Information loss from insiders continues to be one of the major threats to organisations, particularly as regulators are now willing to name, shame and fine where significant breaches have occurred. In this tip, we'll focus not only on how to prevent data loss and combat insider threats, but also how to improve enterprise data management and get a better handle on all of your company's data.
Many organisations are deploying data loss prevention (DLP) technologies to counter the risk of both deliberate and accidental disclosure of information. While this technology does a lot to protect against insider threats, some routes to data loss lie beyond its control. Some organisations miss these key human-element aspects of deploying such technologies, making their data less secure than they believe. By considering these factors, organisations can lay a solid foundation for successful enterprise data management and DLP implementation.
Not knowing what data is where
To limit insider threats and prevent data loss, it is essential to both know and be able to control what data is held where, and who has access to it. This can be a difficult task for unstructured data stored on a variety of devices (e.g. servers, desktops, laptops, smartphones or USB sticks) with little or no access controls. In order to gain control over this unstructured data, take the following steps:
- Undertake a data classification exercise, classifying data based on how sensitive it is, and determine which classifications need to be secured. This requires engagement with business units to understand the characteristics of the data types, and for how long each should be held and maintained. The business access control rules for that data should also be established, so that you can define who should have access to what kinds of information.
- For each type of information, determine what the impact of compromise would be to the organisation. The key questions to ask are: What would be the impact if the information were to be disclosed? What would be the impact if the information were to be lost (as in unavailable)?
- Undertake a risk assessment to determine what security controls are needed to protect the most sensitive data. This assessment should evaluate the likelihood of threats to that data, and hence the risk to the organisation. Based on this information, it should be straightforward to decide what security controls are needed. Often it will be necessary to have different security controls for different types of information, or to limit where information is processed so that it is never held on vulnerable devices.
- Implement systems to store and protect data that meet the security requirements laid out by the risk assessment. This may be achieved using a variety of measures according to the needs of the organisation and the nature of the existing information systems, but might range from implementing a new system architecture to deploying specific DLP technologies to meet particular security needs.
Implementing a security architecture in this way will result in sensitive information being stored and processed in well-defined elements of the architecture. However, there is still the risk that sensitive data can 'leak' onto other IT systems. An example would be the employee who extracts some financial information onto his or her laptop to work on at home. So an important control is to analyse the data residing on laptops and other devices to ensure information is only being held where it should be.
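The check described above, scanning endpoints for data that should not be there, is the content-discovery half of DLP. The following is an added illustration, not code from the article or from any DLP product: it walks a directory, looks for payment card numbers (validated with the Luhn checksum so that arbitrary digit strings are not reported) and for classification markings, and reports which files hold what. The marking strings, file names and sample content are constructed for the example; real tooling adds exact-data matching, fingerprinting and many more detectors.

```python
"""Minimal content-discovery scan for sensitive data on an endpoint.

Added example, not from the article. Finds two kinds of 'financial
information' under a directory: payment card numbers (Luhn-checked to
cut false positives) and files carrying a classification marking.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classification markings that (under an assumed policy) must not leave
# approved systems. These strings are an assumption for the example.
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|STRICTLY PRIVATE|RESTRICTED)\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count sensitive-data hits in one document under keys 'card' and 'marking'."""
    hits = Counter()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"] += 1
    hits["marking"] += len(MARKING_RE.findall(text))
    return hits


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Scan every regular file under root; return {relative_posix_path: Counter}
    for files with at least one hit. Large files are skipped, unreadable ones ignored."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = scan_text(text)
        if sum(hits.values()):
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Build a constructed sample home directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as home:
        Path(home, "Documents").mkdir()
        # Constructed content: 4111 1111 1111 1111 is a well-known Luhn-valid
        # test number; the second number fails the checksum and is ignored.
        Path(home, "Documents", "q3-forecast.csv").write_text(
            "CONFIDENTIAL - board only\nname,card\n"
            "A. Smith,4111 1111 1111 1111\nB. Jones,4111-1111-1111-1112\n")
        # A 13-digit order number that is not Luhn-valid: must not be reported.
        Path(home, "Documents", "notes.txt").write_text("Lunch at 12:30, order 1234567890123\n")
        Path(home, "README.md").write_text("Nothing sensitive here.\n")
        return scan_tree(home)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {dict(hits)}")
```

Run against a real home directory the same function reports every file that holds card data or a marking, which is exactly the list needed to decide whether the financial spreadsheet on the laptop is allowed to be there. The Luhn check is the important design choice: without it, every phone number and order reference in the user's files becomes a false positive and the report is ignored.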
Not knowing the size of the problem
To determine whether current security controls are effective or need to be strengthened, it's important to have some idea of the extent to which information is being lost. This is unlikely to be an exact science, but start by considering what should and can be measured. For example, portable devices are a potential vector for information loss, yet many organisations do not know how many mobile devices they have, what IT systems and data those devices can access, to whom they have been allocated, or even whether they have been lost. There are some ways of mitigating these problems, however:
- Maintain a list of assets and who has responsibility for them.
- Regularly audit and update the asset list.
- Report and log loss of assets such as USB sticks.
These steps make it possible to determine how big the risk is from the loss of portable devices and evaluate and justify the implementation of additional controls if required.
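The three steps above only pay off if the register, the loss log and what the endpoints actually see are compared against each other. The following added example (not from the article, with constructed data and assumed field names) does that reconciliation: it reports device identifiers seen in endpoint logs that nobody registered, registered devices whose audit is overdue, devices reported lost that are still being seen on the network, and the loss rate that justifies or rejects further controls.

```python
"""Asset-register reconciliation for portable devices.

Added example, not from the article. Three constructed inputs: the asset
register (what was issued, to whom, when last audited), the loss log
(what was reported lost and when) and the device serials observed by
endpoint logs (e.g. USB devices seen mounting). Field names are assumed.
"""
from datetime import date, timedelta

# Constructed sample data.
REGISTER = {
    "USB-0001": {"owner": "a.smith", "last_audit": date(2024, 1, 10)},
    "USB-0002": {"owner": "b.jones", "last_audit": date(2023, 6, 1)},
    "USB-0003": {"owner": "c.lee", "last_audit": date(2024, 2, 3)},
    "LT-0042": {"owner": "a.smith", "last_audit": date(2024, 2, 3)},
}
LOSS_LOG = {"USB-0002": date(2024, 1, 20)}      # serial -> date reported lost
OBSERVED = {"USB-0001", "USB-0002", "USB-9999"}  # serials seen by endpoint logs


def reconcile(register, loss_log, observed, today, max_audit_age_days=180):
    """Compare the register with the loss log and observed devices.

    Returns a dict with:
      unregistered  - observed serials absent from the register (unknown devices)
      stale_audit   - registered serials not audited within max_audit_age_days
      lost_but_seen - serials reported lost yet still observed (misuse or bad log)
      loss_rate     - fraction of registered assets reported lost
    """
    cutoff = today - timedelta(days=max_audit_age_days)
    return {
        "unregistered": sorted(observed - register.keys()),
        "stale_audit": sorted(s for s, a in register.items() if a["last_audit"] < cutoff),
        "lost_but_seen": sorted(observed & loss_log.keys()),
        "loss_rate": len(loss_log.keys() & register.keys()) / len(register),
    }


def demo() -> dict:
    """Run the reconciliation on the constructed data as of 1 March 2024."""
    return reconcile(REGISTER, LOSS_LOG, OBSERVED, date(2024, 3, 1))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each finding maps to an action: an unregistered serial means the inventory step is being bypassed, a stale audit means the audit step is not being followed, and a lost device that is still seen means either the loss report or the endpoint logging is wrong and someone needs to look. The loss rate is the figure that goes into the risk assessment.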
Lack of security awareness training
Problems can arise from users who have not been properly trained on secure usage of portable devices. Even encrypted laptops and USB sticks can cause issues for organisations if they are left unattended and powered on in a public place: full-disk encryption protects data only while the device is powered off, because once it is unlocked the decryption key is held in memory and the data is readable. The battery life of most laptops would give a thief ample time to try to gain access to one without powering it down.
Users should be trained to lock their screens, requiring a thief to get past the login prompt. This could be easy or difficult, depending on the strength of the password, but it adds another layer of security to the portable device.
Encrypted USB sticks are not a concern when they are unplugged and locked, but if a user loses an unlocked, connected stick, a thief will have no problem stealing data from it. Whilst encryption protects against the loss of data on the device, it provides no protection against a user importing malware via the USB stick, an action that could cause serious security problems within an organisation.
Organisations need to guard against users becoming complacent just because encryption has been deployed; they should understand its limitations.
To prevent data loss caused by insiders, enterprise data management security controls should be deployed consistently across all information and all devices. Remember to put processes in place to record the loss of devices and information where possible; this will enable an organisation to evaluate its security controls on an ongoing basis and augment them with additional controls if needed. Security awareness training is important to mitigating insider data loss as well. It may also be necessary to limit the information on some devices if it cannot be adequately protected by the sum of these efforts.
About the author:
Neil O'Connor is a principal consultant at Activity Information Management Ltd (www.activityim.com).