Newsletter - May 2008

Secure Data Transfer - How to stay out of the headlines and keep your customers’ confidence
By Jon Abbott, Technical Director

Barely a week seems to pass without another government agency or major company finding its people, processes and professionalism under fire as yet another batch of confidential personal data is misdirected, misused or misplaced. Embarrassed executives are pilloried as they struggle to explain why their organisation has such poor control over the information entrusted to it by its clients.

So what can you do to stop your company’s name being added to this Roll of Dishonour?

At the highest level, you should have a clearly-defined and well-understood Data Protection Policy, in which the organisation’s compliance with the Data Protection Act 1998 is enshrined and which all data storage, access and retention processes must reference.

When working with other organisations with which you exchange data, a sensible first step is to review their Data Protection Policy and associated process documents to ensure that information that they provide to you has been sourced and processed legally, and to satisfy yourself that information that you provide to them will not be misused or disseminated.

In practice, the greatest threat to the security of your data is at the point of transfer, and there are three key steps that can be taken to mitigate likely breaches: data encryption, secure transportation and staff training.

Any confidential data transferred to or from your organisation should always be encrypted: modern encryption technology will render the data unreadable to everyone except the intended recipient; anyone else would need a large amount of time and computing power to recover it. So even if a CD labelled “Ministry of ABC National Personal Database” were accidentally left on a train, nobody would be able to make use of the data.

The OpenPGP standard - a widely-supported public-key encryption methodology - provides excellent security and ensures that only the intended recipient will be able to decode and read the data files. The GNU Privacy Guard software offers an easy-to-use OpenPGP implementation and is the tool Matrix-Data selected to ensure the security and integrity of file transfers between itself and its clients.
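One way to apply this with GNU Privacy Guard (`gpg`), shown as an added example that is not part of the original newsletter or Matrix-Data's own procedure: the file is encrypted only if the recipient's public key in the local keyring matches a fingerprint confirmed with them out of band, for instance by phone. The function names `key_fingerprint` and `encrypt_for` are hypothetical, and the recipient's public key is assumed to have been imported already.

```shell
# Added example (not from the original article).
# Print the primary-key fingerprint of the first key matching a key ID or e-mail address.
key_fingerprint() {
    # In --with-colons output, field 10 of an "fpr" record is the fingerprint.
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_for RECIPIENT EXPECTED_FINGERPRINT INFILE OUTFILE
# Returns 2 if no key is found, 3 if the fingerprint does not match.
encrypt_for() {
    local recipient expected infile outfile actual
    recipient=$1
    infile=$3
    outfile=$4
    # Accept the fingerprint as people read it out: spaced groups, any letter case.
    expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    actual=$(key_fingerprint "$recipient")

    if [ -z "$actual" ]; then
        echo "no public key for $recipient in the keyring" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $recipient: refusing to encrypt" >&2
        return 3
    fi

    # Encrypt to the verified fingerprint rather than the e-mail address, so a
    # different key carrying the same address cannot be picked instead.
    # --trust-model always is used because the check above has just been made.
    gpg --batch --yes --trust-model always \
        --recipient "$actual" --output "$outfile" --encrypt "$infile"
}
```

The recipient decrypts the resulting file with `gpg --decrypt`, which requires their private key.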

If the installation of a separate software package to guarantee data security is seen as overly complex and hard to maintain, the widely-used compression tool WinZip has provision to encrypt files as they are added to a compressed archive: the user is prompted for an encryption password which the recipient of the data must also possess in order to access the data.

If your data is held as Microsoft Office files, there is the provision to password-protect files to deny access to unauthorised users. However, so many “Office password recovery” programs exist that this method provides the illusion of protection rather than any real security and should not be relied upon.

The transfer method itself can also give rise to security issues: mistyped email addresses, incorrectly addressed postal deliveries, or assuming a guarantee of delivery which does not exist are the key problems here.

By using a file transfer mechanism rather than sending data as an email attachment, it is possible to confirm that your data has been fully transferred to the recipient’s system. It is also possible to ensure that a variety of technical access restrictions can be applied to ensure that only specific individuals (or the computers on which they are working) can transfer the data. Matrix-Data operates a Secure FTP (SFTP) Server as its recommended method for data transfer between itself and its clients.

Some corporate networks forbid the use of FTP software, so this may not always be an immediately viable solution, and email will be used to transport the data. With a little advanced planning, email can be an effective and reasonably secure data transport solution:

  • set up the recipient’s address in your address book, and always use the address book rather than manually typing the address when sending data;
  • notify the recipient in advance that you intend to send them data, and do not send the data until they confirm that they are ready to receive it;
  • request a confirmation of safe receipt from the person receiving the data (rather than relying on an automated email read-receipt);
  • if you are sending a password-protected file, always send the password in a separate email or - better still - notify the recipient of the password over the phone to avoid creating a record of the password on any electronic system.

If the volume of data to be transferred is so large that email is not appropriate, a courier or tracked postal service should be used. Address and recipient details should be double-checked prior to despatch, and reconfirmed with the delivery agent.

Ultimately, the most important part of having a secure data transfer policy is your staff. Without adequate training, properly supported processes and a clear drive and commitment to data security from the highest level, there is a distinct danger that your staff will treat the transfer of data as a routine, mundane task to which no significant thought or care needs to be applied. The regular press horror stories should be highlighted as examples of what can happen when just one person takes a shortcut, ignores a process or avoids a control.

A reputation can take many years to win and one minute to lose: with a little thought and planning you should be able to uncross your fingers, hang up your rabbit’s foot and have the confidence to say: “That would never happen here.”


If you would like more information regarding our Data Security Policy please contact info@matrix-data.co.uk or call 020 7074 1200.
