CD in drive

IT security: have data? Will travel

Data is leaking out of your organisation by hook or by crook: but how much of it is really worth worrying about? Plus: Win Kaspersky Internet Security software worth £40 in our competition.

Just when organisations felt they were gaining the upper hand in their defence against external IT security threats, comes a rise in problems caused by internal risk factors.

Often termed the 'enemy within', malicious hacks on the enterprise system launched from the system itself remain in the minority compared to instances of data leakage - the unintentional and/or illicit loss of secure information into an insecure environment.

According to research by Trend Micro data leaks have become a top source of headaches for UK, US, German, and Japanese companies; and it's not just publicised breaches like the mislaid HMRC CDs, or the lost MoD laptop last January that are fanning the flames of concern. Organisations that bother to check are finding that considerable quantities of data are trotting out through the staff entrance.

Trend's Corporate End User Study 2008, which surveyed 1,600 corporate end-users, found that the loss of proprietary company data and information was ranked as the second most serious threat at work, following viruses. Respondents considered this to be 'more serious' than most other threats such as spam, spyware, and phishing.

Many blamed and shamed when it comes to corporate data leaks. While 6 per cent of end-users admitted to having 'leaked' company information, 16 per cent believe other employees caused data leaks.

The reasons why data leaks out of an organisation vary. Sometimes the data leaves as part of standard business practice, sometimes it is misappropriated on the off-chance that it might have some value to the filcher or to competitors; some data is probably filched just because it is there.

The rise could also be partly due to the fact that many organisations have started to take data leakage more seriously since the headline stories of data loss over the last two years. The headline scandal stories may also be turning the heads of staff who hitherto would not have thought of using their access to corporate data for illicit purposes.

What is sure is that staunching internal data loss poses as big a challenge as attacks by outsiders. "The risk-split used to be 80-20 in external's favour," says Andy Jones, principle research consultant at industry body the Information Security Forum (ISF). "Now I'd say it's more 50-50."

The proliferation of technologies that enable easy data transport makes misappropriation a doddle. Lost laptops and optical media (CDs and DVDs) are well publicised (although wider awareness hasn't halted the laptop problem - research by the Ponemon Institute suggests that 175,000 laptops go missing in Europe's major airports each year); the potential for storage devices like USB sticks and MP3 players to be used for data theft poses bigger problems for IT security administrators.

Mobile risks

And don't forget Web email, which enables employees to attach unprotected files from insecured corporate drives to external mail accounts accessed via company browsers. Just like external threats, internal data leakage is a confluence of different and often disassociated factors at play.

With the rise of the mobile enterprise and working practices that leave employees spending less time tied to the base office, levels of data leakage are bound to worsen, predicts Gil Sever, CEO at Safend. And the problem does not stop just because people are on vacation.

"More and more corporate workers - from senior execs to office administrators - are making 'disconnected holidays' a thing of the past, and no longer leaving productivity tools at home, making themselves accessible and business-aware even while traveling," he says. "As the number of vacationers taking their laptops and devices poolside increases, so does the risks to corporate data."

Faced by this panoply of potential breaches, data owners "have to be realistic", says the ISF's Andy Jones: "In truth they should expect data to leak. So many routes out of the building exist that it's impossible to stop it. Addressing the problem lies in deciding which data loss you can live with, and which data loss hurts the business."

Rather than expend expensive resources in lockdown procedures, organisations should first apply a value to their data assets, so that their 'crown jewels' can be identified and be most protected. Then values can be applied to surrounding data by association. But, adds Jones, most organisations are remissive toward classifying their data: "The state of the art is poor. Data classification is not that sexy, to be honest, and it can prove difficult to get colleagues excited about a business case for valuing data. There's just too much of the stuff, and the task is too daunting."

When this happens it's easier to address the problem by focusing on technological palliatives, argues CA's Mike Small, because data leakage should be seen as a business problem to be addressed by business processes - and not by the IT function. "Take access privileges. Discriminating between mandatory access and discretionary access is a business issue: yet often it is the IT administrator who assigns status."

Staff access

Tackling internal risk management issues such as controlling senior staff's previously unchallenged access to critical information and also privileged access for company administrators is difficult: "These are often not properly managed but both are a potential risk to the business," Small avers. "Data leakage happens at all levels [of the corporate hierarchy]. You have to decouple access from status."

An associated thorny issue to beware of is 'entitlement creep', where staff change role within an organisation, but their existing entitlements remain, allowing continued system access to data which is no longer pertinent to their new role. CA's Small says that IT departments could do much to reduce data leakage by shoring-up internal IT security procedures with the practice standards of ISACA's COBIT IT governance standards, as well as those of an ITIL IT service management documentation. "Implementing these tools would go a long way to staunching data leakage," he believes.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them