The Actuary, the magazine of the Institute & Faculty of Actuaries

Technology: Data and security

One of the problems with the age in which we live is that we sometimes find ourselves having to care about things that, previously, would have been someone else’s problem. Take information security. Only ten years ago it would have been most unlikely that an employee outside the IT department would have had to worry about information security. Now, however, there are more threats coming from myriad sources and countless ways for attackers to get into our companies’ systems, so it’s extremely important to be on guard.

That’s not to say that data thefts weren’t being perpetrated ten years ago but several things have combined to compound the problem. First, there’s more data: databases accumulate, whether they’re about clients or customers or anything else. Second, the data is more openly available: even in banks or actuarial firms where there are good, tight controls on databases, the data is still being used in ways that it wouldn’t have been before — we outsource communications or administration to other companies, or put out work on temporary projects, all of which require data transfer. That means more people have access to it, which means there are more potential threats.

Finally, the consequences can be greater. Not just in terms of fines or other punishments, some of which have been tightened up or toughened, but when news can spread around social networks within days or hours, it’s harder to keep control of events once a data breach has been made public, and companies’ reputations can be tarnished or even trashed.

Another thing that’s changed in the last ten years is the proliferation of devices we carry with us, which has led to companies opening up their networks. Where they were once locked down to company-owned laptops and desktop computers, now many of us can connect our own devices to access corporate systems. But if you’re connecting your own device to the corporate network, that makes corporate network security your problem. Your own computer needs to be kept up to date with recent security updates and patches, and with fully working, up-to-date security software.

Most attacks contain an element of ‘social engineering’ — when the Anonymous group attacked the HBGary Federal IT security firm in February, one of the hackers contacted an IT administrator posing as the CEO and asked him to reset the master password, a request that was promptly granted. Every employee — even those without high-level access — is a potential target because attackers will take any opportunity to get inside a system.

It’s not just electronic security that’s important: as a journalist I find myself looking over people’s shoulders on the train — out of sheer nosiness, to be honest — and often they’re reading papers marked ‘confidential’ or ‘private’. It’s bad enough if a journalist gets wind of a good scoop because someone’s been exposing papers they shouldn’t have, but it could be even worse if someone with malicious intent gets hold of private details.

Encryption can be important. In 2009 the FSA handed one financial services firm a hefty fine for, among other things, sending out customer data on unsecured discs and USB devices and for sending those by ordinary post. It may be common sense, but when you’re dealing with sensitive data, make sure you keep it secure. If it’s going elsewhere it should be encrypted and sent securely. Under Windows 7 and Vista, laptops can be encrypted at the hard disk level to prevent any unauthorised access.

Finally, your company will probably have minimum requirements for secure passwords, but it’s good to use different passwords for different systems even if that’s not mandatory. Several password-remembering tools, such as LastPass (www.lastpass.com) and RoboForm (www.roboform.com), are available; they save your passwords in an encrypted file. These are good for personal use, but check before using them for work-related information.

All of this security advice really boils down to common sense: it’s a bad idea to send unencrypted client data through the post, or to use ‘password’ as a password. Sometimes, in the rush to get things done we forget the basics and cut corners, but when it comes to computer security it’s worth taking the time to follow the procedures even if they seem onerous, just in case.

______________________________________________________________

Anthony Dhanendran is the reviews editor of Computeractive