Safety first

A number of high-profile data breaches put the issue of information security firmly in the spotlight in 2008.

To prevent the loss of sensitive data, organisations must change the way they store and communicate information, says CPA Global’s Neil Berrecloth. He explains how hosted web-enabled systems, such as FoundationIP, ensure data security without compromising access or availability.

From government records left on trains and hospital data found on second-hand computers to computer hacking in large corporations and paper copies of highly sensitive client information found discarded in bins, data security has become a priority for organisations as never before.

And yet, experts say that recent examples of high-profile data loss are just the tip of the iceberg. Since January 2005, the Privacy Rights Clearinghouse has identified more than 215 million records belonging to US residents that have been compromised due to security breaches.

Managing data risk

As many companies will already know, it’s not simply that such data breaches can result in negative PR; there can be serious cost implications too. Nowhere is this more pertinent than in the field of intellectual property (IP), where data breaches and incomplete records could also lead to missed renewals and weakened or lost IP Rights.

However, when it comes to securing their IP data, many companies are being caught unprepared. They are also being put under increasing pressure by changing government regulations; for example, many countries are introducing strict data breach laws, which now require companies to notify regulators and customers of any security breach of the data they hold.

Experts say that these regulatory obligations, coupled with the need to avoid the bad press that comes alongside high-profile data losses, will result in a noticeable step-change in data management in 2009. For example, they predict that companies will begin to ramp up security technology by investing in employee education and internal protocols.

We are already seeing the early effects of this increased awareness in the use of corporate strategies that prioritise the most sensitive information in order to determine what data potential attackers are most likely to target. In addition to financially-sensitive client information, many companies are beginning to add IP to their list of sensitive data that must be guarded from hackers.

But, while outside threats will always be a problem, studies have shown that the biggest threat by far to a company’s information often occurs through common human actions. A recent survey conducted by RSA, a security solutions provider for businesses, indicated that some of the most significant breaches in 2008 came from within the companies themselves. These breaches often occur when employees are engaged in risky but well-intentioned behaviour such as sending work documents to personal email addresses, accessing email from personal computers or printing multiple, unauthorised or uncontrolled paper copies of sensitive information for their own use or record.

The RSA study also showed that internal job shifts played a significant role in compromised data. An overwhelming majority – 72% of respondents – reported that their company or organisation employs temporary workers or contractors who require access to sensitive information and systems. Many admitted that they did not alter their log-in details once those temporary workers had left.

On the move

The proliferation of mobile computing devices in the workplace has also added to the risk. On the one hand, it has given companies and their employees great flexibility in how they do business, but, on the other, it has created a management headache for compliance with privacy and data security laws, not to mention the work involved in ensuring the integrity of corporate networks and the sensitive data stored within them.

Laptops are a blessing and a curse: approximately 3,000 are found unattended every week at eight of the largest airports in Europe, making data protection on the move a logistical challenge. Beyond the physical computer itself, the features for data transfer available on many modern laptops, such as USB ports, Bluetooth, DVD writers, WiFi and network ports, each create a separate avenue for attacking the security of the device and extracting the valuable data from it.

That is not to say, however, that mobile computing can’t be as secure as desktop computing. Properly managed, laptops can offer the benefits of mobility and the information accessed on them can remain uncompromised. The difference is found in where the data is stored and how it can be retrieved and monitored. 

Centralised and secure

Companies have traditionally chosen to store and manage their in-house records on internal servers, which need to be managed and updated by internal IT staff. There is an impression that storing data in this way is more secure, but in fact the opposite can be true. Remote working provides a pertinent example. Employees must work outside the company network or, more likely, take copies of data with them, either as a hard copy or digitally on their laptops, increasing the risk of a digital or physical data breach.

However, systems do exist that minimise this risk. Instead of storing all information in a server that is located inside the company, there are web-enabled systems that allow companies to access their key data from anywhere in the world. These hosted services (sometimes referred to as software-as-a-service) reduce and control the need to replicate and transfer data and documents. Instead, they provide secure web-based access to a company’s records, which means that any authorised person can retrieve and update files online, from anywhere at any time.

The files, in turn, are stored in one centralised database on a remote server that is managed and monitored by a third-party expert, thereby removing the need for any in-house IT support, while guaranteeing continuous and high levels of security, back-up and access.

Such web-based systems also remove the risk factor in other common forms of communication; after all, how secure is it really if your data is emailed? What about sending documents by post? With hosted solutions, you simply need to prompt colleagues to log on to the system to access new activities and information, and since only authorised users can log in, this controls how that data is accessed and by whom.

Similarly, when it comes to data storage, can you be sure that your files are sufficiently secure? Do you know who has paper copies and where they are stored? How is your data being backed up and do you have a fail-safe system in place to ensure that any losses are immediately restored? Many companies currently require an employee to take a copy of the back-up disk home, but this can be a risky solution as disks are vulnerable to loss or theft. 

Assisting IP management

Web-hosted solutions have emerged as an answer to these data security issues, but the right system can also benefit the way in which businesses manage their information. For example, CPA Global’s FoundationIP uses web-hosted technology not only to provide a safe and easy environment in which to store IP data, documents and other relevant matters, but also to help organisations to monitor and systemise their IP management practices as a whole.

FoundationIP stores all IP matters in one centralised database and links this key data to all relevant email communications, case updates and other user activities, which leads to efficiencies in the way that data is managed and communicated to internal stakeholders. Importantly, it provides companies with a detailed and up-to-date overview of their portfolio at the click of a button, and reduces the likelihood of human error in IP portfolio management by sending automated deadline updates to alert staff or third parties to key deadlines.

Legal professionals, like their colleagues in corporate compliance, are aware of the difficulties and risks that are inherent in the storage of information. However, stepping back and recognising that data is under siege is only the first step. Companies and law firms also need to ask: what’s of value that we need to protect, where is it and how can we ensure that key stakeholders are able to access it without compromising the data itself? FoundationIP provides a ready-made solution to this need.

 

Neil Berrecloth is a business development manager in CPA Global’s Software Solutions Division in London.

 

This article first appeared in IP Review, issue 24