- How internal data breaches happen
- How internal data breaches can be prevented
Since the introduction of data protection laws it has been mandatory for all UK businesses to protect sensitive data, making it imperative they evaluate potential threats and prevent accidental data loss. The repercussions of a confidential data breach could affect a business' customer loyalty, reputation and competitive advantage. It is the responsibility of company executives and their IT departments to ensure that company data, wherever it resides, remains within the company. To do this, executives need to understand how internal data breaches occur and support IT administrators in efforts to lock networks.
There are numerous outlets for data on the modern PC, including USB and Firewire ports, CD and DVD recorders and even built-in storage media slots. Combined with the fact that storage space on portable devices has rapidly increased, business professionals can now use personal storage devices, such as USB memory sticks, iPods, digital cameras and smart phones, to remove or copy sensitive information either for malicious intent or personal gain.
This type of method is also known as "podslurping", whereby an employee downloads a large amount of important data to their iPod or MP3 device. The USB port can extract data at high speed in a variety of ways, including removable hard drives and media players. This makes the USB port one of the most vulnerable points of attack for stealing sensitive and confidential data such as customer records, bank account numbers, patient medical records and internal account information.
Another growing threat is "bluesnarfing", which involves the theft of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs.
So how can organisations reduce the risk of employees walking away with data?
Organisations need to take a proactive approach and prevent potential breaches while dealing with the challenge that USB storage devices are heavily relied on by businesses to conveniently transport and transfer data.
Developing a rigid "no-use" policy could hamper normal business operation for many employees, such as remote workers. The solution is a compromise developing strict policies for USB port use on a user-specific basis, rather than prohibiting the use of all portable devices.
Through third-party software, IT administrators have the power to be more granular when setting policies. For example, policies can be set to allow "read-only" access on available devices for a specific set of users, while completely allowing (or denying) access for others. Further, these policies can be applied to both local and remote users. Businesses should look for software solutions that can lock all possible avenues of data leakage, and put permissions and policies in place to control who has access to which files, where and when.
In addition, it is important IT administrators can report and track data breaches. Central collection of an audit trail enables administrators to see all attempts at restricted activities including: the person involved the type of activity and when and where the breach was attempted.
The implementation of a strong and flexible security policy is essential to creating a healthy balance between organisations and employees. In the end, a high-quality third party security software solution can provide rules and permissions that are understandable to both the employee and those implementing them so that data is prevented from leaving the office.