• open panel
  • Home
  • Posts Tagged'data breach'

Posts Tagged ‘data breach’

Powys County Council might have saved £130,000 by using Ipswitch MOVEit DMZ

This month the UK’s Information Commissioner’s Office has served a Monetary Penalty Notice of £130,000 to Powys County Council, after the details of a child protection case were sent to the wrong recipient. The penalty is the highest that the ICO has served since it received the power in April 2010. The severity of the penalty reflects the fact that the local authority had already received a warning from the ICO to tighten up its security measures following a similar breach.

Over the past 18 months Pro2col has worked closely with a number of County Councils looking to implement a simple way of securing person to person, ad hoc   file transfers.  Additionally, with County Councils looking to centralise or share the cost of services (Shared Services), Ipswitch’s MOVEit DMZ with the Ad Hoc module has proved a very popular choice, especially considering the cost of the Enterprise licence in comparison to other vendors.

MOVEit DMZ has another extremely popular feature – the option to licence multiple organisations on the same server, providing separate branding options for other services, e.g. Fire, Police, District and Borough Councils, whilst keeping users and data separate.  This dramatically reduces the total cost of ownership.

If you’re a Council with a requirement to secure person to person file transfer whilst benefiting from an industry leading secure file transfer server, then speak to one of our consultants. We’ll assess your individual requirements and help you to evaluate the best solution for your needs from the market leading managed file transfer vendors with whom we work.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Should I Use Transport Encryption Or File Encryption

This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.

My answer: “Use both of them, together!”

For starters, here’s a real quick summary of both encryption types:

Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS. Leading solutions use encryption strengths up to 256-bit.

File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents. PGP is commonly used to encrypt files.

Encryption Code

I believe that using both together provides a double-layer of protection. The transport protects the files as they are moving and the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.

Here’s an analogy: Think of transport encryption as an armoured truck that’s transporting money from say a retail store to a bank. 99.999% of the time that armoured truck will securely transport your delivery without any incident. But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.

One last piece of advice: Ensure that your organisation has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information. Although it’s an amazing accomplishment that FTP is still functional after 40 years, please realise that FTP does not provide any encryption or guarantee of delivery – not to mention that tactically deployed FTP servers scattered throughout your organisation lack the visibility, management and enforcement capabilities that modern managed file transfer solutions deploy.

Original: Ipswitch File Transfer

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Saving money by ignoring data security – a false economy?

We hear it in the news week in week out.  So and so company has left a laptop on a train containing 4 million unencrypted customer records, a hacker has infiltrated an online payment system stealing thousands of unsuspecting UK consumer credit card details – even today I have walked through the door and the first news alert in my email begins, “ChoicePoint to pay $275,000 for second data breach.” I can’t help but wonder why data security is failing?

Recently, I’ve begun research into the current state of data security in the UK. As part of my research I contacted the ICO (Information Commissioner’s Office) and asked them to provide me with figures detailing reported breaches in the UK over the last few years.  According to ICO figures, 2008 saw the loss of sensitive data on 341 separate occasions, spanning all industry sectors.  So far this year, we as a nation have seen 348 instances of compromised data and we still have 2 1/2 months to go!!!  Before I progress any further I must emphasise the use of the word ‘reported’.  According to a study conducted by The Ponemon Institute using a sample of 615 UK based companies, 70% of the companies surveyed experienced a data breach in the last 12 months – a worrying discovery in itself.  Even more surprisingly, nearly 40% of those surveyed failed to publicly announce a breach in their security, as there’s no legal or regulatory requirement to do so because they are a private sector organisation.

data and lock

Taking into consideration the growing prevalence of digital business systems and processes over the past decade, we all must be aware of the importance of data security in our digitally dominated world.  Especially in light of the abundance of publicity surrounding data breaches – surely it must weigh on the minds of CIO and IT personnel?  So if we are all so acutely aware of the risk, why do some companies not take the precautionary measures required to secure the data they hold or transmit?  I can only make assumptions regarding the factors involved and I would speculate its the cumulative result of a number of factors.

Firstly, the big stumbling block – finance.  From experience, I know there are companies out there that struggle securing the necessary funds from their annual budget to address data security as its often deemed non-critical, especially in the current economic climate.  With the inhibitive cost of some of the security solutions out there, I can’t really blame them.  On the other hand, there are lots of providers emerging in the marketplace offering affordable, scalable solutions, that provide not only the data security they need but also the ability to streamline business processes and reduce operational costs.  Solutions such as this, can provide a significant return on investment and in the long term actually save money – a win-win situation!

The financial consequences of a data breach should also be taken into consideration.  According to a study coordinated by The Ponemon Institute back in 2008, the average cost of a UK data breach incident is £1.73 million – substantially more than the cost of securing the data in the first place!  Then you have to take into consideration the financial implications of a blow to a companies reputation – these intangible costs are likely to be well in excess of any fines.

Secondly, I feel the lack of legislation has a big part to play in the predicament organisations find themselves facing.  Apart from a select few e.g. PCI DSS, the only legal guidelines UK businesses are currently required to abide by, are those outlined in the Data Protection Act.  The problem is, up until very recently the majority of this act has been unenforceable (more to come on that later).  I can’t help but feel this lack of legislation and an authority body promotes a certain amount of apathy in organisations.  If all of these companies in the public eye are receiving minimal fines and a slap on the wrist for contravening Data Protection laws, what is the motivation to spend money on securing data?  Consequently, many organisations opt to sit on an unexploded time bomb and when it finally blows (which it inevitably will)  hold their breath and hope no one gets wind of the incident during the aftermath and leaks the news to valued customers.

The recently appointed UK Information Commissioner, Christopher Graham, has addressed this very issue during his first speech at the Annual Privacy and Data Conference in London on 8th October.  The crux of his speech is that change is afoot.  Mr Graham made it perfectly clear that data privacy and information security are now ‘top of the agenda’ and with the new powers of enforcement being granted to the ICO in the forthcoming Coroners and Justice Bill, he fully intends to use them to maximum effect.  He added: “we’re going to have the resources to go after the bad boys – there’s a well-funded regulator that will hit you hard if you get it wrong… if you don’t take this stuff seriously its going to bite you in the bum.”  He also stated, “If you breach the law you’re going to be in trouble.  It (compliance with data privacy law) isn’t a nice to have – it’s the law of the land.  You will destroy brand value and reputation (by ignoring it).”  Some strong words!

Finally, although aware of the viable threat of data breaches, from our experience as security specialists we have dealt with a number of companies who believe their data is completely secure when in reality – it isn’t.  Therefore a lack of insight and knowledge when addressing company wide data security systems can result in inadequate protection.  This is where the value of a security specialist comes into play.  We can’t be masters of all trades, sometimes its beneficial in the long run to let the experts work their magic as data security can be a minefield, its best left to the professionals.

Taking into consideration the consequences associated with the loss of sensitive data, such as the tangible cost to the company and more significantly a serious blow to reputation, is it really worth risking the security of your company’s data to save money in the short term?

See here to find out more about some of the secure file transfer solutions available in the marketplace.

Share on TwitterShare on FacebookShare on LinkedIn+1
 
© Pro2col Ltd 2012 | Terms of Sale | Privacy Policy | Sitemap
Part of the Pro2col Group