Dr Guy Bunker, SVP of Products at the data loss prevention product company Clearswift, offers three ways staff are threatening businesses.
As an organisation, you will be more than aware of data loss threats and the risk that they cause to business. But, have you ever considered the risk from receiving an email by mistake? Or how an automated backup and freebie USB sticks could result in a large fine? In a world of increasing legislation and regulation, the old adage of “ignorance is bliss” is not useful, especially when it comes to data. So, outlined below are the top three issues which you probably have now, but haven’t thought about yet, let alone addressed. Left unchecked, these risks can come back and bite you and your business, with the potential of a significant fine for a compliance breach.
1. Email Received in Error
The most common way an employee can acquire unwanted sensitive data is by receiving it in email. Someone has sent it in error – and there is often a note shortly afterwards saying “Please delete the email I just sent, it was a mistake.” While this can be embarrassing if it’s an internal email, if it has come from outside, then action needs to be taken to minimise the risk. If the employee just deletes the contents without notifying the appropriate department who can properly ‘cleanse’ the email and archive systems, that sensitive information remains stored on the corporate network. This leaves the organisation vulnerable to additional costly work or even compliance fines when it comes to GDPR or PCI DSS should the matter surface later through an audit check or a ‘right to be forgotten’ request.
2. Personal Devices
Another unwanted sensitive data risk scenario is where employees connect unauthorised personal devices (e.g. external hard drives or USBs) to company systems. I’m the first to admit that freebie USB sticks from conferences are extremely useful. However… employees can copy or acquire sensitive data onto their unauthorised device (which most probably isn’t encrypted), which can then be lost or stolen and create a data breach. Allowing sensitive corporate data to be copied onto devices which are outside corporate monitoring and control creates a major data breach risk which is no longer acceptable. While a company policy may exist (“Don’t use unauthorised devices to access corporate data”), there is a need for enforcement.
3. Unauthorised Software Applications
Many organisations allocate company equipment and devices (laptops, mobile phones etc.) to employees to enable them to work remotely. For laptops, the same security and software programmes are generally deployed on all devices in accordance with company policy. However, many companies do not properly monitor devices, especially mobile phones, to ensure company security policy compliance. Employees often download applications to make their job easier – but this can create risk if they are not vetted or approved by the IT team. Examples include the automatic backup of company contacts into the cloud, or applications which are granted access to contacts and photos so that they can be shared. This results in critical information being uploaded and stored in unknown and unauthorised locations, particularly in the cloud. Once again, there is potential here for organisations to suffer a compliance breach as they are unable to discover and appropriately secure the data. Furthermore, when the individual leaves an organisation, they will continue to have access to the company information that they uploaded to the cloud, which is a serious business risk and makes it impossible to remain compliant.
None of these data security issues are new or unique, and while there are a number of risks involved with working remotely, less than half of organisations actually enforce data encryption policies on mobile/remote devices. Improving security is not just about technology. It’s important to ensure that employees are aware of the risks they could face working remotely and on non-corporate devices, including the ways in which sensitive data might be acquired and stored. Educating employees on how to prevent issues such as unauthorised data acquisition is key to improving the risk posture. Awareness of other security issues, including data breaches, phishing, business email compromise (BEC) and malicious inbound threats such as ransomware hidden in a weaponised document, also needs to be covered.
Businesses must have policies and processes in place that encourage secure behaviour. For example, allowing employees to only access company sensitive information on company-approved devices will limit risks of data ending up in unknown locations. There also needs to be a process to follow should an employee receive sensitive data by mistake in order to minimise the future risk it could create.
Technology needs to be implemented to enforce policies and processes and to protect employees and the business. Deploying solutions that can automatically discover critical data stored across a company network and apply the security measures demanded by industry regulations is now crucial. As organisations adapt to changing business practices, the number of risks that need to be mitigated will increase. Staying ahead of the curve can be daunting, but it needs to happen – and this isn’t a one-off effort, it is a program of constant improvement. While technology can be deployed to act as a safety net, it is not a silver bullet to solving all security risks. It is when technology is combined with educating employees and having solid company policies in place that the risks can be truly mitigated.
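The data-discovery capability the closing paragraph calls for, as an added example that is not Clearswift's or the author's code: a minimal scanner that finds Luhn-valid payment card numbers (the PCI DSS data the article mentions) in a set of documents or a directory tree and reports only masked values, so the scan output does not itself become another copy of the sensitive data. The regular expression, function names and sample documents are constructed assumptions for the illustration.

```python
import os
import re

# Candidate runs of 13 to 19 digits, optionally separated by single spaces or dashes
# (constructed pattern; a production scanner would handle more formats).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card-like numbers found in text, as bare digit strings."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(digits: str) -> str:
    """Keep only the last four digits so a findings report is not itself sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_documents(documents: dict) -> dict:
    """Map each document name to the masked card numbers found in its text."""
    findings = {}
    for name, text in documents.items():
        hits = [mask(h) for h in find_card_numbers(text)]
        if hits:
            findings[name] = hits
    return findings

def scan_tree(root: str) -> dict:
    """Read every file under root (as loose UTF-8 text) and scan it like a mail archive or share."""
    documents = {}
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    documents[path] = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return scan_documents(documents)

# Constructed sample: one misdirected email body plus two harmless files.
SAMPLE_DOCUMENTS = {
    "mail/misdirected.eml": "Card: 4111 1111 1111 1111, please delete this email!",
    "docs/invoice.txt": "Order 1234567890123456 shipped.",   # 16 digits but not Luhn-valid
    "docs/notes.txt": "Nothing sensitive here.",
}
```

Running `scan_documents(SAMPLE_DOCUMENTS)` reports only the misdirected email, with the card number masked; `scan_tree("/path/to/archive")` does the same over files on disk.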