Almost daily the media share stories of confidential information being disposed of in park bins, laptops found in taxis and passwords published on the internet. While this is undoubtedly concerning, the findings from a study on data leakage have suggested that the data loss resulting from employee behaviour poses a much more extensive threat than many IT people believe. So writes Mike Howie, Information Security Consultant, CS Risk Management.
Historically, data was deemed secure within the physical perimeter of an organisation however technology continues to change the landscape on daily basis. Take, for example, a 4GB key ring sized USB device capable of storing 10,000 word documents. These USB devices make it easier for data to trickle out beyond the perimeter. The changes in technology and internet usage make it a near impossible task for data security to be the responsibility of one or selected members of staff.
Data leakage through hackers exploiting known vulnerabilities is well publicised. Less so is the threat from employees discussing projects on trains or in airport lounges unknowingly providing competitors with confidential information.
Deterring the discussion of sensitive information in public is by no means a new idea – the World War Two ‘loose lips and careless talk’ propaganda posters clearly convey the message. Although the threat today may not seem as tangible, consider the implications for a small company who lose a key project after a competitor happens to eavesdrop on a conversation.
Protection, protection, protection
Data capture by hackers can occur through employees using unapproved applications on corporate networks. Personal emails are the most common application followed closely by online banking and shopping. These applications pose a risk as they are rarely monitored and non-compliant with company security standards.
The risk from employees occurs where they use laptops or smart devices to access company information. There is the risk that these devices will be left on a train for example. Whilst access to most company laptops is protected by user name and password requirements, all too often smart devices, such as ipads or Blackberrys, are unprotected and the information on the device can therefore be accessed easily.
There are a number of steps that can be taken to tackle data leakage, including:
•Create training that is suitable and applicable to the employees – one size does not always fit all;
•Establish and maintain a culture of data protection, this includes everyone having personal responsibility;
•Continuously evaluate the risk and changes to circumstances to maintain an understanding of the threat;
•Enforce encryption on mobile devices and only authorise use of smart devices if they have password protection;
•Provide tools that enable data security including regular awareness briefings – verbal & written;
•Ensure Security policies are appropriate, communicated and enforced – keep them simple and universally comprehensible; and
•Executives and senior management should serve as an example of data security good practice.
There is no magic pill or single solution to data leakage as the threat is often executed by individuals who may not understand the implications of their actions. Therefore the challenge is to make the awareness understandable and memorable, resulting in opportunities for leakage to be reduced and media stories of people mislaying laptops or smartphones avoided.
CS Risk Management is exhibiting at Infosecurity Europe 2013, the information security industry event on April 23 to 25, 2013 at Earl’s Court, London. The event provides a free education programme, and exhibitors showcasing new and emerging technologies. For further information – visit www.infosec.co.uk.
