I have been to a number of conferences over the recent months and the issue of data leakage and the potential for intellectual property (IP) theft has been discussed at all of them, writes Peter Wenham. It is a hot topic and is one of those areas that is easy to identify, but rather more difficult to control.
The advent of bring-your-own-device (BYOD) projects only serves to increase the richness of the mechanisms available for the unintended export of a company’s IP. While copying files to a floppy disk may well have disappeared along with the Dodo, it has been replaced by the USB memory stick. I have deliberately ignored the use of CD and DVD disks as a USB stick is far easier to use and these days has a far greater capacity (£5.99 will now buy a 16Gbyte USB stick) and one should not forget smartphones which can be connected to a PC using the same USB connection.
Email is another conduit for data loss, either intentionally or by accident. Here IP can be typed into an email or a file attached and sent outside of the company (deliberate) or an email can accidentally be sent to a wrong recipient (eg use of auto complete for a recipient's email address). Another issue is where an employee sends a file to a home email address with the intention of working on the file, say over the week-end. The home PC may be shared and/or may be harbouring malware. Other conduits for data loss include taking IP away in written or printed form, although the modern version of this is an employee using a personal device to access social media and posting company information.
Using a USB device or sending an email with an attachment requires taking data from a company’s system directly and therefore technical controls can be deployed to control or eliminate data leakage. The effectiveness of a selected control will vary depending on how it is configured and a company’s view on the use of technology. An example is that you can turn off USB access on a PC or force the use of BitLocker on a USB memory device via Active Directory policies. There are third-party software products that can be installed on a PC to restrict USB usage to known devices only. Email gateways are available to monitor what is being sent and quarantine messages violating set rules. However these tools are only as good as their configuration and deployment will allow. But none of these techniques are effective where data leakage is occurring, because employees are transcribing data into a medium not under company control (eg use of personal smart ‘phone and social media).
Is there an effective strategy for controlling data leakage/IP theft? Certainly there is no “one size fits all” or silver bullet. Yes, the deployment of technical measures – such a controlling USB usage and/or the monitoring of data content in emails – should be considered in the light of business need and business risk, while the role of awareness, education and training should not be under estimated. But I suggest that one measure that should be addressed is “need to know” or “least privilege”.
Does everyone in a company need to see everything on a network? By identifying user roles (eg HR, accounts, system admin, departmental management, sales etc.) and the data assets that each role needs to access in order to do their job, file access permissions can be identified and technically implemented. By controlling the access to data, you are reducing its availability to be leaked and by tying data access to specific roles, you are improving accountability.
Other measures include ensuring that network privileges are appropriate to a person’s role, eg users should not have local administrator privileges on their PC; and system administrators should have two accounts, one normal user account for day-to-day office tasks and one for administering systems. Ensuring systems and PCs are patched with the latest security fixes and running up-to-date antivirus software is another measure that needs to be included as part of an overall strategy.
Controlling access to the internet is yet another area worth considering, for example a marketing department may need access to social media during the working day, but do all employees need such access? Could access be turned off or restricted to the lunch hour, or should an “internet café” be created for employee use while implementing very tight controls on the company network? Is internet access needed (limited or not) outside of normal working hours? Given that many people these days own a smartphone with a 3G type contract, is tightly controlling internet access such a bad thing?
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
Read more about halting IP theft
This was first published in October 2012