Nowadays, our personal and professional lives are heavily influenced by technology. Everything is going digital—from the cassette player to the picture frame. And whether a technology is designed to help us communicate, to take pictures, to listen to music, or to watch a movie, every gadget that we carry has the ability to store large volumes of data in digital form.
The ability to move massive amounts of information between traditional PCs and portable storage devices means that it is now incredibly easy for confidential data to be taken from companies without their knowledge or consent. Interestingly, the perpetrators of such crimes are rarely stereotypical hackers, attacking systems via the Internet from their mafia headquarters or their student dorms. Instead, the data thieves are frequently much closer to home. For example, unescorted visitors or temporary staffers that have joined the organization purely to copy data and hand it over to a competitor. Or, as is becoming increasingly common, unhappy staffers who are about to resign but think it is a good idea to first take copies of anything that might be useful in their new jobs. And lastly, innocent employees who simply do not follow security policy, copy work files to take home, and then lose their unprotected storage devices.
640 boxes of information in your pocket
In the days of Windows 1.0, Bill Gates famously said that no one would ever need more than 640 KB of RAM on their PCs. Today, you can buy a 16GB USB stick that fits on a key ring. Allowing for a generous 10 KB for a page of text, and assuming five reams of 500 sheets comprise a box of printer paper, we arrive at an interesting modern take on Bill’s original quote. You can now carry 640 boxes of information in your pocket alongside your keys to the office—plenty of capacity for someone to walk off with your sales database or the source code for your next product. As to whether anyone will ever need to carry even more, only time will tell.
Unguarded USB ports on today’s PCs are perhaps the biggest threat to corporate IT security. As well as the aforementioned USB pen drives, MP3 players, smartphones, and PDAs are fundamental tools of data thieves. Not only can such devices store tens of gigabytes of data, they can all be quickly connected to any PC via a USB cable without the need for any driver software to be installed—and therefore, without the need for thieves to be logged in as administrators. A few drags and drops, and the deed is done—typically, in just a few seconds. Where the amount of data to be stolen is beyond the capacity of an iPod or PDA, external USB drives comprising half a terabyte of storage are now available for less than $200.
USB not the only way to steal electronically
Of course, USB devices are not the only way to steal information electronically. Today, most mobile phones include a camera, which can be used to quickly make an electronic copy of a printed page. Pocket OCR wands and portable scanners offer similar facilities to the opportunistic data thief who stumbles across a confidential printed document. Or she could simply make a photocopy of a document and put it in the mail. However, using any of these methods to steal large volumes of data is simply not practical because of the time required. Controlling the use of USB devices is of far greater importance.
While the good-old disgruntled employee is a prime suspect in many data thefts, actions by former employees should also be considered in your data protection plans. Do you delete all your user accounts and passwords as soon as the corresponding employees leave the company or change departments? Failure to delete such information is just dangerous.
Three particularly effective data leakage strategies
To reduce the problem of data leakage in your company there are three particularly effective strategies to ensure that:
- You have a policy that clearly states who is allowed to take data off site and how the data must be protected when it is away from your premises
- Data does not leave the building without your knowledge
- Any data that needs to be removed from the building is protected so that it cannot fall into the wrong hands
Set up user accounts on servers, workstations
First of all, to control which data files leave your premises, set up user accounts on servers and workstations so that employees cannot access information that they have no need to see. For example, those in sales and marketing probably do not need access to the product development file server, so set the access permissions accordingly. However, overuse of rules and regulations can lead to low morale if the workforce feels that it clearly cannot be trusted. Beware of becoming seen as Big Brother. It will not drive data thieves away, just make them more determined.
Worth investing in a port control
In the second place, it is also well worth investing in a port control product that can automatically block USB devices from being connected to your systems without authorization. There are various such products available, such as Check Point Endpoint Security Media Encryption. This also includes transparent encryption, so that information copied to USB devices is automatically rendered inaccessible to thieves.
Although you will normally want to ensure that none of your confidential files leaves your premises, this will not always be the case. Sometimes, allowing staff to take files away is necessary and beneficial. Sales personnel need access to product information when they are away from the office, and marketing people often prepare PowerPoint presentations for delivery at external conferences and seminars. Your staff may need to take work home on weekends if they are particularly busy, and preventing them from doing so will deprive your company of some useful effort.
Vital to protect information off premises
Third, it is vital that you protect information that is taken off the premises. If a sales manager’s laptop is stolen from the trunk of her car, you need to be sure that the customer information on its hard disk cannot be accessed by the thief. If your marketing manager’s PDA goes missing while she’s at a conference, can you be confident that the document containing details of next year’s product launches will not be accessible to whoever buys the stolen hardware? The solution to this problem is encrypting data. There are many products on the market, but ensure that the solution you choose is proven, transparent, and automatic, eliminating user interaction and creating a fully enforceable solution that holds up to the most stringent compliance requirements. Deploying an encryption solution will improve the level of trust and loyalty of customers and employees who recognize that every effort is being made to protect their sensitive data and ensure that a lost or stolen device never results in a data breach.