Friday, March 23, 2007

Data Leakage: How can you prevent it?

Would it surprise you if I told you that far more than 50% of all security breaches stem from internal sources? It's true. At the end of the day, your employees pose a far greater risk to your security than any external threat does.

If you are anything like most of the business owners I speak to, you're thinking, "Not MY employees. I can trust my team." Of course you can trust your team - to a point. But the fact of the matter is that security holes and breaches occur primarily due to lapses in good security practices by company employees.

Sometimes these are malicious acts, but most often, they are accidental. They come from the receptionist who leaves his password on a sticky-note under his mouse pad ... or the software engineer who leaves her laptop in the back of her unlocked car while she runs into the supermarket ... or the executive who emails files with sensitive information to her home email address so she can be productive over the weekend.

Now ask yourself again - could any of these situations happen to you?

"Data leakage" is the industry term used to describe these types of breaches. While you and your employees may not realize that you're doing anything dangerous, your company's and clients' data is exposed. As a business owner, you have a responsibility under the law (and as a matter of basic ethics) to adequately protect your sensitive data. So how can you prevent data leakage?

Awareness
The most important aspect of preventing data leakage is training your employees regarding behaviors that could lead to leaks. Proper training will help employees to:
  • Understand how leaks occur
  • Internalize how those leaks create risk for the company, their clients and themselves
  • Accept responsibility for preventing leaks from their own behavior and helping other employees to avoid risky behavior as well
  • Alert appropriate management should they identify potential data leaks, whether malicious or accidental

This training is necessary for ALL employees - not just your IT team. Whether they work on the loading docks, in a cube or in the corner office, each of your employees can help protect the company from data leakage.

Technology
While training is the most important aspect of preventing data leakage, there are technology solutions that can help:

  • Email Controls. These solutions include limiting outgoing attachment sizes, lexicons that analyze outgoing email for confidential information and email encryption tools. The point is, most email traffic is inherently insecure. So the first step is to limit the sending of confidential data to a bare minimum, and second, to protect that data as it is sent.
  • Device Controls. Oftentimes, malicious data leakage occurs when an employee downloads confidential data to an easily transportable device - like a USB key drive. Your IT administrators can regulate the use of these devices to prevent such incidents from occurring.
  • Data Controls. Most importantly, your confidential data should only be accessible by employees who MUST have access to it - and then they should only have access to the specific data that they need. Too often, we discover databases and systems where people throughout the organization are given carte blanche permissions to access anything and everything. You should be regularly reviewing who has access to what resources and whether they still require such access.
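As an added example (not part of the original post), here is a small Python script that performs the kind of access review the Data Controls item recommends: it takes a constructed entitlement export and a hypothetical role-to-resource baseline and flags any permission that the employee's role does not require, or that has gone unused for longer than the review window. The export format, the role map and the 90-day window are all assumptions.

```python
from datetime import date

# Constructed sample entitlement export: (user, role, resource, last_used).
# The format and the users are hypothetical, not from any real system.
ENTITLEMENTS = [
    ("alice", "billing", "invoices_db", date(2007, 3, 20)),
    ("alice", "billing", "hr_records", date(2006, 9, 1)),
    ("bob", "reception", "visitor_log", date(2006, 11, 1)),
    ("bob", "reception", "client_files", None),
    ("carol", "engineering", "source_repo", date(2007, 3, 23)),
    ("carol", "engineering", "invoices_db", date(2006, 6, 15)),
]

# Assumed least-privilege baseline: the resources each role MUST have.
REQUIRED_BY_ROLE = {
    "billing": {"invoices_db"},
    "reception": {"visitor_log"},
    "engineering": {"source_repo"},
}

# Date the review is run (constructed) and how long unused access is tolerated.
REVIEW_DATE = date(2007, 3, 23)
STALE_DAYS = 90


def review_access(entitlements, required_by_role, today, stale_days=STALE_DAYS):
    """Return (user, resource, reason) findings for every grant that is either
    not required by the user's role or has not been used within stale_days."""
    findings = []
    for user, role, resource, last_used in entitlements:
        required = required_by_role.get(role, set())
        if resource not in required:
            findings.append((user, resource, "not required by role"))
        elif last_used is None or (today - last_used).days > stale_days:
            findings.append((user, resource, "unused beyond review window"))
    return findings


def run_review():
    """Run the review against the constructed data with the assumed baseline."""
    return review_access(ENTITLEMENTS, REQUIRED_BY_ROLE, REVIEW_DATE)


if __name__ == "__main__":
    for user, resource, reason in run_review():
        print(f"{user:8} {resource:14} {reason}")
```

Each finding is a grant to revoke or to have the resource owner re-justify; grants that are both required and recently used produce no output.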

Policies & Procedures
Finally, you need to establish a documented set of security policies and procedures. This should be a comprehensive collection of materials that establishes the do's and don'ts for how your employees treat confidential materials. Documenting these policies and making them available to your employees accomplishes several key goals:

  • You underscore to your employees how critical security issues are to the business and set a consistent expectation for employee behavior
  • You provide an easily accessible resource should an employee have a question - this is especially important following the awareness training described above
  • You create a document trail that protects you from some liability in the event that an incident occurs and provides a basis for employee discipline when necessary

Data leakage has injured many, many companies - from Fortune 500 enterprises to 5-person financial advisers and physician practices. It's not expensive to protect yourself - it just requires a commitment on your part, some hard work and, for many mid-size companies, the assistance of a knowledgeable advisor. If you feel your company may be at risk, send me an email and we can talk further about steps you can take to protect yourself.

Josh
