Security by numbers
Posted on 16 Jun 2008 at 11:06
This month, Davey Winder sets the security standard, reveals how humans can be hacked and doesn't get caught on video naked...
Even so, in order to infiltrate and stand a chance of being accepted in that role, the hacker first has to physically gain entrance to the building. This is not, sadly, as hard as you might imagine. Armed with nothing more sophisticated than a half-eaten sandwich or a large latte, a would-be hacker will often simply "tailgate" through the front door at lunchtime when other workers carrying half-eaten sandwiches and cups of latte are coming and going in their droves. To stand an even better chance of gaining entry this way, old hands will wear a suit minus the jacket to make it look as if they'd just popped out for lunch.
The back door is also increasingly a site for attacks by tailgating hackers, especially now that you can always find a bunch of smokers hanging out around there. The hacker takes up the smoking habit for about ten minutes, before walking back in through the door with a couple of new-found workmates. Goods-in entrances are usually better secured, but even there a man wearing motorbike leathers, carrying a crash helmet and parcel, and expressing an urgent need for the loo, can get a lot further into the building than he ought to.
The solution is simple: create a physical entry restriction policy and stick to it. Make sure that all staff are aware that everyone must enter their own door code, use their own ID swipe cards, and prove who they are and what their business is before being admitted. Technology is your friend, and what might have seemed like James Bond fantasy a few years back has become an affordable reality today: fingerprint scanner locks; ID swipe cards; even RFID tags to track staff and visitors within the building are within the grasp of all but the smallest of businesses.
Tunnel vision
It's all too easy to develop something like tunnel vision when dealing with security matters that exist within your own business, because you have access to only a narrow view of security policy. But it's becoming increasingly apparent that those organisations that have employed strategic and (most importantly) enterprise-wide approaches to encryption are experiencing far fewer data breaches.
That, at least, is among the findings of the latest Ponemon Institute 2008 Annual Study: UK Enterprise Encryption Trends, which interrogated 650 IT and business managers, analysts and executives and has been my bedtime reading during the week that I penned this column. You can read the full thing yourself as the report is free to download from www.pgp.com/downloads/research_reports/index.html, although registration is required so expect to have to give up some personal data.
I can report that the key findings so far as I'm concerned are that while some 60% of UK organisations have experienced a data breach, only 49% expect to deploy a single enterprise-wide key management solution this year. Slightly better news can be deduced from the fact that laptop data encryption has crept up from 10% to 12% of people using it "most of the time" over the course of last year. It's hardly brilliant, though, as it implies that 88% still don't, which is kind of surprising given that 58% of those surveyed this year said they were using encryption to comply with privacy and data security regulations, compared to only 17% last year.
Obviously, there's an understanding of the broader picture here, but perhaps not the will to go the whole hog and do something about it. This could prove to be a very costly mistake indeed, since separate research by the Ponemon Institute also found that the cost of data breaches in the UK averages £47 per record compromised - or, to put it another way, according to the research, that works out at an average of £1.4 million per breach at enterprise level.
Printed from www.pcpro.co.uk