Thursday, September 18, 2008

FT.com / Digital Business / Personal view - Going for a song

Going for a song
By David Ford, chief executive of Securecoms Ltd

Published: September 18 2008 16:52 | Last updated: September 18 2008 16:52

Keeping confidential information secure seems to be getting harder and harder. It’s not enough to protect your own networks, computers and storage devices – you must also worry about anyone else who might hold your data.

We need to consider very carefully what happens to confidential and personal information when it’s in our possession and, importantly, when it leaves our offices. Electronic data takes on a life of its own. While photocopying paper files is a lengthy undertaking, copies of electronic data are created in moments and then cease to be accounted for. Just ask someone to look at the contents of their USB stick – almost always you’ll find documents there which should have been deleted long ago.

With scandals about sensitive data being lost, or popping up where it shouldn’t, seeming to occur daily, the urgency of addressing the security implications of our ever-increasing technological capabilities has become acute. We are now examining the security of the various devices we carry outside the office, but we’re still overlooking the main route by which confidential information leaves the security of our office networks – e-mail.

Every day, highly confidential information travels round the internet insecurely. We wouldn’t dream of entering our credit card details on an insecure web page, and we certainly wouldn’t conduct our online banking that way, yet we use e-mail to transport the majority of written business communication. Businesses of all sizes, and their advisers, send every conceivable sort of confidential information via e-mail – either contained directly in the e-mail or, increasingly, using e-mail as the conduit to send documents as attachments.

Using e-mail is like sending your communications by postcard. Actually it’s worse than that. Postcards, at least, remain in the possession of the post office until delivered. E-mails, on the other hand, travel across an insecure public network and pass through many unknown points before arriving at their destination.

We rage when we hear the latest story about a government laptop being lost or stolen, or a memory stick being mislaid, or CDs being lost in the post, yet we are all guilty of similar security lapses by sending unprotected confidential information out via e-mail.

Public companies, for example, send price-sensitive information via e-mail to their various advisers in the periods before announcements are made. The Financial Services Authority has expressed concern that there is too much leakage of sensitive information and has reviewed the whole area of IT. However, although it recognised that external network connections should be secured by encryption (recommending the use of VPNs), it made no similar recommendation about the encryption of e-mails. It made the obvious point that sensitive information should not be e-mailed to web-based e-mail accounts (presumably meaning free e-mail accounts) and that “address auto-complete” should be disabled, but it didn’t devote any deep thought to the whole issue of the insecurity of e-mail.

Similarly, the Information Commissioner’s Office has not tackled the issue of insecure e-mail. The ICO accepts that sending unencrypted e-mail over open networks poses a security risk but, since its resources are stretched, it is concentrating on what it sees as more pressing problems – unencrypted laptops, disks and memory sticks. In other words, it is not prepared to take a lead, preferring to react to events after they occur.

The only organisations in the UK that have made clear recommendations on this topic are the Law Society and the Bar Council. However, despite this advice from their professional bodies, more than 99 per cent of e-mails sent by solicitors and barristers are still sent insecurely.

The situation is not complicated. We have developed technologies that enable us to store and manipulate masses of personal and confidential information with ease. These capabilities impose a responsibility on us to ensure information is kept securely. We have accepted for some time that we must keep our internal networks secure.

However, now that it has become so easy to take or send information outside the secure environments we have built, we must ensure it is properly protected en route. This must be true whether information is carried on a laptop or a USB stick or sent out on a CD or an e-mail. An appropriate form of encryption is the only real security solution.

Until this simple principle is adopted by all of the main regulatory authorities and the message is clearly conveyed to all of us who deal in confidences, whether our own or others’, nothing will be done. Only when secure e-mail becomes an expected norm will we adopt the necessary systems to ensure that stories about yet another scandalous loss of personal data or confidential information become a thing of the past.

David Ford is chief executive of Securecoms Ltd and former managing partner of Tarlo Lyons, the law firm
Copyright The Financial Times Limited 2008