The hacking and theft of confidential Canadian government data reported yesterday is the latest in a growing number of serious data security breaches. “The increasing pace of these incidents shows the need for all enterprises to rethink their approach to maintaining the security of vital data,” said Tony Busseri, President and CEO of Toronto’s Route1 Inc.
Route1 is a leading provider of data security and identity management technology. Its clients include the U.S. Department of Homeland Security, the U.S. Navy, the U.S. Department of the Interior, the Dutch Foreign Ministry, and Canada’s Office of the Privacy Commissioner, as well as private sector corporations.
“More data security breaches are being reported every day,” Mr. Busseri said. “What they reveal is a widespread failure to meet two essential needs. The first is the growing demand for the capability to work remotely using the data within an organization’s network. The second is the vital requirement to control access to that data and to ensure it remains within the protective firewalls of the network. Remote access solutions are simple and readily available but most fail when it comes to identity management and security. That’s clear from the growing number of reported breaches. Too often, organizations go through the motions of constructing barriers to protect data while at the same time ignoring the gaps they create to allow their people to work outside the network. Those gaps allow data out and allow hackers in.”
“Every organization recognizes that the security of its data must be protected. Many are also recognizing that providing their people with the ability to work outside the office is not simply a convenience but a necessity,” added Mr. Busseri. “Route1 technology allows users to access networks from anywhere, anytime, with the highest possible security based on an architecture that keeps data within firewalls. Data security breaches are a huge and costly problem and will only get worse unless all organizations face the reality and take action using the best technology available.”
The growth in security breaches can generally be traced to the use of systems that transfer data outside of network firewalls, that use simple one-factor identity confirmation such as a single password, and that are based on identifying the remote device being used rather than the individual using it. The failing systems also may not control what information within the network the user can access when they are remote.
Confidential information is being lost or stolen in a wide variety of situations from sophisticated online hacker attacks to simply being left on laptops, disks, USB drives and even on paper. Here are some recent reported examples from both the private sector and government:
- In May 2011, Lockheed-Martin’s network was hacked through compromised RSA SecurID tokens. That attack has been traced back to an attack on RSA itself in March when RSA said “while some information relating to RSA’s token authentication system had been extracted by the intruders, RSA is confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers”. Lockheed-Martin is a large RSA customer.
- Also in May 2011, Honda Canada informed 283,000 of its customers that some of their personal information was stolen when its systems were hacked. It now faces a $200 million class action suit. The breach was similar to one at Honda in the United States that involved 4.9 million customers
- In April 2011, Sony’s network was hacked twice, compromising the confidential information of over 100 million customers.
- Personal information on 7,000 employees of the Edmonton public school board was reported lost in April 2011, after being downloaded on to a USB memory stick.
- In February 2011, it was reported that hackers had breached servers at the company that runs the NASDAQ stock exchange and planted malware on a web-facing application used by 10,000 executives and directors to share confidential information.
- In January 2011, cyber spies struck Google and reportedly more than 30 other unidentified firms in an apparent bid for computer source codes, intellectual property, and other information.
- Four days prior to the Google attack, Adobe experienced a “computer security incident involving a sophisticated, coordinated attack against corporate networks systems” managed by them and other firms.
Reported incidents do not tell the whole story. According to a recent McAfee, Inc. report, most network security breaches go unreported because of the potential consequences, including loss of confidence in the organization. Only three in 10 organizations report all data breaches suffered, and six in 10 currently “pick and choose” the breaches they report. McAfee also reported that mobile malware grew 46 percent from 2009 to 2010 with 55,000 new malware threats emerging daily.
The cost of security breaches is projected to be $1 trillion globally based on a study conducted in eight countries. The chief information officers surveyed estimated they lost data worth a total of $4.6 billion while spending another $600 million cleaning up after breaches. It can be difficult to define and calculate losses and estimates of the cost of cyber crime in the United States range from millions to hundreds of billions of dollars. A 2010 study by the Ponemon Institute estimated that the median annual cost of cyber crime to an individual victim organization ranges from $1 million to $52 million.
Despite the growing risk and the high cost of poor data security, corporations and governments have been slow to respond. A 2010 survey of corporate directors and executives by Carnegie Mellon University/Global Cyber Risk LLC found that improving data security was not among any board’s top three priorities. Only 6 percent of respondents reported that their boards have an IT or data security committee. Less than half employ a Chief Information Security Officer.
“As costs rise and trust in organizations is undermined, corporate and government leadership will be forced to take data security more seriously and act,” Mr. Busseri said.
The security challenge
To create a secure remote access system, three issues must be reconciled:
- Access: Can people use the resources of the network wherever they are?
- Data security: How can the organization ensure that its data cannot be accessed, stolen or tampered with by the wrong people?
- Entitlement management: How does the organization ensure that only the right people can access the data and that only the right data is available to those people?
There are many remote access solutions, but most are unable to provide the answers to all three issues.
To meet that challenge, to date, many organizations have taken on component suppliers for each issue resulting in complex, cumbersome and costly systems that, as the recent evidence shows, fail in the end. For example, some systems allow a user to access a network from only one device, such as a laptop, and to store network data on it. When the laptop is lost or stolen, so is the data. With the device in the wrong hands, the network is also vulnerable. Web-based systems using an internet portal are easily hacked with today’s tools.
SSL VPN systems are available and act as a true remote PC that hosts the data and processing at an off-site location. These solutions are cost-prohibitive for a large number of users and cannot provide assurance that the user accessing the system is an authorized individual. These solutions validate the remote PC as authorized to access the system through software downloaded onto the remote computer. If there is unauthorized access to the computer, or if it is lost or stolen, the network becomes an easy target for cyber attacks.
Route1 provides a unique integrated solution. Its MobiNET platform, TruOFFICE software application, and MobiKEY device work together to meet the need for secure identity management and remote data access.
The MobiNET provides universal identity authentication management and is also the service delivery platform. It is driven by the identity of the user, not the PC they are using or where the data is housed. With a MobiKEY device, a user can be individually, consistently and accurately identified by the MobiNET platform. This allows IT managers to focus on what data individual users are authorized to access, where they can go on a network and what they can do.
- Allows organizations to keep complete control over data
- Authenticates the individual user’s identity using multiple factors
- Offers remote users exactly the same access they have at their office – they are actually working on their office computer
- Keeps enterprise data within enterprise firewalls – data cannot be moved outside the network
- Protects against man-in-the-middle attacks and malware
- Requires no software on the remote PC – any internet enabled PC can be used immediately
- Leaves no footprint on the remote PC – since no data is transferred, there is nothing on the remote device
- Integrates seamlessly into existing IT infrastructure with no requirement for additional servers or server upgrades
- Can be installed on the host computer very quickly – and is supported by a highly regarded help desk
“The alarming increase in reported security breaches may serve as a wake-up call for enterprises of all kinds,” Mr. Busseri said. “When these organizations recognize the need for higher level data security, Route1 is ideally positioned to meet the growing need for simple, single-sourced and cost-effective solutions that actually work. Our clients have seen the need and taken action. The effectiveness of our technology is demonstrated by the fact that our clients include organizations that set the standard, such as the U.S. Department of Homeland Security.”