effect of a data breach is that it invites scrutiny from business partners, and sometimes results in direct financial losses or reduced business. [US financial company] Heartland Payment Systems, for example, was removed from the Payment Card Industry's list of certified payment processors. This is a huge risk to their business”, continues Jaquith.
As Jaquith suggests, customers of commercial companies that lose their data can always vote with their feet, and take their business elsewhere. This is not an option open to users of public services, and one reason public organisations that have lost records have been subject to so much criticism. It is also the thinking behind measures such as FISMA in the US, and the EU’s Data Protection Directive.
If organisations, both public and private, face a public dressing down following a data loss, CIOs and CISOs will be under pressure from their boards to reduce or contain the number of incidents. This requires a two-fold approach.
Secure what you keep, reduce what you collect
Organisations will need to take steps to ensure that their security measures, as well as practices, are up to date. Security experts warn that, especially in challenging economic times, incidents of crime including fraud are likely to increase. There is some evidence from the large security monitoring networks that phishing and other cyber-crime attacks have already risen.
In addition, there is the further danger that disgruntled ex-employees might take sensitive data when they leave an organisation. Plus, there are few guarantees that even honest workers – when faced with redundancy – will remember to return every USB memory key or remove all company data from personal devices such as smart phones.
“We will see as many, if not more, data breaches as a result of the economic slowdown”, cautions McAfee’s Day. “The economic environment has also meant that some projects have slowed down or been paused. Companies have finite budgets, and so are looking to sustain rather than to evolve their information security.”
Day suggests that organisations can, though, free up funds to bolster data loss prevention measures by taking costs out of other areas of IT security. He also suggests that CIOs and CISOs should be firmer in asking business lines to “invest a penny now, to save a pound later”, when it comes to preventing data loss. “IT should not shoulder the responsibility for data loss alone. It is a business problem, and a business decision on how and when to tackle it”, he says.

People are still throwing technology at the problem, rather than looking at processes, and at education

Rob Swainson, Blue Cube

At the same time, IT departments should be cautious about automatically spending on data loss prevention technologies, cautions Mark Chaplin, a researcher at the Information Security Forum.
Data loss prevention tools, although they have a role, suffer from many of the limitations of early intrusion detection and intrusion prevention systems. Not least of these is the potentially high numbers of false positives, where legitimate business traffic is blocked by the system, causing inconvenience to business users.
“There is technology to monitor transactions and the flow of information between one place and another”, he says. “This is not that different to the IDS technologies of 10 years ago. It is a similar type of database, checking for patterns of attack and data that fits that pattern, which is going out of the organisation… the technology has been available for some time.”
Chaplin recommends that companies go back to their experience of deploying IDS, in order to find ways to deal with monitoring, compliance and the large quantities of log data that such systems generate. He cautions, however, that data loss prevention tools cannot be a total solution, not least because they struggle to cope with encrypted files. Yet encryption is being mandated by many businesses, in order to cut down on data loss.
As a result, organisations handling potentially sensitive data should make sure that they invest sufficient time and effort in creating policies and practices aimed at preventing data loss. This might include access controls to key applications and logging who is using them, and when. Locking down USB ports is a partial solution, but educating staff about their responsibilities to company and customer data is more effective, over time.
“People are still throwing technology at the problem, rather than looking at processes, and at education”, says Blue Cube’s Rob Swainson.
At Forrester Research, Andrew Jaquith has a more radical solution: persuade companies and public sector organisations to collect less data.
“This is an area where the US has much to learn from the EU - the European Privacy Directive, for example, has created incentives to limit data collection. This should be strengthened”, he says. “As long as companies and government believe it is cheaper to collect information than it is to not collect it, they'll keep collecting it.”
And as long as data is collected, there will be people who will lose it, or be willing to break the law to obtain it. “As long as that's true, the places where that information is collected will continue to be a target for attackers”, he says.
Secure USB drives in the NHS
Hospitals face a daily challenge to be more efficient, but without putting patient and other sensitive data at risk.

With staff at NHS trusts often working across multiple sites, and often an urgent need to transfer patient data from one place to another, using USB drives and other portable devices is hard to avoid. At the same time, trusts do not have unlimited budgets to introduce complex security measures.

West Suffolk Hospital NHS Trust is one of the early adopters of encrypted USB memory devices. The trust, which runs the West Suffolk hospital in Bury St Edmunds, introduced around 150 SafeStick USB drives, from vendor BlockMaster, last November. BlockMaster has since won a two-year contract with the NHS to supply up to 100 000 of the devices.

“USB sticks are the most convenient method of transporting information”, says Mel Hodson, IT procurement manager for West Suffolk Hospital NHS Trust. “Generally we have used the sticks, but with confidential information going via NHS email. Now, we are a lot happier if a SafeStick is mislaid. We can lock down a SafeStick using the software, so that nobody can use it. Once that’s happened, it can’t be accessed by anyone.” Staff are also unable to copy sensitive data to standard USB drives.

End users can reset the PIN on a SafeStick if they forget their details, but doing so erases its content; however, the IT department can reset the device and preserve the data. “We have reset a few, but we’ve not had to block many sticks”, Hodson says.

Indeed, now that the trust uses secure memory sticks, it has seen fewer losses. “It has been the reverse, in fact”, says Hodson. “You have to sign to take a stick out, and users are being a lot more careful. The cost is higher with an encrypted stick, but it is also making departments think twice about how many people will be issued with them.”


What’s Hot on Infosecurity Magazine?