The Great Data Exodus
21/06/2007 Written by Nick Lowe
The latest technologies and gadgets make it incredibly easy for your data to be stolen from right under your nose, unless you take steps to protect it.
Much of our personal and professional lives nowadays are heavily influenced by technology. Everything’s going digital, from the cassette player to the picture frame. And whether a technology is designed to help us communicate, to take pictures, or to listen to music or watch a movie, every gadget that we carry has the ability to store large amounts of data in digital form.
The ability to move massive amounts of information between traditional PCs and portable storage devices means that it’s now incredibly easy for confidential data to be taken from companies without knowledge or consent.
Interestingly, the perpetrators of such crimes are rarely stereotypical hackers, attacking systems via the internet from their mafia headquarters or their student dorms. Instead, the data thieves are frequently much closer to home. Unescorted visitors, for example, or temporary staff who have joined the organization purely to copy data and hand it over to a competitor. Or, as is becoming increasingly common, unhappy staff who are about to resign but think it’s a good idea to first take copies of anything which might be useful in their new job. And lastly, innocent employees who simply don’t follow security policy, copy work files to take home and lose the unprotected storage device.
In the days of Windows 1.0, Bill Gates famously said that no one would ever need more than 640 KB of RAM on their PCs. Today, you can buy a 16 gigabyte USB stick that fits on a key ring. Allowing a generous 10 KB for a page of text, and assuming 5 reams of 500 sheets comprise a box of printer paper, we arrive at an interesting modern take on Bill’s original quote. You can now carry 640 boxes’ worth of information in your pocket alongside your keys to the office. Plenty of capacity for someone to walk off with your sales database or the source code for your next product. As to whether anyone will ever need to carry even more, only time will tell.
Unguarded USB ports on today’s PCs are perhaps the biggest threat to corporate IT security. As well as the aforementioned USB pen drive, an MP3 player, smartphone or PDA is a fundamental tool of the data thief. Not only can such devices store tens of gigabytes of data, they can all be quickly connected to any PC via a USB cable without the need for any driver software to be installed (and therefore, without the need for the thief to be logged in as an administrator). A few drags and drops, and the deed is done. Typically in just a few seconds. Where the amount of data to be stolen is beyond the capacity of an iPod or PDA, external USB drives comprising half a terabyte of storage are now available on the high street for less than a hundred pounds.
USB devices aren’t the only way in which information can be stolen electronically, of course. Most mobile phones nowadays include a camera, which can be used to quickly make an electronic copy of a printed page. Pocket OCR wands and portable scanners offer similar facilities to the opportunistic data thief who stumbles across a confidential printed document. Or he could simply make a photocopy of a document and put it in the post. However, using any of these methods to steal large quantities of data is simply not practical because of the time required. Controlling the use of USB devices is of far greater importance.
While the good old disgruntled employee is a prime suspect in many data thefts, actions by former employees should also be considered in your data protection plans. Do all of your users’ accounts and passwords get deleted as soon as the person leaves the company or changes department? Failure to delete such information isn’t just dangerous, but might also mean that you fall foul of the Data Protection Act by storing personal data that you have no need to retain.
To reduce the problem of data leakage in your company there are three particularly effective strategies. First, ensure that you have a policy which clearly states who is allowed to take data off-site, and how the data must be protected when it’s away from your premises. Second, ensure that data doesn’t leave the building without your knowledge. Finally, ensure that data which needs to be removed from the building is protected so that it can’t fall into the wrong hands.
To control which data files leave your premises in the first place, set up user accounts on servers and workstations so that employees can’t access information which they have no need to see. Those in sales and marketing, for example, probably don’t need access to the product development department’s files on the server, so set the access permissions accordingly. Over-use of rules and regulations can lead to low morale, however, if the workforce feels that it clearly can’t be trusted. Beware of becoming seen as Big Brother. It won’t drive the data thieves away but simply make them more determined.
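The two account checks described above (leavers whose accounts linger, and staff holding access outside their own department) can be run as a periodic audit. The sketch below is an added example, not part of the original article; the CSV layouts, user names and group names are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an HR export and a
# directory export. Column names and group names are assumptions.
HR_CSV = """username,status,department,left_on
asmith,active,sales,
bjones,left,marketing,2007-05-31
cpatel,active,sales,
dkhan,left,development,2007-06-15
"""
ACCOUNTS_CSV = """username,enabled,groups,last_logon
asmith,yes,sales-files,2007-06-20
bjones,yes,marketing-files,2007-06-18
cpatel,yes,sales-files;development-files,2007-06-19
dkhan,no,development-files,2007-06-14
"""
# Assumed mapping of file-share groups to the department that owns them.
GROUP_OWNER = {"sales-files": "sales", "marketing-files": "marketing",
               "development-files": "development"}

def audit(hr_csv, accounts_csv):
    """Return (username, finding) pairs for accounts that need attention."""
    hr = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user, person = acct["username"], hr.get(acct["username"])
        enabled = acct["enabled"] == "yes"
        if person is None:
            if enabled:
                findings.append((user, "enabled account with no HR record"))
            continue
        if person["status"] == "left":
            if enabled:
                findings.append((user, "leaver account still enabled"))
            left_on = date.fromisoformat(person["left_on"])
            if acct["last_logon"] and date.fromisoformat(acct["last_logon"]) > left_on:
                findings.append((user, "logon after leaving date"))
            continue
        # Current staff: flag groups owned by a department they are not in.
        for group in filter(None, acct["groups"].split(";")):
            if GROUP_OWNER.get(group) != person["department"]:
                findings.append((user, f"holds {group} outside {person['department']}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(HR_CSV, ACCOUNTS_CSV):
        print(f"{user}: {finding}")
```

A logon dated after the leaving date is the finding to investigate first, since it shows the stale account was actually used.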
It’s also well worth investing in a port control product, which can automatically block USB devices from being connected to your systems without authorization. There are various such products available, such as Pointsec Protector by Check Point Software. This also includes transparent encryption, so that information copied to USB devices is automatically rendered inaccessible to thieves.
Although you will normally want to ensure that none of your confidential files leaves your premises, this won’t always be the case. Sometimes, allowing staff to take files away is necessary and beneficial. Sales personnel need access to product information when they’re away from the office, and marketing people often prepare PowerPoint presentations for delivery at external conferences and seminars. Staff need to take work home at the weekend if they’re particularly busy, and preventing them from doing so will deprive the company of some useful effort (not to mention all that unpaid overtime).
It’s absolutely vital that you protect information which is taken off the premises. If a sales manager’s laptop is stolen from the boot of her car, you need to be sure that the customer information on its hard disk can’t be accessed by the thief. If your marketing manager’s PDA goes missing while he’s at a conference, can you be confident that the document containing details of next year’s product launches won’t be accessible to whoever buys the stolen hardware? The solution to this problem is encrypting data. There are many products on the market, but ensure that the solution you choose is proven, transparent and automatic, eliminating user interaction and creating a fully enforceable solution that holds up to the most stringent compliance requirements. Deploying an encryption solution will improve the level of trust and loyalty of clients and employees who recognize that every effort is being made to protect their sensitive data and ensure that a lost or stolen device never results in a data breach.