Arguably an organisation's most vital asset is its databases, which often contain financial information, customer and employee data and intellectual property. Many articles have examined the risks posed by data being exposed and the potential damage caused.
In addition, external threats have long been recognised, with billions of pounds spent strengthening defences against them, yet there is little acknowledgment of the very real threat from within. The statement 'don't leave your valuables on show' is a simple principle, so why is it so often ignored by businesses?
It is proven to be easier to bribe someone on the inside (or even implant them there) to gain access to sensitive data. Leaving this risk aside, how often has someone left your organisation taking company stationery with them? Do you know what else has been taken? Could they have sneaked out with sensitive material? What about a copy of the entire corporate database? Would you even know if they had?
Below are some of the most common techniques individuals will employ to copy sensitive data:
Legitimate access, inappropriate use
Let's be realistic: employees need to have access to corporate data in the normal course of their duties. Increasingly, this need is 24 hours a day, seven days a week and is not restricted to within the corporate walls or to company-owned devices. It is this need that is opening up one of the biggest and fastest-growing weak points for businesses, as data seeps out via unprotected endpoints. The company is unaware that a significant number of these exist, or they are simply outside the company's domain, such as private USB sticks or iPods.
To illustrate, an employee in sales may need to legitimately access customer records while on or off site while another employee in the marketing department may need to access the marketing plans for a new product launch. However, there is no viable reason for these different employees and departments to be able to access all of this information and do the same things with it. In many instances, the company may be legally obligated to limit access to information on a need-to-know basis.
Access must be restricted to just the records that are needed to perform the task, with control over which bits of each record can be viewed, combined with limiting what can be done with the record.
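The three controls in that paragraph (which records, which fields, which actions) can be expressed as one deny-by-default policy check. This is an added example, not part of the original article; the roles, field names, policy table and customer rows are constructed for illustration.

```python
class AccessDenied(Exception):
    """Raised when a role is unknown or the action is not permitted."""

# Constructed sample data standing in for the corporate customer database.
CUSTOMERS = [
    {"customer_id": 1, "name": "Acme Ltd", "phone": "555-0101", "region": "North",
     "segment": "retail", "credit_limit": 50000, "account_owner": "alice"},
    {"customer_id": 2, "name": "Birch plc", "phone": "555-0102", "region": "South",
     "segment": "wholesale", "credit_limit": 90000, "account_owner": "bob"},
    {"customer_id": 3, "name": "Cedar & Co", "phone": "555-0103", "region": "North",
     "segment": "retail", "credit_limit": 20000, "account_owner": "alice"},
]

# Hypothetical need-to-know policy: per role, which rows, which fields, which actions.
POLICY = {
    "sales": {       # sees contact details, but only for their own accounts
        "rows": lambda user, rec: rec["account_owner"] == user,
        "fields": {"customer_id", "name", "phone"},
        "actions": {"view"},
    },
    "marketing": {   # sees every row, but no identifying fields
        "rows": lambda user, rec: True,
        "fields": {"region", "segment"},
        "actions": {"view", "export"},
    },
}

def fetch(user, role, action, records=CUSTOMERS):
    """Return only the rows and fields this role may use for this action."""
    policy = POLICY.get(role)
    if policy is None:                      # unknown role: deny by default
        raise AccessDenied(f"no policy for role {role!r}")
    if action not in policy["actions"]:     # e.g. sales may view but not export or print
        raise AccessDenied(f"{role} may not {action} customer records")
    return [
        {field: value for field, value in rec.items() if field in policy["fields"]}
        for rec in records
        if policy["rows"](user, rec)
    ]

if __name__ == "__main__":
    print(fetch("alice", "sales", "view"))
    print(fetch("carol", "marketing", "export"))
```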
It would be prudent to employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data. Additionally, if there is no reason why employees should need to make an electronic copy of these records - be it to a corporate or personal endpoint such as a CD, a USB/memory stick, an iPod or even a BlackBerry - then they should not be able to do so. If there is a valid reason why they need to make a copy, then it should be force-encrypted with a solution that does not impede the system, regardless of the device it is stored to, to ensure the integrity of the data is protected once away from the safe corporate environment.
By the same token, if an employee does not need to print a copy of the data then they should not be able to do so, and even if they do need to, this should be regulated. An alarm bell should be sounded if someone does print the entire database, and a means deployed to ensure that it is not removed from the premises.
Another way to identify if an employee is abusing their access rights is if their usual behaviour alters and they suddenly start accessing a greater number of records than usual for longer, or even shorter, periods of time. This could indicate that they are writing the records down in some format to bypass any security restrictions in place.
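One way to flag this kind of change is to compare each session with the user's own history. The following is an added example, not part of the original article; the user names, history values, minimum history length and the three-standard-deviation threshold are all constructed assumptions.

```python
from statistics import mean, stdev

MIN_DAYS = 5       # assumed minimum history before a baseline is trusted
THRESHOLD = 3.0    # assumed alert threshold, in standard deviations

# Constructed sample history: per user, one (records_accessed, session_minutes)
# pair per working day.
HISTORY = {
    "asmith": [(40, 55), (35, 50), (42, 60), (38, 52), (45, 58)],
    "bjones": [(120, 200), (110, 190), (130, 210), (125, 205), (115, 195)],
}

def deviation(value, samples):
    """Distance of value from the sample mean, in standard deviations."""
    sigma = stdev(samples) or 1.0   # avoid dividing by zero on a flat history
    return (value - mean(samples)) / sigma

def review_session(user, records, minutes, history=HISTORY):
    """Return the reasons (possibly none) why this session warrants review."""
    days = history.get(user, [])
    if len(days) < MIN_DAYS:
        return ["no baseline: review manually"]
    reasons = []
    rec_dev = deviation(records, [d[0] for d in days])
    min_dev = deviation(minutes, [d[1] for d in days])
    # Record volume only matters when it rises above the user's norm.
    if rec_dev > THRESHOLD:
        reasons.append(f"records accessed {rec_dev:.1f} sd above usual")
    # Session length is checked in both directions, as the article suggests.
    if abs(min_dev) > THRESHOLD:
        direction = "longer" if min_dev > 0 else "shorter"
        reasons.append(f"session {abs(min_dev):.1f} sd {direction} than usual")
    return reasons

if __name__ == "__main__":
    for session in [("asmith", 41, 54), ("asmith", 400, 20), ("newhire", 10, 10)]:
        print(session, review_session(*session))
```

Users with too little history are returned for manual review rather than silently passed, since a new account has no norm to deviate from.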
In the case of a disgruntled employee determined to cause mischief, records could be altered or, even worse, deleted, thereby damaging the reliability of the data.
Another danger is an employee who wishes to steal a copy of a database attaching it to an email and sending it out legitimately through the corporate gateway. A savvier employee, worried about leaving a trail, may try to bypass this by uploading the file to an external system, such as Yahoo, Hotmail or a hosted document storage and management solution.
There have been a few instances of people seeking employment in order to steal data to order, or even of an employee being persuaded to divulge corporate secrets for financial gain.
Opportunistic access
There are some risks that aren't hi-tech and are therefore harder to detect and even harder to protect against. For example, the business case for a printed hard copy of sensitive records needs to be strong, as an opportunist may access this and make a photocopy of it, completely undetected.
Another increasingly recognised threat is the mobile employee, justifiably working while travelling, whether on the train, in a service station or in another location, with someone looking over their shoulder and making a note of material displayed on the screen.
One further, really obvious, risk is writing down and/or sharing passwords. This is a truly naïve practice, with no justification, yet it is still widespread today.
Illegitimate access
The easiest, yet most inexcusable, way for data to be violated is by an ex-employee whose access rights have not been revoked in a timely manner accessing the network remotely, perhaps initially just to see if they can, and then being tempted into taking liberties with this oversight.
Another potentially soft target is a portable endpoint, such as, but not limited to, a laptop, BlackBerry or USB/memory stick, that is misplaced or stolen. Should the device be unprotected, any data stored on it is exposed. Additionally, in the case of a laptop or BlackBerry, it may provide a back door to the corporate network.
It may seem like a nightmare, with so many trusted employees out to steal your most vital asset, yet there are ways to mitigate these risks:
- Restrict access to only those employees who need it and limit what they can see, and what they can do, with the records
- Appropriately monitor employees' behaviour, ideally setting control mechanisms to flag any significant deviations from the norm
- Employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data, and that force-encrypts information when it is removed, legitimately or illegitimately, from the safe environment of the corporate network
- Do not make unnecessary hardcopies of records or leave them unsecured
- Educate the mobile workforce to the risks posed by their activities and the devices that they use
- When an employee leaves, ensure all access rights are revoked immediately
- Never leave a written record of passwords
- Perform background checks on new employees, including contractors and any periodic workers. It may be prudent for these checks to be conducted at regular intervals to ensure that nothing has changed, as is the case for those working with children via the Criminal Records Bureau
- Never leave data security up to the end user. It is imperative that this is controlled and managed centrally, which can also reduce TCO (total cost of ownership) as machines don't need to be locked down or brought in to the office to update them
- Corporate governance requires you now to have security and to be able to prove it. Use a solution that includes a central management console; that way every machine is protected and can be tracked