As a risk manager or security professional, what’s your reaction to the recent Kroll Global Fraud Report? It states that theft of information and data has surpassed all physical theft for the first time. So do you check that your firewalls are up to date? Do you ensure that your SIEM (Security Information and Event Management) system is adequate? Or do you update your antivirus and patch management?
I suspect you do - that’s all good practice, after all. But the trouble is, those tools will only protect the hard outer shell of your IT system, and as the Kroll report highlights, it’s the system’s soft underbelly that is now the greatest concern. According to the report, fraud is largely an inside job across all geographies and industries. Some 44 per cent of respondents attributed fraud to employees and a further 11 per cent identified agents or intermediaries as the key perpetrators.
That’s right: more than half of all fraud comes from inside the organization. I suspect the truth of it is even higher, and between the growth of shared systems (invited guests) and the growing penetration skills of today’s adversary (uninvited guests), I suspect this trend will only increase.
To combat this threat and protect their data, businesses and data centre managers need to bring security inside the data centre, with the latest encryption and access management tools. Many systems, such as databases, disks and tape storage, now have encryption built in as a standard feature, but even with these in place security cannot be taken for granted.
The practical Achilles' heel of encryption is key management. Once data is encrypted, it is readable only if the decryption key is available to unlock it; consequently, the key becomes as valuable as the data it protects. Encryption keys need to be stored and managed effectively to keep data secure against threats while remaining available to legitimate users when needed. If a company's key management is ineffective, it runs the risk of losing keys, and therefore data, permanently.
In the physical world we’re well used to applying appropriate protection to our different assets: we lock our houses, but our most valuable possessions go in safes. We’ll leave our coats and bags at the café table when ordering but we’re careful to take out our phones and wallets first. These same intuitive principles of appropriate and selective asset protection also apply to information assets.
I’m not going to suggest you should encrypt everything – that’s exactly the wrong thing to do. But identifying valuable information assets and encrypting data at rest, in transit and in use, can, along with secure access management, protect your data from the inside threat in a way that protecting the periphery of your IT systems cannot. It’s much like locking away the family silver before opening the doors for the seasonal house party.
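The two points above, that the key is as valuable as the data it protects and that encryption should be applied selectively to the assets that matter, can be shown in a few lines of code. The example below is added here and is not from the Kroll report or the author: it is a small Go program (chosen because AES-GCM is in Go's standard library) using the envelope-encryption pattern. A customer record is constructed with a name left in the clear and a card number that is sealed under a per-record data-encryption key (DEK); the DEK is then wrapped under a key-encryption key (KEK) that is never stored beside the record. The record fields and the sample card number are constructed for illustration, and the KEK is generated in memory here where a real deployment would hold it in a dedicated key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is a constructed customer record: Name stays in the clear, CardPAN is the asset worth sealing.
type Record struct {
	Name, CardPAN string
}

// EncryptedRecord is the stored form: the sealed field plus the per-record
// data-encryption key (DEK) wrapped under the key-encryption key (KEK).
type EncryptedRecord struct {
	Name                string
	CardPAN, WrappedDEK []byte
}

func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 256-bit AES key
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; the GCM tag makes a wrong key fail with an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptRecord seals only the sensitive field under a per-record DEK, then
// wraps the DEK under the KEK; the KEK is never stored next to the record.
func EncryptRecord(kek []byte, r Record) (EncryptedRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return EncryptedRecord{}, err
	}
	pan, err := sealGCM(dek, []byte(r.CardPAN))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := sealGCM(kek, dek)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{Name: r.Name, CardPAN: pan, WrappedDEK: wrapped}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the field. Without the KEK a stolen record is useless; if the KEK is lost, the data is gone.
func DecryptRecord(kek []byte, e EncryptedRecord) (Record, error) {
	dek, err := openGCM(kek, e.WrappedDEK)
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := openGCM(dek, e.CardPAN)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: e.Name, CardPAN: string(pan)}, nil
}

func main() {
	kek, _ := NewKey() // in production the KEK lives in a key-management system
	enc, _ := EncryptRecord(kek, Record{"A. Customer", "4111111111111111"})
	lost, _ := NewKey() // simulate the original KEK being lost and a fresh one issued
	_, err := DecryptRecord(lost, enc)
	fmt.Println("decrypt with a different KEK:", err)
}
```

Running it shows the point of the passage: the database holds the name, the sealed card number and the wrapped DEK, so an insider who copies the table gets nothing usable, and the same property means that an organisation which loses its KEK has lost the card numbers as well. The key-management question is therefore not how to hide one more secret but how to back up, restrict and audit access to that single KEK.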