Since the introduction of data protection laws it has been
mandatory for all UK businesses to protect sensitive data, making
it imperative they evaluate potential threats and prevent
accidental data loss. The repercussions of a confidential data breach
could affect a business' customer loyalty, reputation and
competitive advantage. It is the responsibility of company
executives and their IT departments to ensure that company data,
wherever it resides, remains within the company. To do this,
executives need to understand how internal data breaches occur and
support IT administrators in efforts to lock down networks.
How internal data breaches happen
There are numerous outlets for data on the modern PC, including
USB and Firewire ports, CD and DVD recorders and even built-in
storage media slots. Combined with the fact that storage space on
portable devices has rapidly increased, business professionals can
now use personal storage devices, such as USB memory sticks, iPods,
digital cameras and smart phones, to remove or copy sensitive
information either for malicious intent or personal gain.
This technique is also known as "podslurping", whereby an employee
downloads a large amount of important data to their iPod or MP3
device. Data can be extracted through the USB port at high speed in
a variety of ways, including via removable hard drives and media
players. This makes the USB port one of the most vulnerable
points of attack for stealing sensitive and confidential data such
as customer records, bank account numbers, patient medical records
and internal account information.
Another growing threat is "bluesnarfing",
which involves the theft of information from a wireless device
through a Bluetooth connection, often between phones, desktops,
laptops, and PDAs.
How internal data breaches can be prevented
So how can organisations reduce the risk of employees walking
away with data?
Organisations need to take a proactive approach and prevent
potential breaches while dealing with the challenge that USB
storage devices are heavily relied on by businesses to conveniently
transport and transfer data.
Developing a rigid "no-use" policy could hamper normal business
operation for many employees, such as remote workers. The solution
is a compromise: developing strict policies for USB port use on a
user-specific basis, rather than prohibiting the use of all
portable devices.
Through third-party software, IT administrators have the power
to be more granular when setting policies. For example, policies
can be set to allow "read-only" access on available devices for a
specific set of users, while completely allowing (or denying)
access for others. Further, these policies can be applied to both
local and remote users. Businesses should look for software
solutions that can lock all possible avenues of data leakage, and
put permissions and policies in place to control who has access to
which files, where and when.
In addition, it is important that IT administrators can report on
and track data breaches. Central collection of an audit trail enables
administrators to see all attempts at restricted activities,
including the person involved, the type of activity, and when and
where the breach was attempted.
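
The user-specific device policy and central audit trail described above, modelled in Python as an added example (it is not from the original article or from any particular product). The group names, device classes and host names are constructed for illustration, and the default-deny rule for unlisted pairs is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

DENY, READ_ONLY, FULL = 0, 1, 2  # access levels, least to most permissive

@dataclass(frozen=True)
class AuditEvent:
    when: str          # UTC timestamp of the attempt
    user: str          # the person involved
    host: str          # where the attempt was made
    device_class: str  # e.g. "usb-storage", "cd-dvd", "bluetooth"
    operation: str     # "read" or "write"
    allowed: bool

@dataclass
class DeviceControl:
    policy: dict                               # (group, device_class) -> level
    audit: list = field(default_factory=list)  # stands in for a central collector

    def check(self, user, group, host, device_class, operation):
        """Decide one access attempt and record it, whether allowed or not."""
        if operation not in ("read", "write"):
            raise ValueError(f"unknown operation: {operation!r}")
        # Assumed default deny: a group/device pair with no rule gets no access.
        level = self.policy.get((group, device_class), DENY)
        allowed = level >= (READ_ONLY if operation == "read" else FULL)
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(AuditEvent(when, user, host, device_class, operation, allowed))
        return allowed

    def blocked_attempts(self):
        """Audit view: every attempt at a restricted activity."""
        return [e for e in self.audit if not e.allowed]

# Constructed sample policy; group names and device classes are illustrative.
SAMPLE_POLICY = {
    ("finance", "usb-storage"): READ_ONLY,  # may read from sticks, not copy to them
    ("remote-sales", "usb-storage"): FULL,  # remote workers who rely on USB transport
}

if __name__ == "__main__":
    dc = DeviceControl(SAMPLE_POLICY)
    dc.check("alice", "finance", "LAPTOP-01", "usb-storage", "read")
    dc.check("alice", "finance", "LAPTOP-01", "usb-storage", "write")
    dc.check("carol", "engineering", "DESK-07", "bluetooth", "read")
    for e in dc.blocked_attempts():
        print(e.when, e.user, e.host, e.device_class, e.operation, "BLOCKED")
```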
The implementation of a strong and flexible security policy is
essential to creating a healthy balance between organisations and
employees. In the end, a high-quality third-party security software
solution can provide
rules and permissions that are understandable to both the employee
and those implementing them so that data is prevented from leaving
the office.