Subscribe
About

Lock up your data

Companies must protect themselves against unintentional and malicious data leaks from within.
By Wayne Biehn
Johannesburg, 12 Dec 2007

It goes without saying that information security and information risk management have shifted focus from being solely "perimeter-centric" to being "information-centric", a data privacy and data protection focus that, by design, inherently pays attention to all directional flows for threats - inside-out, inside-inside and outside-in.

In this context, company information-centric security practices and methodologies need increasingly to move towards protecting against unintentional and malicious data leaks from within, commonly referred to as the "inside-out" or "internal threats".

Nowadays, our personal and professional lives are heavily influenced by technology. The ability to move massive amounts of information between traditional PCs and portable storage devices means it is now incredibly easy for confidential data to be taken from companies without their knowledge or consent.

IT theft

Interestingly, the perpetrators of such crimes are rarely stereotypical hackers, attacking systems via the Internet from their mafia headquarters or their student dorms.

Instead, the data thieves are frequently much closer to home. For example, unescorted visitors or temporary staffers that have joined the organisation purely to copy data and hand it over to a competitor. Or, as is becoming increasingly common, unhappy staffers who are about to resign but think it is a good idea first to take copies of anything that might be useful in their new jobs.

And lastly, innocent employees who simply do not follow security policy, copy work files to take home, and then lose their unprotected storage devices.

Unguarded USB ports on today`s PCs are perhaps the biggest threat to corporate IT security. As well as the abovementioned, USB pen drives, MP3 players, smartphones and PDAs are fundamental tools of data thieves. Not only can such devices store tens of gigabytes of data, they can all be quickly connected to any PC via a USB cable without the need for any driver software to be installed - and therefore, without the need for thieves to be logged in as administrators.

Where the amount of data to be stolen is beyond the capacity of an iPod or PDA, external USB drives with half a terabyte of storage are now available for less than $200.

Of course, USB devices are not the only way to steal information electronically. Today, most mobile phones include a camera, which can be used to quickly make an electronic copy of a printed page.

Data leaks

However, using any of these methods to steal large volumes of data is not practical because of the time required. Controlling the use of USB devices is of far greater importance. While the good-old disgruntled employee is a prime suspect in many data thefts, actions by former employees should also be considered in data protection plans.

To reduce the problem of data leakage, there are three particularly effective strategies. Ensure that:

1. The company has a policy that clearly states who is allowed to take data off site and how the information must be protected when it is away from the premises.

2. Data does not leave the building without the firm`s knowledge.

3. Any data that needs to be removed from the building is protected so that the information cannot fall into the wrong hands.

Protection

While the good-old disgruntled employee is a prime suspect in many data thefts, actions by former employees should also be considered in data protection plans.

Wayne Biehn is product and technology director at SecureData.

First, to control which data files leave the premises, set up user accounts on servers and workstations so that employees cannot access information that they have no need to see. However, overuse of rules and regulations can lead to low morale if the workforce feels it clearly cannot be trusted.

Another security consideration is to avoid being seen as Big Brother. It may not drive data thieves away, just make them more determined. In the second place, it is also well worth investing in a port control product that can automatically block USB devices from being connected to systems without authorisation.

Third, it is vital to protect information that is taken off the premises. Although companies will normally want to ensure none of their confidential files leaves the premises, staff sometimes do need to take work home.

If an employee`s laptop is stolen from the trunk of her car, ensure the customer information on its hard disk cannot be accessed by the thief. If an employee`s PDA goes missing while they are at a conference, can the company be confident that the document containing details of next year`s product launches will not be accessible to whoever buys the stolen hardware?

The solution to this problem is encrypting data. There are many products on the market, but ensure the selected solution is proven, transparent and automatic; that it eliminates user interaction and creates a fully enforceable solution that holds up to the most stringent compliance requirements.

* Wayne Biehn is product and technology director at SecureData.

Share