by Tim Lohman

Rio Tinto spying case a wake up call to CIOs?

Aug 12, 2009 (4 min read)
Data and Information Security, Privacy, Security

The arrest of Rio Tinto executive Stern Hu in China on spying charges has brought home the need for CIOs to examine data security, according to Phil Dunkelberger, CEO of security company PGP.

In Sydney for the launch of the 2009 Australian Enterprise Encryption Trends report, commissioned by PGP and produced by the Ponemon Institute, Dunkelberger said the Rio example highlighted a risk faced by businesses working in developing markets.

“The Rio Tinto incident exposes a business issue [data and IP security]. From a CIO’s perspective, this incident should be taken as an example of the need for data encryption across the whole enterprise,” Dunkelberger said.

Commenting on the findings of the Enterprise Encryption Trends report, which interviewed 482 Australian business and IT managers, Dunkelberger said that, despite Rio’s example, there was a growing recognition by CIOs of the security risks posed by smartphones and mobility to their organisations.

More than 64 per cent of the report’s respondents said it is either very important or important to encrypt employees’ mobile devices and 55 per cent said that it is very important or important to provide end-to-end email security for Windows Mobile 6.0/6.1 Professional Edition.

“People in IT security talk about the perimeter; well the perimeter has shifted out from the business to its people through mobile and traveling employees with data on their laptops and mobile devices,” Dunkelberger said.

Reinforcing the need for data encryption and data security in general, the report found that a sizable 69 per cent of the companies surveyed had suffered one or more data breaches in the last 12 months, up from 56 per cent in 2008. A quarter of these companies had five or more data breaches in the previous 12 months, up from 22 per cent in 2008. Of these breaches, only 35 per cent were publicly disclosed.

With the average cost associated with data breaches continuing to rise, to an average cost per record of £60 in the UK and $202 in the US, the cost to the business of a data breach, rather than impending mandatory breach notification laws, was becoming the major driver for data encryption adoption, Dunkelberger said.

“About 65 per cent of the cost to the business following a data breach is in lost business; that’s the reason why businesses are reluctant to have mandatory breach notifications laws; it’s because of a fear of customer churn,” he said. “Businesses who have data breaches experience a rate of churn similar to that of the telecommunications industry.”

The report also found that the global financial crisis had resulted in new problems for CIOs – namely through the resulting reduction in IT budgets and the risks associated with newly-redundant employees looking to leverage customer data outside of corporate control.


Additionally, businesses looking to take advantage of different application and service delivery models, such as cloud computing and software-as-a-service, were creating real risks to the management and security of data within organisations.

Rather than view data security as a challenge, CIOs should view data security as an opportunity for the business, according to director EMEA marketing at PGP, Jamie Cowper.

“Having data security means you can safely move your business to federated clouds and the advantages they bring,” he said. “You can also safely look to places such as India as a source of cheaper services or to places like China to grow your business, because you have protected your data and can confidently operate in jurisdictions with differing needs for data protection.”

For a good view on the extent of data loss, including the largest and latest data loss incidents, see DataLossDB.

PGP’s Top Ten Data Security Checkpoints for CIOs

  1. Know your data and your data flow
  2. Secure data end-to-end – at rest, in use and in motion
  3. Educate
  4. Unify processes and policies – centralise policy and key management
  5. Ensure partners and vendors are secure
  6. Physical security
  7. Data retention policies
  8. Regulatory compliance
  9. Simple to deploy – install once, roll out as needed
  10. Easy to use – automatic and transparent to users