IT security: have data? Will travel
Leaking data - what are you doing about it?
Have data? Will travel
Insiders are misappropriating your organisation's data in every way they can, but should you try to prevent all of it? The key is to determine which leaks are worth worrying about.
Just when organisations felt they were gaining the upper hand in their defence against external IT security threats, comes a rise in problems caused by internal risk factors.
Often termed the 'enemy within', malicious hacks on the enterprise system launched from the system itself remain in the minority compared to instances of data leakage - the unintentional and/or illicit loss of secure information into an insecure environment.
According to research by Trend Micro data leaks have become a top source of headaches for UK, US, German, and Japanese companies; and it's not just publicised breaches like the mislaid HMRC CDs, or the lost MoD laptop last January that are fanning the flames of concern. Organisations that bother to check are finding that considerable quantities of data are trotting out through the staff entrance.
Trend's Corporate End User Study 2008, which surveyed 1,600 corporate end-users, found that the loss of proprietary company data and information was ranked as the second most serious threat at work, following viruses. Respondents considered this to be 'more serious' than most other threats such as spam, spyware, and phishing.
Many blamed and shamed when it comes to corporate data leaks. While 6 per cent of end-users admitted to having 'leaked' company information, 16 per cent believe other employees caused data leaks.
The reasons why data leaks out of an organisation vary. Sometimes the data leaves as part of standard business practice, sometimes it is misappropriated on the off-chance that it might have some value to the filcher or to competitors; some data is probably filched just because it is there.
The rise could also be partly due to the fact that many organisations have started to take data leakage more seriously since the headline stories of data loss over the last two years. The headline scandal stories may also be turning the heads of staff who hitherto would not have thought of using their access to corporate data for illicit purposes.
What is sure is that staunching internal data loss poses as big a challenge as attacks by outsiders. "The risk-split used to be 80-20 in external's favour," says Andy Jones, principle research consultant at industry body the Information Security Forum (ISF). "Now I'd say it's more 50-50."
The proliferation of technologies that enable easy data transport makes misappropriation a doddle. Lost laptops and optical media (CDs and DVDs) are well publicised (although wider awareness hasn't halted the laptop problem - research by the Ponemon Institute suggests that 175,000 laptops go missing in Europe's major airports each year); the potential for storage devices like USB sticks and MP3 players to be used for data theft poses bigger problems for IT security administrators.
And don't forget Web email, which enables employees to attach unprotected files from insecured corporate drives to external mail accounts accessed via company browsers. Just like external threats, internal data leakage is a confluence of different and often disassociated factors at play.
With the rise of the mobile enterprise and working practices that leave employees spending less time tied to the base office, levels of data leakage are bound to worsen, predicts Gil Sever, CEO at Safend. And the problem does not stop just because people are on vacation.
"More and more corporate workers - from senior execs to office administrators - are making 'disconnected holidays' a thing of the past, and no longer leaving productivity tools at home, making themselves accessible and business-aware even while traveling," he says. "As the number of vacationers taking their laptops and devices poolside increases, so does the risks to corporate data."
Faced by this panoply of potential breaches, data owners "have to be realistic", says the ISF's Andy Jones: "In truth they should expect data to leak. So many routes out of the building exist that it's impossible to stop it. Addressing the problem lies in deciding which data loss you can live with, and which data loss hurts the business."
Rather than expend expensive resources in lockdown procedures, organisations should first apply a value to their data assets, so that their 'crown jewels' can be identified and be most protected. Then values can be applied to surrounding data by association. But, adds Jones, most organisations are remissive toward classifying their data: "The state of the art is poor. Data classification is not that sexy, to be honest, and it can prove difficult to get colleagues excited about a business case for valuing data. There's just too much of the stuff, and the task is too daunting."
When this happens it's easier to address the problem by focusing on technological palliatives, argues CA's Mike Small, because data leakage should be seen as a business problem to be addressed by business processes - and not by the IT function. "Take access privileges. Discriminating between mandatory access and discretionary access is a business issue: yet often it is the IT administrator who assigns status."
Tackling internal risk management issues such as controlling senior staff's previously unchallenged access to critical information and also privileged access for company administrators is difficult: "These are often not properly managed but both are a potential risk to the business," Small avers. "Data leakage happens at all levels [of the corporate hierarchy]. You have to decouple access from status."
An associated thorny issue to beware of is 'entitlement creep', where staff change role within an organisation, but their existing entitlements remain, allowing continued system access to data which is no longer pertinent to their new role. CA's Small says that IT departments could do much to reduce data leakage by shoring-up internal IT security procedures with the practice standards of ISACA's COBIT IT governance standards, as well as those of an ITIL IT service management documentation. "Implementing these tools would go a long way to staunching data leakage," he believes.
Kaspersky® Internet Security package worth £40!
E&T magazine is teaming up with leading information security solutions provider Kaspersky Lab to offer our readers the chance to win ten copies of its newly-launched Kaspersky® Internet Security 2009 one user/one year worth £40 each, plus 25 limited-edition Eugene Kaspersky 'Viruses No pasarán!' T-shirts.
Kaspersky Lab's award-winning technology provides home PC and laptop users with all-in-one security for worry-free computing. With hourly updates, high detection rates, and free telephone technical support, Kaspersky® Internet Security 2009 features a
new antivirus engine for dramatically improved protection, performance, and reliability - and a new user interface now makes these products easy to use.
All you need to do to enter the competition is send in the correct answers to the following three security-related questions:
1: What decade did PC viruses in the wild emerge?
- A 1970s
- B 1980s
- C 1990s
2: What was the name of the virus that Kaspersky Lab has launched an international initiative to stop?
- A Gpcode
- B Storm botnet
- C MyDoom
3: Which UK bank has recently offered Kaspersky Lab software to its online customers as a free download?
- A Abbey National
- B Barclays
- C First Direct
- Posting your entry to Jackie Herbert, Kaspersky Competition, IT Section, E&T magazine, Michael Faraday House, Six Hills Way, Stevenage, Herts SG1 2AY, UK.
- Email your entry to email@example.com - we'll print them out on receipt.
The deadline for receipt of entries is Monday 29 September 2008.
Please include your name, postal address, email address, and contact telephone number.
The correct entries will go into a random draw made by the IT section editor. The first ten correct entries drawn win a factory-fresh, shrink-wrapped copy of Kaspersky Internet Security 2009, plus a 'Viruses No pasarán!' T-shirt (one size). The next correct 15 entries drawn will receive a T-shirt only. Winners will be notified by Friday 10 October 2008. For the purposes of this competition the Editor's decision is final.
Terms and conditions:
By entering, all eligible entrants agree to abide by each and all of these terms and conditions. Entries are limited to one per household. Entries will only be eligible if the questions are correct according to the answers confirmed by Kaspersky Lab, and include the entrant's full name, postal address, email address, and contact telephone number. All winning entries will be verified for authenticity before prizes are released. This competition is not open to the employees of the Institution of Engineering and Technology or Kaspersky Lab, or their families. Winners may be required to submit valid identification before receiving their prize. Emailed entries will be sent an acknowledgement of receipt by email within 24 hours. The IT Section Editor's decision is final. No correspondence or communication will be entered into regarding the results, terms and/or conditions of the competition. The winners will be notified within seven days of the closing deadline. IET Services reserves the right to exclude entrants and withhold prizes, for violating any of these terms and conditions. Entrants' details will not be used for marketing purposes by the IET or Kaspersky Lab.
|To start a discussion topic about this article, please log in or register.|
"Is augmented reality the next big thing or a marketing gimmick? Is it fundamental to the future or a fashion faux pas?"
- Fukushima Daiichi Unit 3 5th Floor Highly Radioactive Debris [03:09 pm 17/05/13]
- Cluster formation on cooja simulator [01:59 pm 17/05/13]
- DSLAM Power Consumption [01:58 pm 17/05/13]
- English is not my first language. [01:23 am 17/05/13]
- Transport 2020 [09:35 pm 16/05/13]
Tune into our latest podcast