The Great Data Exodus

21/06/2007 Written by Nick Lowe

 The lat­est tech­nolo­gies and gad­gets make it incred­i­bly easy for your data to be stolen from right under your nose, unless you take steps to pro­tect it.

Much of our per­sonal and pro­fes­sional lives nowa­days are heav­ily influ­enced by tech­nol­ogy. Everything’s going dig­i­tal, from the cas­sette player to the pic­ture frame. And whether a tech­nol­ogy is designed to help us com­mu­ni­cate, to take pic­tures, or to lis­ten to music or watch a movie, every gad­get that we carry has the abil­ity to store large amounts of data in dig­i­tal form.

The abil­ity to move mas­sive amounts of infor­ma­tion between tra­di­tional PCs and portable stor­age devices means that it’s now incred­i­bly easy for con­fi­den­tial data to be taken from com­pa­nies with­out knowl­edge or consent.

Inter­est­ingly, the per­pe­tra­tors of such crimes are rarely stereo­typ­i­cal hack­ers, attack­ing sys­tems via the inter­net from their mafia head­quar­ters or their stu­dent dorms. Instead, the data thieves are fre­quently much closer to home. Unescorted vis­i­tors, for exam­ple, or tem­po­rary staff who have joined the orga­ni­za­tion purely to copy data and hand it over to a com­peti­tor. Or, as is becom­ing increas­ingly com­mon, unhappy staff who are about to resign but think it’s a good idea to first take copies of any­thing which might be use­ful in their new job. And lastly, inno­cent employ­ees who sim­ply don’t fol­low secu­rity pol­icy, copy work files to take home and lose the unpro­tected stor­age device.

In the days of Win­dows 1.0, Bill Gates famously said that no one would ever need more than 640 KB of RAM on their PCs. Today, you can buy a 16 giga­byte USB stick that fits on a key ring. Allow­ing a gen­er­ous 10 KB for a page of text, and assum­ing 5 reams of 500 sheets com­prise a box of printer paper, we arrive at an inter­est­ing mod­ern take on Bill’s orig­i­nal quote. You can now carry 640 boxes’ worth of infor­ma­tion in your pocket along­side your keys to the office. Plenty of capac­ity for some­one to walk off with your sales data­base or the source code for your next prod­uct. As to whether any­one will ever need to carry even more, only time will tell.

Unguarded USB ports on today’s PCs are per­haps the biggest threat to cor­po­rate IT secu­rity. As well as the afore­men­tioned USB pen drive, an MP3 player, smart­phone or PDA is a fun­da­men­tal tool of the data thief. Not only can such devices store tens of giga­bytes of data, they can all be quickly con­nected to any PC via a USB cable with­out the need for any dri­ver soft­ware to be installed (and there­fore, with­out the need for the thief to be logged in as an admin­is­tra­tor). A few drags and drops, and the deed is done. Typ­i­cally in just a few sec­onds. Where the amount of data to be stolen is beyond the capac­ity of an iPod or PDA, exter­nal USB dri­ves com­pris­ing half a ter­abyte of stor­age are now avail­able on the high street for less than a hun­dred pounds.

USB devices aren’t the only way in which infor­ma­tion can be stolen elec­tron­i­cally, of course. Most mobile phones nowa­days include a cam­era, which can be used to quickly make an elec­tronic copy of a printed page. Pocket OCR wands and portable scan­ners offer sim­i­lar facil­i­ties to the oppor­tunis­tic data thief who stum­bles across a con­fi­den­tial printed doc­u­ment. Or he could sim­ply make a pho­to­copy of a doc­u­ment and put it in the post. How­ever, using any of these meth­ods to steal large quan­ti­ties of data is sim­ply not prac­ti­cal because of the time required. Con­trol­ling the use of USB devices is of far greater importance.

While the good old dis­grun­tled employee is a prime sus­pect in many data thefts, actions by for­mer employ­ees should also be con­sid­ered in your data pro­tec­tion plans. Do all of your users’ accounts and pass­words get deleted as soon as the per­son leaves the com­pany or changes depart­ment? Fail­ure to delete such infor­ma­tion isn’t just dan­ger­ous, but might also mean that you fall foul of the Data Pro­tec­tion Act by stor­ing per­sonal data that you have no need to retain.

To reduce the prob­lem of data leak­age in your com­pany there are three par­tic­u­larly effec­tive strate­gies. First, ensure that you have a pol­icy which clearly states who is allowed to take data off-​site, and how the data must be pro­tected when it’s away from your premises. Sec­ond, ensure that data doesn’t leave the build­ing with­out your knowl­edge. Finally, ensure that data which needs to be removed from the build­ing is pro­tected so that it can’t fall into the wrong hands.

To con­trol which data files leave your premises in the first place, set up user accounts on servers and work­sta­tions so that employ­ees can’t access infor­ma­tion which they have no need to see. Those in sales and mar­ket­ing, for exam­ple, prob­a­bly don’t need access to the prod­uct devel­op­ment department’s files on the server, so set the access per­mis­sions accord­ingly. Over-​use of rules and reg­u­la­tions can lead to low morale, how­ever, if the work­force feels that it clearly can’t be trusted. Beware of becom­ing seen as Big Brother. It won’t drive the data thieves away but sim­ply make them more determined.

It’s also well worth invest­ing in a port con­trol prod­uct, which can auto­mat­i­cally block USB devices from being con­nected to your sys­tems with­out autho­riza­tion. There are var­i­ous such prod­ucts avail­able, such as Pointsec Pro­tec­tor by Check Point Soft­ware. This also includes trans­par­ent encryp­tion, so that infor­ma­tion copied to USB devices is auto­mat­i­cally ren­dered inac­ces­si­ble to thieves.

Although you will nor­mally want to ensure that none of your con­fi­den­tial files leaves your premises, this won’t always be the case. Some­times, allow­ing staff to take files away is nec­es­sary and ben­e­fi­cial. Sales per­son­nel need access to prod­uct infor­ma­tion when they’re away from the office, and mar­ket­ing peo­ple often pre­pare Pow­er­Point pre­sen­ta­tions for deliv­ery at exter­nal con­fer­ences and sem­i­nars. Staff need to take work home at the week­end if they’re par­tic­u­larly busy, and pre­vent­ing them from doing so will deprive the com­pany of some use­ful effort (not to men­tion all that unpaid overtime).

It’s absolutely vital that you pro­tect infor­ma­tion which is taken off the premises. If a sales manager’s lap­top is stolen from the boot of her car, you need to be sure that the cus­tomer infor­ma­tion on its hard disk can’t be accessed by the thief. If your mar­ket­ing manager’s PDA goes miss­ing while he’s at a con­fer­ence, can you be con­fi­dent that the doc­u­ment con­tain­ing details of next year’s prod­uct launches won’t be acces­si­ble to who­ever buys the stolen hard­ware? The solu­tion to this prob­lem is encrypt­ing data. There are many prod­ucts on the mar­ket, but ensure that the solu­tion you choose is proven, trans­par­ent and auto­matic, elim­i­nat­ing user inter­ac­tion and cre­at­ing a fully enforce­able solu­tion that holds up to the most strin­gent com­pli­ance require­ments. Deploy­ing an encryp­tion solu­tion will improve the level of trust and loy­alty of clients and employ­ees who rec­og­nize that every effort is being made to pro­tect their sen­si­tive data and ensure that a lost or stolen device never results in a data breach.


Share this content: