Cloud Collaboration And Content Management: The Great Myth Over Security

Millions of users who place documents into the Dropbox storage servers, or other Cloud-based collaboration solutions such as Huddle, each day are potentially putting their data at risk, despite the belief that it will be safe and secure. This is according to Simon Bain, CTO of Simplexo.

Despite findings from the Cloud Industry Forum, which have highlighted that data security is uppermost in the minds of 62 per cent of businesses in the UK, corporate Britain is seeing a dramatic increase in the use of Dropbox and its competitors, such as Google Drive, Huddle, Box Net and Jungle Disk, thanks to the rise of employee adoption.

Simon Bain stated: “With the glare of security very firmly focused at Google and its new Terms and Conditions for the Google Drive, we should not forget that other players in this market also have similar T’s & C’s.”

“Corporate users need to look more closely at how they are using these services, particularly syncing, which is a really important part of a Cloud storage offering – in other words having all of your files available from anywhere. But do users realise that in a lot of cases their files are physically downloaded to their devices? If you lose a device, or leave it unattended, all of your files are accessible to a third party,” he continued.

In the rush to have documents available everywhere, corporate and data security has been marginalised, often for ease of use for the end user and simplicity of providing the service.

“Google has proved over the last 10 years that user data really is king. Most of Google’s profits come from targeted advertising based on their users’ data – Location, Search Phrases, Blogs etc. This is exactly the same business model that Facebook and others are trying to emulate. With Facebook it is based on the data that you place on to their social network. With Dropbox and the other Cloud storage providers, they are also looking to monetize the information that you place within their storage. As a corporate user you need to be careful that you do not break your own company’s employment policies when you use these services, but also that you are not breaking state or national data protection legislation. As I have said, ‘Data is King’; this is true also of your data for you. Sales records, quotations, bank statements. Do not give these away.”

“I am obviously a believer in using the ‘Cloud’ as a way forward for both personal and corporate life. However, there are certain guidelines that I think need to be adhered to before we all start throwing our hard disks away and placing everything in to the hands of others.”

“While security on the Cloud servers is very important overall, document security cannot be overlooked and I think suppliers do have responsibility for this. The likes of Dropbox need to be more open with their users and not hide behind T’s and C’s.”

Some of the questions we need to be asking are:

  • Can somebody access our data?
  • Is your data only yours? Or does your agreement with your provider actually sign usage over to them? (Check, as most providers do exactly this.)
  • Are the servers that my information is stored on secure?
  • Is my store separate from others? Or is there a large silo that everybody’s files get dumped in to?
  • What about the files? Are they encrypted?
  • If there is an on-line search capability, is it secure or does it hold plain text in a database?
  • If a hacker gains access to the servers, can they see my files?
  • Are my login details and/or user credentials held on the server?

Bain said: “Get positive answers to these questions before placing any documents into a store unless the data has no commercial value. Banks go to great lengths to make sure that we are secure during our on-line banking sessions. So why go and drop your bank statement in to an on-line box?”

By Simon Bain, CTO of Simplexo

Enforcement Of “Cookie Law” Requires Action By All Businesses With A Website

UK businesses could face fines of up to £500,000 if they fail to meet tough new website privacy laws which come into force this month, according to EMW, the commercial law firm.

EMW warns that there are no exceptions to the law for smaller businesses.

The regulation will come into effect on 25 May 2012 and will mean that visitors to a website will have to give permission for the website to download ‘cookies’.

A cookie is a temporary computer file which gathers information about the user’s online activity. It is activated by a user when they access particular pages on a site. The cookie is sent from the website to the user’s computer and remains once they leave the site. When the user returns to the site the cookie allows the website to remember their preferences and settings.

“The effect of this change in the law will be far-reaching; any business that has a website will almost certainly use cookies at some point or other. The upcoming deadline is a wake-up call for those businesses that have not yet updated their website to gain consent from users,” Matthew Holman, Solicitor, EMW, said.

EMW explains that the old law only required businesses to give users the opportunity to ‘opt out’ and was often done by referring to the cookies in a privacy policy.

“This law marks a major shift in responsibility for the use of personal data: previously the user had to opt-out, now the user has to opt-in from the beginning,” Holman continues.

EMW says that businesses need to take three practical steps to prepare for the new rules:

  • review what cookies are used by their website
  • decide on the appropriate course of action to ensure that consent is obtained for the use of cookies (i.e. using pop-ups or banners on the website to obtain consent)
  • ensure that these measures are implemented on or before 25 May 2012

“The risk of a £500,000 fine for extreme infringements of the rules should send a strong message to businesses that they must be ready in time,” said Holman.

EMW says that those businesses that have already taken action to deal with the new law should make sure that the website’s cookie message is clear, user friendly and understandable.

“For most businesses it is very important that web users enjoy using their websites, so strict compliance with the law is not enough,” adds Matthew Holman.

“To be successful, businesses need to make sure that their website also remains user friendly. That can be quite difficult to do when asking users for permission to use their personal data. To this end, collaboration between web designers and lawyers is important to ensure that the website meets the legal requirements whilst remaining pleasing to the eye and user friendly.”

By Matthew Holman, Solicitor, EMW

Preventing Data Loss In Small To Medium Sized Businesses

Small to medium sized businesses (SMEs) need to be more proactive and preventative in their approach to data loss. With the ever-improving advances in technology combined with a ‘relaxed’ office environment, employees are increasingly taking personal devices such as USB memory sticks, iPads, iPods and even smart phones into the workplace. These same devices can be used to remove or copy sensitive information whether it is to work remotely or more sinisterly for malicious intent and financial gain.

There are multiple outlets for data on the modern PC through USB and other peripheral ports. These ports can be used in many ways to extract data at high speed, including via removable hard drives and other devices, and they are one of the most vulnerable routes by which sensitive data leaves an organisation.

Establish policies to keep private data secure

It is evident that the solution needs to be a compromise: strict policies need to be implemented by IT administrators for USB port usage, but on a more granular level.

Firstly, USB storage devices are actually a convenient and efficient way to legitimately transfer and transport data. Travelling workers, tech support staff, IT consultants, students, and many other users have valid reasons for carrying data on removable storage devices and therefore this becomes a major challenge for IT administrators to control without crippling productivity.

Secondly, organisations also need to put policies in place to prevent potential security breaches and data theft as a preventive method rather than waiting until the violation has occurred. A recent report in March this year on data breaches in the UK showed that negligence, in which employees lose vital data on laptops, phones or USB sticks, accounted for 31% of cases. The report also highlighted that the average data breach costs UK firms about £1.9m annually.

The lockdown of USB devices, other removable storage devices, and communication mediums (such as Bluetooth, WiFi, and even Serial and Parallel ports) protects networks against malicious software attacks and prevents sensitive data from getting into the wrong hands. Microsoft Windows’ built-in Group Policy provides an all-or-nothing lockout on USB storage. However, this method is not sufficient for many organisations that need a more fine-grained approach to which devices and ports can be used, how they can be used, and who can use them.

Through third-party software, IT administrators have the power to be more granular when setting these security policies. Having granular control over each device type (for USB devices this includes serial numbers, product IDs and vendor IDs), organisations can limit access to specific device classes, and can also restrict “read” but not “write” for users of CDs and DVDs. When selecting a third-party solution, the ability to determine who on the network has permission to use certain devices based on their group, computer class, type of device or any other established factor should be easily achieved. Organisations should look for software solutions that can lock all possible avenues of data leakage, and put permissions and policies in place to control who has access to which files, where and when.
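The granular model described above can be sketched as a small default-deny policy evaluator. This is an added example, not code from ScriptLogic or any other product; the names `Device`, `Rule`, `decide` and `authorize`, the group names, the device IDs and the "most specific rule wins" precedence are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"deny": 0, "ro": 1, "rw": 2}              # lower = more restrictive
ID_FIELDS = ("vendor_id", "product_id", "serial")

@dataclass(frozen=True)
class Device:
    dev_class: str                                 # e.g. "usb_storage", "optical"
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    group: str        # "*" applies to every user
    access: str       # "rw", "ro" or "deny"
    pattern: Device   # ID fields left as None match any value

    def specificity(self):
        return sum(getattr(self.pattern, f) is not None for f in ID_FIELDS)

    def matches(self, groups, dev):
        if self.group != "*" and self.group not in groups:
            return False
        return self.pattern.dev_class == dev.dev_class and all(
            getattr(self.pattern, f) in (None, getattr(dev, f)) for f in ID_FIELDS)

def decide(groups, dev, policy):
    """Most specific matching rule wins, ties go to the stricter one, no match = deny."""
    hits = [r for r in policy if r.matches(groups, dev)]
    top = max((r.specificity() for r in hits), default=0)
    return min((r.access for r in hits if r.specificity() == top), key=RANK.get, default="deny")

def authorize(user, groups, dev, op, policy, audit):
    """op is "read" or "write"; every attempt, allowed or not, is appended to audit."""
    access = decide(groups, dev, policy)
    allowed = access == "rw" or (access == "ro" and op == "read")
    audit.append({"user": user, "op": op, "serial": dev.serial, "allowed": allowed})
    return allowed

# Constructed sample policy and devices; every ID below is made up.
POLICY = [
    Rule("*", "ro", Device("optical")),                       # read CDs/DVDs, never burn
    Rule("staff", "ro", Device("usb_storage", "1234")),       # one vendor, read-only
    Rule("it-support", "rw", Device("usb_storage", "1234", "abcd", "ISSUED-0001")),
]
ISSUED = Device("usb_storage", "1234", "abcd", "ISSUED-0001")
PERSONAL = Device("usb_storage", "9999", "0001", "HOME-42")
```

Because denied attempts are written to the same audit list as allowed ones, the list is the raw material for the kind of reporting on restricted activity that the next section relies on.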

Despite best efforts, breaches still happen. Now what?

If appropriate security measures were in place, administrators could find out how an individual may have taken the data and whether it was by mistake or intentional. Centralised reporting will also allow administrators to see all attempts at restricted activities, including who attempted them, what type of activity, when and where.

In order to create a balance between employees and SME businesses, strong but flexible security practices surrounding removable media devices need to be put into place. Employee satisfaction is an important factor in running any successful company, but securing company assets is equally if not more vital. Having a high quality software solution that monitors and prohibits the use of removable storage devices is the only way to ensure that data is protected and the network is always secure.

By Nick Cavalancia, Vice President, Windows Management at ScriptLogic

The Importance Of Data Management In Organisations

We live in an information age, where the volume of data processed by organisations increases exponentially.

According to IDC, the total amount of information worldwide will reach 35,000 exabytes in 2020. Businesses currently use approximately 1,200 exabytes, which means information processing will increase at least 29-fold over the next decade.

Managing this plethora of information is a complex task for businesses and it also leaves large corporations highly vulnerable. Only last year, electronics giant Sony was prey to computer attacks which led to the theft of over 77 million PlayStation users’ bank details. Online retailer Amazon suffered a drop in sales after it unintentionally deleted its own customers’ details. After unsuccessfully trying to recover the information, Amazon announced the data had been lost forever.

Data loss is a risk that is frequently overlooked by businesses. It is important for companies to know what processes to follow should data loss occur. It is a risk that is both external, as demonstrated by the Sony hacking incident, and internal, as Amazon’s experience shows. Studies show that potential threats lie within every company. Human error, employee negligence and theft are all likely risk factors.

Every organisation, whether public or private, needs to review its systems and data management processes regularly. As volume and value of information grows, an up-to-date data protection and recovery plan becomes increasingly important.

The difficulty is that IT infrastructures are increasingly complex. There are multiple outlets used by companies: data centers, storage areas, servers, applications, computers, mobile devices, and thousands of files. In the case of public organisations, interoperability issues between various administrations can further increase the risk of data loss.

Designing appropriate security procedures, while crucial, is not sufficient to safeguard a business. Each procedure should be checked regularly to confirm it is fit for purpose. It is crucial to make backups and store data correctly, but there are certain practices that may hinder data recovery. It is often in these unnoticed flaws in a data protection system that data loss actually occurs.

Here are some recommendations to help reduce the risk of data loss, protect confidential information and ensure business continuity:

1) Document and maintain procedures for backing up the organisation’s data

2) Test procedures and backups regularly to ensure they work

3) Include the details of a trusted data recovery provider in a contingency plan, who can provide advice and help should data loss occur

4) Create a map showing the location of the data, file names, where it is stored, and the individual that is responsible for the information

5) Establish a mindset that promotes information security within the organisation. Human error is the leading cause of data loss

6) Know when to delete. Keeping unnecessary data is poor management of the IT department’s budget, so make sure the data in storage is there for good reason

No matter what the cause of data loss, all organisations would benefit from the creation of a thorough and up-to-date data management plan.

By Robert Winter, Chief Engineer, Data Recovery, Kroll Ontrack