There have been many articles written that examine the risks posed by data being exposed and the potential damage caused. External threats have long been recognised, with billions of pounds spent strengthening defences to mitigate against them – yet there is little acknowledgement of the very real threat from within. The statement, “don’t leave your valuables on show,” is a simple principle. So why is it often ignored by Corporate UK?
It has been proven to be relatively easy to bribe someone on the inside – or even plant a rogue employee in the organisation – to gain access to sensitive data. But even if we leave this well-documented risk aside, how often has someone left your organisation taking company stationery with them? Do you know what else has been taken? Could they have sneaked out with sensitive material? What about a copy of the entire corporate database – and would you even know if they had?
20 ways to lose your data
1. Employees able to access a database regardless of their need to do so, with sight of complete records including information that they do not necessarily need to see.
2. Unrestricted downloading of the database to removable media.
3. Employees able to print individual records, or even the full database, in hard copy format.
4. Employees able to access records, in undefined quantities or for unlimited periods of time, providing the opportunity to make a written copy.
5. Records, or even the entire database, altered or deleted.
6. The full database, or individual files, emailed as an attachment.
7. The full database, or individual files, uploaded to an external storage facility/website or a hosted document storage and management solution.
8. Loss of external or portable media (memory sticks, CDs, laptops, etc) that contain unencrypted information, often during travel.
9. Misplaced, or stolen, devices (laptops, BlackBerrys, etc) used as a back door to the corporate network.
10. Securing employment for the purpose of gaining unrestricted access to confidential data with criminal intent.
11. Existing employees being coerced into removing data for financial gain.
12. Ex-employees who have not had their access rights revoked.
13. Photocopying hard copies.
14. Over-the-shoulder screen theft from the mobile workforce.
15. Writing down, or even sharing, passwords.
16. Hacked WiFi networks – even with passwords.
17. Use of non-alphanumeric passphrases and passphrases of eight or fewer characters, which can be cracked in a few hours.
18. Use of unvetted external contractors or companies.
19. Use of vetted external companies on contracts without remediation/penalty clauses on responsibilities for when things go pear-shaped on the data security front.
20. Failure to use encrypted back-up storage media.
10 ways to protect your data
So what can Corporate UK do? It may seem like a nightmare with so many trusted employees intentionally, or even inadvertently, putting your most vital asset – your data – in jeopardy. Yet there are ways to mitigate against these risks:
1. Restrict data access to only those employees who need it and limit what they can see, and what they can do, with the records.
2. Appropriately monitor employees’ behaviour, ideally setting control mechanisms to flag any significant deviations from the norm.
3. Employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data and force-encrypt information when it is removed, legitimately or illegitimately, from the safe environment of the corporate network.
4. Do not make unnecessary hardcopies of records or leave them unsecured.
5. Educate the mobile workforce to the risks posed by their activities and the devices that they use.
6. When an employee leaves, ensure all access rights are revoked immediately.
7. Never leave a written record of passwords.
8. Perform background checks on new employees, including contractors and any periodic workers. It may be prudent for these checks to be conducted at regular intervals to ensure that nothing has changed, as is the case for those working with children via the Criminal Records Bureau.
9. Never leave data security up to the end user. It is imperative that this is controlled and managed centrally – which can also reduce TCO (total cost of ownership) as machines don’t need to be locked down or brought in to the office to update them.
10. Corporate governance – especially with the arrival of rules such as PCI DSS and the Companies Act – requires you now to have security and to be able to prove it. Use a solution that includes a central management console – that way every endpoint is protected and can be tracked.
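Two of the protections above, monitoring for significant deviations from an employee's normal behaviour (point 2) and revoking access the moment someone leaves (point 6), can be checked centrally and automatically rather than left to memory. The script below is an added example, not code from the article or from Credant; the leavers list, directory snapshot and per-day audit counts are constructed sample data, and the dictionary shapes are assumptions rather than any product's real schema. It flags any leaver whose account is still enabled (and whether it has been used since their leaving date), and any user whose latest day of record access is both above an absolute floor and far outside their own historical pattern, the bulk-copy signature behind risks 2, 4 and 12 in the first list.

```python
"""Added example (not from the original article): two central checks for
insider-risk hygiene. All names, dates and counts below are constructed."""
from datetime import date
from statistics import mean, pstdev

# Constructed HR leavers list: hypothetical user -> leaving date.
LEAVERS = {
    "j.smith": date(2009, 3, 31),
    "a.patel": date(2009, 4, 15),
}

# Constructed directory snapshot: user -> (account enabled?, last login).
ACCOUNTS = {
    "j.smith": (True, date(2009, 4, 20)),   # still enabled, used after leaving
    "a.patel": (False, date(2009, 4, 10)),  # correctly disabled
    "m.jones": (True, date(2009, 4, 21)),   # current employee
    "k.lee":   (True, date(2009, 4, 21)),   # current employee
}

# Constructed database audit summary: user -> [(day, records viewed), ...].
# The final entry for each user is the day under review.
ACCESS_LOG = {
    "m.jones": [(date(2009, 4, 13 + i), n) for i, n in
                enumerate([40, 35, 42, 38, 41, 37, 39, 44, 2100])],
    "k.lee":   [(date(2009, 4, 13 + i), n) for i, n in
                enumerate([60, 58, 65, 61, 59, 63, 62, 60, 66])],
}


def find_unrevoked_accounts(accounts, leavers, as_of):
    """Return (user, leaving date, used_after_leaving) for every leaver whose
    account is still enabled on `as_of`. Accounts missing from the directory
    are treated as already removed."""
    findings = []
    for user, left_on in leavers.items():
        enabled, last_login = accounts.get(user, (False, None))
        if enabled and left_on <= as_of:
            used_after = last_login is not None and last_login > left_on
            findings.append((user, left_on, used_after))
    return findings


def flag_bulk_access(access_log, sigma=3.0, min_records=500):
    """Flag users whose latest daily record count exceeds an absolute floor
    AND sits more than `sigma` standard deviations above their own history.
    The floor stops a quiet user's tiny variance from raising alerts; the
    per-user baseline catches the clerk who normally reads 40 records and
    suddenly reads the whole table."""
    flagged = []
    for user, days in access_log.items():
        history = [n for _, n in days[:-1]]
        latest_day, latest = days[-1]
        if len(history) < 3:
            continue  # not enough baseline to judge a deviation
        baseline, spread = mean(history), pstdev(history)
        if latest >= min_records and latest > baseline + sigma * max(spread, 1.0):
            flagged.append((user, latest_day, latest, round(baseline, 1)))
    return flagged


if __name__ == "__main__":
    review_day = date(2009, 4, 21)
    for user, left_on, used in find_unrevoked_accounts(ACCOUNTS, LEAVERS, review_day):
        print(f"UNREVOKED: {user} left {left_on}; used since leaving: {used}")
    for user, day, count, base in flag_bulk_access(ACCESS_LOG):
        print(f"BULK ACCESS: {user} read {count} records on {day} (baseline {base}/day)")
```

Both checks are deliberately simple so that the thresholds can be read and defended: the leavers check only needs the HR feed and a directory export, and the access check needs nothing more than a daily count per user from the database's own audit trail. A per-user baseline matters more than a single global limit, because the same number of records is routine for one role and alarming for another.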
By Tim Pollard, VP EMEA for Credant Technologies