Securing Access To Personal Information

On the BBC's Panorama programme the DWP recently admitted that in the last 12 months, 158 people have been disciplined for unlawful access to personal medical information. Of all information that needs to be kept securely, surely personal medical information must come at the very top of the priority list!

From a personal point of view, it's all very well that they managed to identify and discipline the DWP staff who accessed the information illegally, but I would rather that the appropriate technology had been in place to prevent access in the first place. Yet if government departments fail to protect our data sufficiently, what should companies do to protect access to our personal details? A number of technologies are available to protect unauthorised users from accessing sensitive information in corporate databases:

• Intrusion Prevention – Intrusion prevention technology can prevent you against SQL Injection and Cross Site Scripting attacks. McAfee Database Activity Monitoring and McAfee Intrusion Prevention work at the application layer to identify these attacks and block them.

• Protection against Zero Day Attacks - No database administrator wants to implement emergency patches to their SQL server / Oracle application servers outside their normal patching cycles if they can avoid doing so. McAfee Database Activity Monitoring and Trend Micro DeepSecurity protect you against zero day threats until such time as you are able to apply the manufacturer's patches as part of your normal patching cycle.

• Database Access Monitoring – The first step to securing information on your databases is being able to report on access to personal / confidential information on your databases (e.g. medical information and credit card information) so that you can identify who is accessing this information and consequently which users may have been granted inappropriate access rights. Rules may also be configured to block unauthorised access to sensitive information.

In addition, products such as Safenet Datasecure can be used to overlay best practices for database encryption key management and access control. Key management products protect your organisation’s encryption keys and provide a straightforward means of backing them up securely from a central point.

Technology to implement robust data security is not cheap, but withe the Information Commissioner handing out increasing penalties on those organisations that fail to protect personal information, companies need to seriously consider their risk profile and whether some form of data protection may be a wise investment taking into account the potential cost of breach notification procedures, loss of reputation or worse.

Small Business Security

IT Security is a difficult subject for small businesses. We all know that security is important, but because IT Security isn’t directly responsible for putting money into your bank account, it often slips down the priority list of things to do.

The fact that IT Security is lower down the priority list in small companies makes them a soft target for cybercriminals. They are far easier to target than larger companies, and yet many small companies hold data from larger companies as part of collaborative projects.

Every company, large or small needs to assess their IT Security risk. The choice of how you implement it is of course down to you. You can “Do It Yourself”, choose a service provider, or turn to the growing number of cloud security providers that now exist.

Cloud security offerings are very attractive for small companies. There are no setup or management costs, and you pay only for what you need, allowing you to continue to focus on your business. They take a number of different forms, including hosted web filtering, hosted antivirus, hosted email security, hosted web application firewall, hosted two-factor authentication and even hosted vulnerability assessment to allow you to test your internet facing web servers and networking devices against the latest known attacks.

If you have suffered a breach, you have probably already given consideration to what level of security is appropriate for your company, how to implement the solution and how to manage it. If you haven’t , then now is a good time to be proactive, and review your firewall, endpoint security and data security defences in view of the new technology that has been introduced over the past few years.

Free trials are available for the majority of technology that you want to consider, and we are always happy to offer good advice on the sort of products that you may want to consider to protect your business.