CBR talks to Ironkey's boss about whether the new ICO rules are a 'joke' and keeping ahead of the bad guys
Can we start with a round-up of Ironkey and its business?
We've effectively got three product lines, all based on the Ironkey device, a multi-function USB security device.
We have a secure storage business with data protection; that's our core base business, so when companies want to issue these to their users, when they're travelling or taking data home, it's all encrypted. You can use it on Windows, Mac and Linux without installing software, and you can't screw it up and use it without encryption, for example. So the core business is hardware encrypted storage, which plays really well with the new ICO rules. We have an enterprise version that is remotely managed, so IT admins can do things like enforce password strength or issue a kill command over the internet. That helps with compliance.
We also have a consumer business that offers data and identity protection on the internet because the [USB] device is also an authentication device. It comes with a Firefox browser installed that connects to Secure Sessions, which encrypts all your data as it goes over the internet. We also protect all the DNS information so you would be protected if someone compromises the DNS to route you to a fake bank or eBay.
The third and final business unit is called Trusted Access which is targeted at people who do online banking. Criminals used to do a lot of phishing for passwords and so on but now they've realised the real money is in the corporate bank accounts. A consumer could net them £500 or so but a corporate could net them up to £1m. Trusted Access adds a layer of virtualisation and a virtualised OS with a secured browser. It creates a secure, protected environment around you, even if the machine is infected.
What sort of sectors do you pull your clients from?
A lot from the financial services sector, but anyone with personal information and data they want to protect. Over here we work with Northern Ireland Civil Service, because they have a lot of citizen and healthcare data. We also work with a lot of NHS departments and hospitals.
And what are the big challenges they are facing at the moment?
Data protection is a big driver at the moment, from medium-sized business to governments. In the UK there is more awareness about it because of the new ICO rules and the increased press coverage.
What do you think of the ICO rules?
I think there is a lot of concern that maybe there aren't enough teeth in the law yet. The amount they can fine companies... it's a number that sounds big, but when you look at fines that seemed to make a difference they tend to be much larger. £500,000 is not that big a deal for a big company when they would spend a lot more than that protecting themselves. In the States there was a data breach at Heartland Payment Systems and they were fined over $10m, and that starts to make a difference. The Heartland CEO and CIO now go around telling other companies their tale of woe and how they should approach security. That's had a real impact; maybe the UK needs to get to that level.
Do you think attitudes will change once the first fine is handed out?
Absolutely. I think at the moment people think it's almost a joke; there are so many data breaches and nothing's being done about it.
One of the questions that needs addressing is: What is the ICO going to do about public sector government organisations that have data breaches? Is the government going to fine itself? It's not a profit and loss centre, so I don't know how it's going to work.
What would you have done differently if you'd helped set up the rules?
I would have put in tiers of fines with no cap on the amount. I'd tie it to the number of users or data that was exposed. I also think it should escalate so if you are breached more than once the fine increases. There should also be a programme which says that after an incident you have to implement certain guidelines and if you don't there is a further fine or sanction. Just charging people money isn't necessarily going to change anything.
The constant stories about lost USBs or laptops must make you very depressed, as a security guy.
People are dumb, and they're not being trained. IT departments need to take action and put in place multi-year programmes about rolling out and using devices. It hasn't happened too much because people have had different priorities. But whereas it used to be about keeping the bad guys off the network, that is changing now to a more internal approach. The fact that more and more people are working remotely is adding to that. It changes the attack surface: where is the edge of the network? There almost isn't one now.
The idea of remote working also raises the question of mobile devices. How do you protect them?
It's one of the research areas we're working on at the moment: bringing Ironkey-like security to a mobile. With more banking being done on phones we need to start looking at what the bad guys will do.
Talking of the bad guys, it must be strange to always be chasing them, wondering what they will do next.
We try to put a two year roadmap on what we think they're going to do. We look at the velocity of how they've changed and become more professional over the last five years and extrapolate that out.