Five steps to security Nirvana
Encryption alone is not enough for securing data, says McAfee's VP and CTO of data protection, Simon Hunt.
Speaking at the ITWeb and McAfee Executive Summit at Monte Casino yesterday, Hunt gave an insight of what companies should do to ensure maximum security of their data and intellectual property.
He said the risk companies run in having minimal or no security is that there can be fines incurred, negative press attention, and naming and shaming by government, to name a few. “It's just plain embarrassing, too,” he said.
“Hackers are no longer kids just trying to be clever... it's organisations which realise that hacking is lucrative, and it is,” Hunt noted.
He said just about anyone can download a Trojan and have access to, for example, banking databases.
“It just depends on how clever the criminal is and whether he gets caught or not... the fact is that information is at risk,” even though there are over 4 000 individual data security laws.".
Hunt pointed out that someone may send a credible e-mail with invisible malware, noting that although experts know technically what most Trojans do, in some cases they have "no idea" what the real world impact of the changes they make are.
“South Africa has a few laws like the proposed Protection of Personal Information Bill, which restricts access to personal data,” he said, however, noting that the laws are not enough.
“Although some cyber crime is accidental, it is the intentional crime - insider threat from disgruntled employees and incorrect protocol - that needs to be watched.
“We need to take practical steps in protection, as this is an ongoing challenge... companies have a duty to protect information and sensitive data like personal, business, trade secrets and intellectual property.”
Although security is incident-driven, said Hunt, a practical preventative approach is needed. He outlined five steps that companies need to take to secure their data.
For one, he said, companies need to accept that there is cyber crime; that it is a challenge; and that through virtualisation, cloud computing, mobile empowerment, employees having remote access, divulging information to partners, supplier and customer data is at risk.
“Secondly, you need encryption.” Hunt pointed out that hardware and passwords can be stolen and things like USB sticks can get lost or waylaid, and non-encrypted hardware puts the company at risk of data being stolen along with the hardware. “Encryption allows you to monitor and prevent data loss.”
Removable media needs to be monitored, he noted. “Every single USB stick cannot be accounted for; and although they are necessary, they're also dangerous.”
Hunt added that companies need to secure sensitive data to screen and monitor how it moves around. “Focus on the critical data first, and involve the stakeholders so that everyone knows how the information is moving.”
The fifth and final “step to Nirvana”, he noted, is data loss prevention. He said companies often boost their security after being caught off-guard.
"Companies need to prevent these attacks rather than being reactive, but trying to solve all the problems at once is like drinking water from a fire hose. They should tackle the biggest problems first, get that fixed and the move onto the less significant risks."
He said all of this can be achieved by putting policies in place, preventing leakage via firewalls and doing forensic traces of where the information goes, who accesses it, at what time and to know that attacks evolve, as technology and data also evolve.
“No company is 100% secure, but these steps can lead it to being secure.”