How to protect data - a quick reference
The ability to move massive amounts of information between PCs and portable storage devices means that it's now incredibly easy for confidential data to be taken from companies without knowledge or consent.
The perpetrators of such crimes are rarely stereotypical hackers, attacking systems via the internet from their mafia headquarters or their student dorms. Instead, the data thieves are frequently much closer to home. Unescorted visitors, for example, or temporary staff who have joined the organization purely to copy data and hand it over to a competitor. Or, as is becoming increasingly common, unhappy staff who are about to resign but think it's a good idea to first take copies of anything which might be useful in their new job. And lastly, innocent employees who simply don’t follow security policy, copy work files to take home and lose the unprotected storage device.
Unguarded USB ports on today's PCs are perhaps the biggest single threat to corporate IT security. A USB memory stick now holds gigabytes of data, but an MP3 player, smartphone or PDA is just as effective for the data thief: all of them connect to any PC over a USB cable using the mass-storage or media-transfer class drivers already built into the operating system, so nothing has to be installed and the thief does not need to be logged in as an administrator.
A few drags and drops, and the deed is done in a few seconds. Where the amount of data to be stolen is beyond the capacity of an iPod or PDA, external USB drives comprising half a terabyte of storage are now available on the high street for less than a hundred pounds.
USB devices aren't the only way in which information can be stolen electronically, of course. Most mobile phones nowadays include a camera, which can be used to quickly make an electronic copy of a printed page.
Pocket OCR wands and portable scanners offer similar facilities to the opportunistic data thief who stumbles across a confidential printed document. Or he could simply make a photocopy of a document and put it in the post. However, using any of these methods to steal large quantities of data is simply not practical because of the time required. Controlling the use of USB devices is of far greater importance.
While the disgruntled employee is a prime suspect in many data thefts, actions by former employees should also be considered in your data protection plans. Is every account disabled, and every group membership and remote-access right withdrawn, on the day the person leaves, and are the old permissions reviewed and removed when someone changes department? Disable immediately and delete after a fixed retention period rather than deleting on day one: a deleted account can no longer be used to reassign the leaver's files and mailbox, and permission entries that referred to it become unresolvable SIDs that nobody recognises. Leaving dormant accounts in place isn't just dangerous, but might also mean that you fall foul of the Data Protection Act by storing personal information that you no longer need to retain.
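What withdrawing a leaver's access looks like in Active Directory, as an added example (not from the original article and not part of any Pointsec product). It assumes the RSAT ActiveDirectory module and rights over the account; the OU path, ticket reference and account name are placeholders.

```powershell
# Added example (not from the original article): offboarding a leaver in Active Directory.
# Assumes the RSAT ActiveDirectory module and rights over the account; the OU path, ticket
# reference and account name are placeholders.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $LeaversOU = 'OU=Leavers,DC=example,DC=com',   # placeholder OU
        [string] $Ticket    = 'HR-0000'                          # placeholder reference
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable first. If anything below fails, the account is already unusable.
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value so cached or shared credentials stop working.
    $chars = [char[]] ((48..57) + (65..90) + (97..122))
    $newPw = -join ($chars | Get-Random -Count 32)
    Set-ADAccountPassword -Identity $user -Reset `
        -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)

    # 3. Strip group memberships: file-share and application rights go with them, so an
    #    account re-enabled by mistake reaches nothing. (The primary group, usually
    #    Domain Users, is not listed in MemberOf and is not removed here.)
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Record why and when, then park it where the retention job will find it. The account
    #    stays, disabled, for the retention period and is deleted afterwards, not on day one.
    Set-ADUser -Identity $user -Description ('Leaver {0:yyyy-MM-dd} {1}' -f (Get-Date), $Ticket)
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU
}

# Audit: enabled accounts nobody has logged on with for N days are the leavers, contractors
# and test users that the process above missed.
function Get-StaleEnabledAccounts {
    param([int] $Days = 90)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Usage (placeholder account):
# Disable-LeaverAccount -SamAccountName 'jsmith' -Ticket 'HR-1234'
# Get-StaleEnabledAccounts -Days 60 | Format-Table -AutoSize
```

Two caveats a practitioner will want: the inactivity search relies on lastLogonTimestamp, which AD only replicates roughly every two weeks, so treat the day count as approximate; and the domain account is only one credential, so VPN certificates, cloud identities and any shared service passwords the leaver knew need their own revocation step.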
To reduce the problem of data leakage in your company there are three effective strategies. First, ensure that you have a policy which clearly states who is allowed to take data off-site, and how the data must be protected when it’s away from your premises.
Second, ensure that data doesn't leave the building without your knowledge. Finally, ensure that data which needs to be removed from the building is protected so that it can’t fall into the wrong hands.
To control which data files leave your premises in the first place, apply least privilege: set up accounts and groups on servers and workstations so that employees can't access information which they have no need to see. Those in sales and marketing, for example, probably don't need access to the product development department's files on the server, so grant the folder to a product-development group rather than to individual users, stop it inheriting the broad permissions of the share root, and set the access permissions accordingly. Then check from the other side: list the folders where Everyone, Authenticated Users or Domain Users still have access, because a single such entry quietly undoes the departmental restriction.
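The departmental restriction and its cross-check on an NTFS file server, as an added example (not from the original article). Paths and group names are placeholders; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original article): lock a department folder down to its own
# group and find folders that are still open to everyone. Paths and group names are
# placeholders; assumes PowerShell 5.1+ on an NTFS file server.
$RuleType = [System.Security.AccessControl.FileSystemAccessRule]

function Set-DepartmentFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,              # e.g. 'D:\Shares\ProductDevelopment'
        [Parameter(Mandatory)] [string] $DepartmentGroup,   # e.g. 'EXAMPLE\ProductDev-Staff'
        [string[]] $AdminPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Path

    # Cut the folder off from the share root's inheritance ($true) without copying the
    # inherited entries in ($false); otherwise a 'Users' or 'Everyone' entry higher up wins.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop every explicit entry so the result is exactly what is added below, nothing historical.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($rule)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($admin in $AdminPrincipals) {
        $acl.AddAccessRule($RuleType::new($admin, 'FullControl', $inherit, $prop, 'Allow'))
    }
    # 'Modify' lets the department read, write and delete but not change permissions or take
    # ownership, so a member cannot quietly grant a friend in sales access.
    $acl.AddAccessRule($RuleType::new($DepartmentGroup, 'Modify', $inherit, $prop, 'Allow'))

    Set-Acl -Path $Path -AclObject $acl
}

# The check from the other side: which folders under the share root still grant access to
# catch-all principals? Any hit here undoes the departmental restriction.
function Find-BroadlyReadableFolders {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users',
                                        'EXAMPLE\Domain Users')   # placeholder domain
    )
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hits = (Get-Acl -Path $_.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $BroadPrincipals -contains $_.IdentityReference.Value }
        if ($hits) {
            [pscustomobject] @{
                Path       = $_.FullName
                Principals = ($hits | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            }
        }
    }
}

# Usage (placeholders):
# Set-DepartmentFolderAcl -Path 'D:\Shares\ProductDevelopment' -DepartmentGroup 'EXAMPLE\ProductDev-Staff'
# Find-BroadlyReadableFolders -Root 'D:\Shares' | Format-Table -AutoSize
```

Remember that NTFS permissions and share permissions are evaluated together: a share granting Everyone Full Control is fine as long as the NTFS ACL below it is tight, but the reverse is not, so run the audit against the NTFS side, which is where the real restriction lives.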
Over-use of rules and regulations can lead to low morale, however, if the workforce feels that it clearly can't be trusted. Beware of becoming seen as Big Brother. It won't drive the data thieves away, but simply make them more determined.
It's also well worth investing in a port control product such as my company's Pointsec Protector, which can automatically block USB devices from being connected to your systems without authorization. The software also includes transparent encryption, so that information copied to USB devices is automatically rendered inaccessible to thieves.
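The built-in Windows equivalent of the port-control part, as an added example that is not the product mentioned above and not code from the article. It sets the registry values behind the "Removable Storage Access" and BitLocker Group Policy settings and assumes an elevated session; the device-class GUIDs are the ones Windows uses for removable disks and portable (MTP) devices.

```powershell
# Added example, not the product the article describes: native Windows policy that blocks or
# restricts removable storage. Run elevated. These are the registry values behind the
# "Removable Storage Access" and BitLocker Group Policy settings; deploy them by GPO in
# production, because a local administrator can simply edit a locally set key.
$RsdKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$FveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Device setup classes the policy recognises. USB sticks and external drives are "Removable
# Disks"; phones and MP3 players usually enumerate as WPD/MTP devices, which disabling the
# USBSTOR driver alone does not cover.
$Classes = @{
    RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    WpdDevices1    = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    WpdDevices2    = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}

function Set-RemovableStorageMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Block', 'ReadOnly', 'EncryptedWriteOnly', 'Allow')]
        [string] $Mode
    )
    $denyRead  = [int] ($Mode -eq 'Block')
    $denyWrite = [int] ($Mode -in 'Block', 'ReadOnly')
    foreach ($guid in $Classes.Values) {
        $k = Join-Path $RsdKey $guid
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name Deny_Read  -Value $denyRead  -Type DWord
        Set-ItemProperty -Path $k -Name Deny_Write -Value $denyWrite -Type DWord
    }
    # EncryptedWriteOnly: writes to a removable drive are refused unless it is BitLocker
    # protected, so whatever does leave on a stick leaves encrypted.
    New-Item -Path $FveKey -Force | Out-Null
    Set-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess `
        -Value ([int] ($Mode -eq 'EncryptedWriteOnly')) -Type DWord
    # Block additionally stops the USB mass-storage driver loading (4 = disabled, 3 = manual).
    Set-ItemProperty -Path $UsbStor -Name Start `
        -Value $(if ($Mode -eq 'Block') { 4 } else { 3 }) -Type DWord
}

# Read the effective settings back, e.g. from an audit script run across the estate.
function Get-RemovableStorageMode {
    $p    = Join-Path $RsdKey $Classes.RemovableDisks
    $read = (Get-ItemProperty -Path $p -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
    $writ = (Get-ItemProperty -Path $p -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $fve  = (Get-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    $usb  = (Get-ItemProperty -Path $UsbStor -Name Start).Start
    [pscustomobject] @{
        DenyRead               = [bool] $read
        DenyWrite              = [bool] $writ
        WriteRequiresBitLocker = [bool] $fve
        UsbStorDriverDisabled  = ($usb -eq 4)
    }
}

# Usage:
# Set-RemovableStorageMode -Mode EncryptedWriteOnly
# Get-RemovableStorageMode
```

The policy keys apply to devices connected after the next policy refresh and the USBSTOR change to drivers loaded after a reboot, so test on a machine with a stick already plugged in. Authorising specific corporate-issued sticks while denying the rest is done with the separate "Device Installation Restrictions" policy, which allows devices by hardware ID; and none of this touches the camera, e-mail or cloud routes the article mentions, so it is a control on the highest-volume channel, not on all of them.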
Normally you will want to prevent confidential files leaving your premises, but this won't always be the case. Sometimes, allowing staff to take files away is necessary and beneficial. Salespeople need access to product information when they're away from the office, and marketing people often prepare PowerPoint presentations for delivery at conferences and seminars. Staff need to take work home at the weekend if they're particularly busy, and preventing them from doing so will deprive the company of some useful effort (not to mention all that unpaid overtime).
It's absolutely vital that you protect information which is taken off the premises. If a sales manager's laptop is stolen from the boot of her car, you need to be sure that the customer information on its hard disk can't be accessed by the thief. If your marketing manager's PDA goes missing while he's at a conference, can you be confident that the document containing details of next year's product launches won’t be accessible to whoever buys the stolen hardware?
The solution to this problem is encrypting data. There are many products on the market, but ensure that the solution you choose is proven, transparent and automatic: the whole disk or device is encrypted rather than selected files, the key is bound to the hardware or to a pre-boot credential rather than stored alongside the data, and recovery keys are escrowed centrally so that the help desk, not the user, holds the way back in. Eliminating user interaction is what makes the policy enforceable and what lets you demonstrate compliance, since a laptop that is encrypted by default cannot be "forgotten". Deploying such a solution also improves the trust and loyalty of clients and employees, who recognise that every effort is being made to protect their sensitive data and that a lost or stolen device need not become a data breach.
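Transparent, automatic disk encryption with central key escrow, as an added example using BitLocker rather than the product the article refers to (this is not the article's code). It assumes a domain-joined Windows laptop with a TPM, the BitLocker PowerShell module, a Group Policy that permits recovery-password backup to Active Directory, and an elevated session.

```powershell
# Added example, not the product the article describes: BitLocker set up so that encryption is
# transparent to the user (key sealed in the TPM, nothing extra to type at boot) and recovery
# stays with the organisation (recovery password escrowed to Active Directory). Assumes a
# domain-joined laptop with a TPM, the BitLocker module, a GPO permitting AD key backup, and
# an elevated session.
function Enable-TransparentDiskEncryption {
    param([string] $MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }   # already protected, nothing to do

    # 1. Start encryption with a recovery password and escrow it straight away, so that a
    #    failure later in the rollout never leaves a volume nobody can unlock.
    $vol = Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
               -RecoveryPasswordProtector -SkipHardwareTest
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
              Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # 2. Add the TPM protector before the first reboot. The TPM releases the key only when the
    #    measured boot chain matches, so a disk pulled from the stolen laptop and mounted
    #    elsewhere is ciphertext, and the user never sees a prompt.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Compliance view: protection state and which protectors each volume has. 'Tpm' plus
# 'RecoveryPassword' on the OS volume is the state the function above leaves behind.
function Get-EncryptionCompliance {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage,
            @{ Name = 'Protectors'
               Expression = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',' } }
}

# Usage:
# Enable-TransparentDiskEncryption -MountPoint 'C:'
# Get-EncryptionCompliance | Format-Table -AutoSize
```

Two design points worth knowing. A TPM-only protector is what makes the scheme transparent, but it unlocks the disk for anyone who boots the laptop, so it protects against the "disk pulled and read elsewhere" case and relies on the Windows logon for the rest; for high-value machines a TPM-plus-PIN protector trades a little transparency for protection against that. Removable drives have no TPM, so BitLocker To Go on a USB stick needs a password or smart card from the user; pairing it with the "write only to BitLocker-protected drives" policy is what keeps the stick route both usable and encrypted.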