Policies, processes and a “corporate ethos” of care of data are more important in securing sensitive information than using encryption technology.
Encryption has been back in the spotlight following the HM Revenue & Customs data breach that led to two CDs containing unencrypted records of 25 million people on the child benefit database getting lost in the post.
But two-thirds of silicon.com’s 12-strong CIO Jury IT user panel said technologies such as encryption need to be part of a more holistic approach to security that includes training for staff and strict enforcement of policies.
Nic Evans, European IT director for Key Equipment Finance, said: “More important is a corporate ethos of care of such data.”
Encryption on its own can give a false sense of security, according to Florentin Albu, ICT manager for the European Organisation for the Exploitation of Meteorological Satellites (EUMETSAT).
He said: “However, when used in the context of an information management/information security framework, it can become an effective way to mitigate certain corporate data risks. Even so, it would be just one piece of the jigsaw – you need to combine it with other technologies (authentication, authorisation, etc) and information management practices (data classification, data handling, etc) in order to become effective.”
Security from A to Z
Click on the links below to find out more…
A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day
Even with encryption technology there are weaknesses that could lead to data being compromised. Steve Clarke, director of systems and operations, AOL Broadband, said: “Encrypted data still needs to be viewed, which means it must be unencrypted – giving rise to opportunities to store the data without its encryption. By implementing policy, processes, appropriate training and rigorous enforcement our data stands a chance of remaining secure, but encryption alone is not the panacea.”
James Findlay, head of ICT for the Maritime & Coastguard Agency, said: “Encryption only forms part of the solution. Organisations must have robust policies and processes in place to ensure the integrity of both data and systems.”
Another survey by security company CheckPoint found just under half of IT chiefs have deployed encryption within their organisations.
But those in favour of greater use of encryption to secure data include Graham Yellowley, director of technology services for investment bank Mitsubishi UFJ Securities International.
He said: “This is a minimum requirement for securing any data, whether this be for internal or external dissemination. Encryption strength needs to be considered with at least 256 bit key encryption for real security.”
Richard Steel, CIO for the London Borough of Newham, added encryption should be used “where the data must be mobile and combined with two-factor authenticated access”.
Today’s CIO Jury was…
Florentin Albu, ICT manager, EUMETSAT
Alastair Behenna, CIO, Harvey Nash
Mike Buck, architecture manager, Yorkshire Water
Steve Clarke, director of systems and operations, AOL Broadband
Nic Evans, European IT director for Key Equipment Finance
James Findlay, head of ICT for the Maritime & Coastguard Agency
Neil Harvey, head of ICT, Food Standards Agency
Jane Kimberlin, IT director for Domino’s Pizza Group
Jacques Rene, CTO, Ascend
Richard Steel, CIO, London Borough of Newham
Richard Storey, head of IT, Guy’s and St Thomas’ NHS Foundation Trust
Graham Yellowley, director of technology services, Mitsubishi UFJ Securities International
Want to be part of silicon.com’s CIO Jury and have your say on the hot issues for IT departments? If you are a CIO, CTO, IT director or equivalent at a large or small company in the private or public sector and you want to be part of silicon.com’s CIO Jury pool, or you know an IT chief who should be, then drop us a line at firstname.lastname@example.org