With the rapid advances in technology and the attendant interconnected nature of computer systems, many business owners are becoming increasingly aware of the dire need to control the flow of information into, through and out of their enterprises.
For years, the focus of the business owner was on how to stop viruses, spam, network intrusions etc. Now the new threat is massive data leakage. This new threat affects all kinds of businesses large and small. According to a recent International Data Corporation (IDC) report, over 80 percent of respondents to a survey acknowledged that the fear of data loss and leakage was one of the biggest challenges facing their establishments. Of these, over 50 percent admitted that they were already victims of data leakage incidents.
Data leakage can happen in a variety of ways, but the most prevalent in a business environment are corporate email, lost or stolen laptops and desktops, web-based email services like Yahoo!, GMail etc., instant messaging, lost or stolen mobile devices (Blackberry, iPhone, Windows Mobile smartphones etc.), portable media such as USB flash drives/thumb drives, online storage services, and writable media like DVDs and CD-RWs. How many corporations know that their sensitive data is sitting on Yahoo!, Microsoft and Google servers? Much of it finds its way there because users want “mobile” email but cannot be given a Blackberry, for example, so it is very easy to forward corporate email to these web-based email accounts.
Data leakage can be devastating to the reputation and integrity of a business. It leads to bad publicity and the loss of good clients and customers, and in some extreme cases it can lead to the demise of the business. We have all read and seen the constant news of one government agency, retail business, educational institution or big financial conglomerate after another being humbled by incidents of data loss or leakage.
A few examples:
- An email containing critical data about faculty and staff members of Ohio State University Agricultural Technical Institute was accidentally sent to students.
- There have been numerous reports of people buying PDAs online only to find a treasure-trove of confidential corporate data on those devices.
- The Bank of Ireland lost the personal information of hundreds of customers when an employee copied the data to a USB drive.
- A government agent in the UK accidentally left secret documents on a commuter train.
- The TJ Maxx fiasco.
- The Veterans Affairs case of stolen laptops.
The fact of the matter is that today’s business environment is becoming increasingly difficult to protect. This is because in most organizations there are too many points of data entry into and out of the corporate environment. Add to that the increasing use of social media networking tools, blogs etc. and you have a major pain point for many organizations. Thus the traditional mechanisms for protecting corporate data, like firewalls, Intrusion Detection Systems (IDS), network rules etc., are increasingly becoming inefficient and insufficient.
Several security vendors have been working hard to offer solutions which seem to be fine in theory but fall well short in the real world. For one, many companies and organizations are heavily decentralized and do not have a central data classification system, which makes it very difficult to manage such data. In addition, many users, especially the top-level executives in many organizations, are very reluctant to allow “restrictive” policies to be put in place that may deny them access to certain areas of the network. In many companies, users are very skeptical of the installation of software that “tracks” their activities.
But the greatest obstacle is finding the skills and resources to devise and implement a comprehensive and viable data protection policy that does not get in the way of organizational productivity, especially when it involves several departments like human resources, finance/accounting, legal and business unit managers.
To combat data loss and leakage, organizations should start with the formulation and enforcement of an Acceptable Use Policy (AUP), followed by a well-rounded educational campaign to elicit employee buy-in. The AUP, in very simple terms, spells out for employees how they may use the organization’s resources (physical and intellectual), offers advice on best practices and highlights behaviors that are prohibited. The policy should cover things like email usage, the use of message boards, storage of sensitive information etc.
While many companies are working on developing integrated solutions for the prevention of data leakage, corporations and organizations can do a few things to stem the loss of critical data:
- Use endpoint protection software that can manage write access to portable devices.
- Use encryption on portable devices for those who need to carry them around, so that if a device is lost or stolen the data is at least potentially safe.
- Ensure that devices connecting to the network (VPN endpoints, laptops, remote desktops etc.) are compliant with the organization’s Acceptable Use Policy and security policy.
- Block peer-to-peer (P2P) traffic and other file-sharing connections.
- In security-sensitive environments, prevent the use of FTP clients, instant messaging, social media networks, unauthorized email clients, wireless network connections and smartphone synchronization.
- Use content scanning software at the gateway or network perimeter. This can be rule-based so that it identifies specific keywords and patterns like social security numbers and certain kinds of attachments.
- Use content scanning tools at the network perimeter to prevent malware from infecting the network.
- Prevent the download and installation of certain file types by blocking specific file extensions. There is software that can do deep content inspection, so that even if the user changes the file extension the content scanner will still prevent the download of such files.
- Block access to inappropriate websites like social media sites and free web-based email sites.
- Prevent the use of instant messaging clients unless they are monitored by the organization and users are aware that such communication is being monitored (AUP).
- Perform full disk encryption where possible on laptops and removable/portable devices like USB sticks and drives.
- Use email encryption. Many companies provide affordable and transparent email encryption tools.
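As an added illustration of two items in the list above, rule-based content scanning for patterns such as social security numbers and deep inspection that classifies a file by its content rather than its extension, here is a small Python scanner. It is not part of the original article or any vendor product; the SSN rule, the magic-byte table, the blocked-type policy and the sample message are all constructed for the example.

```python
import re

# Rule: US Social Security Numbers in the NNN-NN-NNNN form. Word boundaries stop
# the pattern matching inside longer digit runs such as account or phone numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def looks_like_ssn(area, group, serial):
    """Reject values the SSA never issues, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return every plausible SSN found in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if looks_like_ssn(*m.groups())]

# Deep inspection: identify the real file type from its leading bytes
# (file signatures), so renaming report.exe to report.txt does not help.
MAGIC = {
    b"MZ": "exe",          # Windows executables / DLLs
    b"PK\x03\x04": "zip",  # zip containers, also .docx/.xlsx/.jar
    b"%PDF": "pdf",
}
BLOCKED_TYPES = {"exe"}    # constructed policy for the example

def sniff_type(data):
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def check_attachment(name, data):
    """Allow or block by detected content type; the extension is ignored."""
    kind = sniff_type(data)
    if kind in BLOCKED_TYPES:
        return False, f"{name}: blocked content type '{kind}' despite extension"
    return True, f"{name}: allowed ({kind})"

def scan_message(body, attachments):
    """Return the policy findings for one outbound message."""
    findings = [f"SSN detected: {s}" for s in find_ssns(body)]
    for name, data in attachments.items():
        ok, reason = check_attachment(name, data)
        if not ok:
            findings.append(reason)
    return findings

if __name__ == "__main__":
    # Constructed sample message; none of these values are real.
    body = "Payroll: SSN 123-45-6789 for J. Doe; ref 000-12-3456 and 987-65-4321 are invalid."
    attachments = {"report.txt": b"MZ\x90\x00fake header", "notes.pdf": b"%PDF-1.4 ..."}
    for finding in scan_message(body, attachments):
        print(finding)
```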