Tuesday, February 16, 2010

Building security into business processes

Yash Kadakia
Earlier today, after months of avoiding it, I finally decided to go a few days without my faithful Blackberry and get the camera repaired. As I handed over my Blackberry, the technician returned a zip-lock bag with the battery, back cover and SIM card.

This made me wonder: what about the hundreds of stored e-mails, thousands of e-mails accessible via IMAP, work documents, personal photos, phone records, contact information, etc. that still remained on the device?

Of course, I had the phone wiped clean several times, took my memory card home with me and disabled e-mail delivery from the online Blackberry portal. But what was more concerning was the pile of Blackberry and other PDA devices lying around the shop for repair or re-sale, most of which previously belonged to executives, IT professionals or consultants.

This made me think about the need for businesses to build security into their day-to-day processes. Would it be so difficult for the shop to include an additional step / process for their customers' security? Not really.

Formatting a phone or implementing encryption on PDAs takes nothing more than a few minutes these days. Some may argue that not all users maintain regular backups of their phone data. There are several simple solutions:
  • If the user has a memory card, simply create an in-store backup of their device on their memory card and format the phone a few times. This can be done from within the phone itself. It would take about 3 minutes and would allow the user to walk away knowing that there is no chance of any data loss.
  • If the user does not have a memory card, simply enable the phone encryption / access password option for the device and have the user type in a password.

Implementing either option would not take more than a few minutes and would provide an additional and much appreciated level of concern for their customers' data security.

The point of this post isn't about a particular instance, a particular store or even a particular type of business. The point is about the concept of building security into the day-to-day processes that we take for granted. Many of these secure processes would require minimal modification, negligible extra time and minimal investment. Consider the following examples of day-to-day processes where security could be implemented easily.

  • At petrol pumps, most attendants generally walk away with your credit card for several minutes while you're sitting in your car. Are mobile credit card readers really that difficult to implement? No.
  • Same as point number 1, but for restaurants, coffee shops, etc.
  • Almost 90% of hotel/resort reservations in India involve you giving your credit card details over the phone/e-mail. Implementing an online registration system, or even an automated phone system, is not very expensive or difficult.
  • Most people/shops throw away credit card or ATM receipts that contain your name, DOB, card number, expiry, etc. Investing in a shredder should definitely be a must for businesses and, most importantly, shredders must be available at most ATMs/banks for customers to use.

Day-to-day examples apart, let's think a bit more on the enterprise front:

  • Data security on mobile devices: Almost all organizations have executives that carry around laptops, tablets, PDAs, etc. that contain sensitive information. Would it really be so inconvenient to add a step into their day-to-day processes to implement encryption? No. Full disk encryption would simply add one password prompt to their start-up and a fairly negligible performance difference. Passwords and encryption on Blackberrys and PDAs are also fairly easy to implement. A few clicks and your data's safe.
  • Whiteboards: I cannot count the number of offices I have walked into and found whiteboards filled with username/password information for SSH/RDP/FTP/DB, etc. Again, implementing an open-source application like keepsafe will allow your employees to have access to complex username/password details with minimal fuss or interruption.

I could go on with examples for several pages, but the point to be made is: in most cases security is not so difficult. All it needs is for someone to sit down, make a step-by-step list of their various processes and work out how they could make them more secure with minimal interruption or problems to the end-user.

Originally from: Yash Kadakia's Blog - Information Security in India
