Saturday, 04 July 2009

Maintaining barriers

Domenic Donatantonio
Knowledge is power, especially when in the hands of your competitors. Everyone knows about the danger of viruses, yet the biggest threat lies elsewhere.

If you think a ‘worm’ is just something to catch fish with and a USB stick is a new police weapon, then read on. You may have a lot to learn about what is needed to stop sensitive information being stolen from your company.

In our industry, managing access to candidate and client databases is paramount, and the bad news for recruiters is that the modus operandi for fighting data crooks has changed hugely.

Only five years ago, the standard methods of stealing valuable information from a recruitment company would include burning data onto a CD, printing off hard copies of commercially sensitive material, using email accounts to send information outside the organisation or employees simply writing down copious amounts of information to take away with them.

Now the biggest threats are internet messaging and portable media devices such as a USB stick. The latter is a small, lightweight, removable and rewritable data storage device which can hold up to 64GB of data; an iPod is a common household example. They are faster and more reliable than floppy disks, which were previously used for relatively quick portable storage. USB sticks are also known as ‘pen drives’, ‘chip sticks’, ‘thumb drives’, ‘flash drives’ and ‘USB keys’.

Dennis Szerszen, spokesman for security software firm Secure Wave, says that in some sense the risk portable storage systems pose has been around since the emergence of the floppy disk. “But that [a floppy disk] was just 360 kilobytes of risk; not four gigabytes that can be transferred in five minutes by a USB stick,” he adds.

The popularity of MP3 players and digital cameras is also driving the development of a culture of carrying around a lot of data on the person. And USB sticks and other portable media devices can carry both private and sensitive business data. For example, it was recently discovered that USB sticks full of US military secrets were being sold on market stalls in Afghanistan.

Danger alert for computers

Recruiters looking to stop this threat should know that some security measures encrypt data put on removable drives such as USB sticks. Others just keep an eye on what is being transferred back and forth.

Matt Fisher, spokesman for Centennial Software, said USB sticks can also become an attack vector for viruses and other malicious programmes, largely because they are swapped between many different computers.

“Everyone expects a virus to come into their computer through the email gateway,” he warns. “No-one expects it to come in on a USB stick.”

The relatively new phenomenon of instant messaging in the workplace poses another threat for recruitment agencies. A viable alternative to traditional email, instant messaging systems such as MSN Messenger or Yahoo Messenger bypass normal computer surveillance systems and provide an easy route for people looking to send out sensitive information. Conversations on instant messaging systems happen in real time, and most services offer a presence information feature that indicates whether any people on one’s list of contacts are currently online and available to chat.

According to Jose Grandmougin, senior systems engineer for computer security firm Fortinet, instant messaging poses the greatest threat to recruitment agencies.

“You can now send spreadsheets and large files on internet messaging. Our security system would look at instant messaging flows between groups and monitor the dialogues.”

However, Richard Cassidy, systems engineer at Fortinet, believes that companies also need to beware of internet messaging ‘worms’. “A lot of vendors are still slow on the uptake with this,” says Cassidy. “A worm is a clever virus. It takes the computer’s browser to an external site. In the worst case scenario, the remote site can actually then take over the running of that system.”

To stop staff sending sensitive data through internal email, computer security firm Clearswift has a solution.

Clearswift’s technical director Alyn Hockey says: “We have a system that looks for specific file names and types. It can tell the product not to send certain types of files, or it can look inside a document for text streams, or regular expressions like ‘CV’ or names of specific clients.”
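The kind of outbound check Hockey describes (file names, file types and text patterns inside the content) is sketched below as an added example. It is not Clearswift's code, and the policy lists, client names and addresses are constructed for illustration.

```python
import os
import re
from email.message import EmailMessage

# Constructed policy (assumption): what an agency might refuse to let leave by email.
BLOCKED_EXTENSIONS = {".csv", ".xls", ".mdb"}
BLOCKED_NAME = re.compile(r"(candidate|client)[ _-]?(list|database)", re.I)
CONTENT_RULES = {
    "cv_keyword": re.compile(r"\b(CV|curriculum vitae)\b", re.I),
    "client_name": re.compile(r"\b(Acme Legal|Example Holdings)\b", re.I),
}

def scan_outbound(msg):
    """Return (part_name, rule) for every policy hit in one outbound message."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = part.get_filename()
        name = filename or "(body)"
        if filename:
            # File-type and file-name rules apply to attachments only.
            if os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS:
                hits.append((name, "blocked_type"))
            if BLOCKED_NAME.search(filename):
                hits.append((name, "blocked_name"))
        if part.get_content_maintype() == "text":
            # Look inside the body and text attachments for the patterns.
            text = part.get_content()
            for rule, pattern in CONTENT_RULES.items():
                if pattern.search(text):
                    hits.append((name, rule))
    return hits

def build_sample(leak=True):
    """Constructed message: a leaking one by default, a harmless one otherwise."""
    msg = EmailMessage()
    msg["From"] = "consultant@agency.example"
    msg["To"] = "someone@webmail.example"
    msg["Subject"] = "files"
    if not leak:
        msg.set_content("Running late, see you at two.")
        return msg
    msg.set_content("As discussed, the Acme Legal shortlist is attached.")
    msg.add_attachment("name,phone\nJ Smith,0000\n", subtype="csv",
                       filename="candidate_list.csv")
    msg.add_attachment("Jane Doe - CV\nTen years in legal recruitment",
                       filename="notes.txt")
    return msg
```

A gateway using this would quarantine any message for which `scan_outbound` returns a non-empty list; renamed files and binary formats need content-type sniffing and text extraction that this sketch leaves out.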

Wide open to the risk of data theft

UK businesses certainly appear to have cause to worry about information security breaches. According to a recent study by the Department for Trade and Industry, 55% of firms have taken no steps to protect themselves against the threat posed by removable media devices, such as USB sticks. Two-fifths of companies that allow instant messaging have no controls in place over its use, while nearly two-thirds of companies expect there to be more security incidents in the next year than there were in the last.

Chris Potter, a partner from PricewaterhouseCoopers LLP which helped compile the survey, says: “Overall, UK businesses are more aware than ever of the risks they face from information security breaches, in an environment where threats are on the increase. But some still seem to believe that they are immune to the dangers, and don’t have basic security controls in place. Recruitment businesses cannot afford to be complacent.”

As well as technological measures, there are also legal steps that recruitment firms can take to safeguard their sensitive data. Dan Morrison, a partner at law firm Mishcon de Reya, advises recruitment businesses to follow the statutory obligations set out in the Data Protection Act 1998. He says: “Efficient data processing will not only minimise the risk of any claim being brought by the individual whose data you are holding, it will also benefit your business.”

The key to success is a sound defence

In Morrison’s experience, data theft is predominantly carried out by existing employees stealing information from their employers. Opportunity and the lack of meaningful controls are two of the main factors that lead to theft of information.

Morrison says: “You may find your business in the position where an employee or a competitor has stolen a list of your clients and candidates. In these circumstances, you will want to take steps to recover that data, not only to protect your own business interests, but also to protect yourself against potential claims from disgruntled clients and candidates whose details have been stolen and who will undoubtedly be receiving telephone calls and emails from the unknown individual or competitor who has taken the data.”

Morrison advises setting up a data protection policy. Train staff to keep information up-to-date and accurate. Tell people that you are storing their data and give them the reasons why you are doing so. “You should also take steps to secure your computer systems by the use of passwords, and using printing and emailing restrictions that are simple and cheap to put in place and can be very effective in reducing the misuse of confidential and personal information,” he adds.

Recruitment firms can go further in their security safeguards by periodically reminding employees of their responsibilities and contractual obligations. This will give a legal platform to bring a claim for breach of covenant or breach of confidence. It will also act as a form of deterrent, ensuring employees know that there are certain legal obligations which they have signed up to.

By pre-empting the potential damage caused by data theft, you can avoid not only substantial financial loss but any subsequent damage to the goodwill and reputation of your agency.

As any good football manager will tell you, the key to success is a sound defence.
