How should organisations mitigate their risk of suffering a damaging data breach? Steve Smith, MD of security consultancy Pentura describes a stepwise approach to the problem
In the early 90s, a National Security Agency (NSA) official wrote a memo expressing concerns about how internal IT staff could be a security risk to the organisation – a risk that was realised 23 years later by NSA contractor, Edward Snowden who disclosed top secret documents to the press, which then went viral.
“It seems amazing that so few are allowed access to so much information – apparently with little or no supervision or security audits,” the official wrote, in a time when few had heard of the internet, email or had even used a personal computer.
Not every business harbours such a large volume of highly confidential information, but a majority have business-critical and sensitive data, whether it’s intellectual property, financial information or employee records. How many would want this type of information to get into the wrong hands?
The consequences of data leaks can be catastrophic in terms of damage to reputation, as well as financial losses such as imposed fines and lost revenues. It is estimated that each record leaked can cost around £80 (Taken from a 2013 Ponemon Institute study: Cost of Data Breach) to the business responsible; once you multiply that by tens of thousands of compromised records, the figure starts to look daunting.
So how should organisations protect their data and themselves against the risks of damaging data leaks and losses – whether accidental, or malicious? The solution is data loss prevention (DLP). However, many businesses have avoided deploying solutions to prevent data loss, because DLP implementation is often seen as complex and fraught with challenges, involving a series of in-depth investigative processes.
First, the information stored on an organisation’s servers and employees’ PCs needs to be audited and classified according to its sensitivity and confidentiality. Then the firm needs to evaluate its exposure to risk, and establish exactly what’s at stake should sensitive data leak. Finally, having taken these steps, the business needs to consider the measures needed to counter and manage those risks, in terms of employee training, establishing new policies, controlling access to material and protecting data by encryption or other means.
While at first glance this may seem like an onerous series of tasks, not all of the steps described have to be taken at once. In fact, many organisations may not need to implement more than a couple of these steps to protect themselves against major risks of data loss.
One piece at a time
The most effective data loss prevention strategy is to approach it in bite-sized portions. The first step is to discover what type of information the company holds, and what the consequences would be if different types of files and documents were to get into the wrong hands. This classification of data will help businesses to understand what their true risk of a breach is. The risk may be fairly low if a company doesn’t hold sensitive data other than that of their employees and, as a result, the need for a security solution may also be low.
In contrast, many organisations do carry information about clients and partners, as well as intellectual property which is highly sensitive, in which case solutions such as encryption and identity and access management may need to be deployed.
Who’s using your data?
The next step is to monitor how data is being accessed and how information flows around the business. Does remote working form part of business practice? Is confidential data put onto USBs, emailed, or posted to personal Cloud storage accounts? The answer will inevitably be yes, as businesses cannot function without sharing information; but just how sensitive is this data? Are your employees walking around with confidential data without any form of protection or even your knowledge of doing so?
Auditing how data is used in an organisation is challenging, so it’s often useful for businesses to work with an external consultancy to help with monitoring the data flows across their networks, and to recommend how data policies and procedures can be set up and managed to maintain security and enforce good practice.
Using people power
It is clear that staff can unwittingly be the weakest link in a business’ bid to protect its information, so in addition to IT security, it’s important that staff know what the do’s and don’ts are when it comes to sharing information. This applies to staff at all levels and at all stages of their career in an organisation. It should be part of the induction, and be on-going, even made part of personal development plans.
Training on such a dry subject can often be forgotten, resulting in a lack of compliance, so it’s a good idea to make it as practical and jargon free as possible and to make sure there is some form of measurement attached to ensure it has been done. A test at the end of the training is a good idea as this will also identify any gaps in understanding.
E-learning resources on data security issues – from use of removable media, appropriate use of email and social media applications, to phishing awareness – are available to help you harness one of the most effective solutions available to organisations: security-savvy staff.
While times have changed, and we all have access to computing power that was unimaginable back in 1991 when that NSA agent wrote his original report, the threat of data losses and breaches remains and is stronger than ever. But with a stepwise approach to DLP, protecting your information assets need not be onerous.