July 2016 – Data Leakage, This Time it’s Personal

Almost daily the media shares stories of confidential information being disposed of in park bins, laptops being found in taxis and passwords being published on the internet. While this is undoubtedly concerning, it is often the data loss resulting from employee behaviour that poses a much more extensive threat.

Historically, data was deemed secure within the physical perimeter of an organisation; however, technology continues to change the landscape on a daily basis. Take, for example, a 4GB key-ring-sized USB device capable of storing 10,000 Word documents. These USB devices make it easier for data to be downloaded and to trickle out beyond the perimeter. The changes in technology and internet usage make it a near-impossible task for data security to be the responsibility of one member of staff or a select few.

Careless Whispers
Data leakage through hackers exploiting known vulnerabilities is well publicised. Less so is the threat from employees discussing projects on trains or in airport lounges, unknowingly providing competitors with confidential information. Deterring the discussion of sensitive information in public is by no means a new idea – the Second World War ‘Loose Lips’ and ‘Careless Talk’ propaganda posters clearly convey the message. Although the threat today may not seem as tangible, consider the implications for a small company that loses a key project after a competitor happens to eavesdrop on a conversation.

Protection, Protection, Protection
Data capture by hackers can occur through employees using unapproved applications on corporate networks. Personal email is the most common such application, followed closely by online banking and shopping. These applications pose a risk as they are rarely monitored and are non-compliant with company security standards.

The risk from employees occurs where they use laptops or smart devices to access company information. There is the risk, for example, that these devices will be left on a train.

Whilst access to most company laptops is protected by username and password requirements, all too often smart devices, e.g. iPads or BlackBerrys, are unprotected, and the information on the device can therefore be accessed easily.

There are a number of steps that can be taken to tackle the issues of data leakage, including:

  • Create awareness training that is suitable and applicable to the employees – one size does not always fit all
  • Reinforce training by providing tools that enable security best practice including refresher training, awareness posters, alerts and updates
  • Establish and maintain a culture of security; this includes everyone taking responsibility for security
  • Ensure security policies are appropriate, communicated and enforced – keep them simple and universally comprehensible
  • Continuously evaluate the risk to maintain an understanding of the threats
  • Enforce encryption on mobile devices and only authorise use of smart devices if they have password protection
  • Executives and senior management should be seen to demonstrate security best practice – lead by example

There is no magic pill or single solution to data leakage, as the threat is more often executed by individuals who may not understand the implications of their actions than by an employee with malicious intent.

Therefore, the challenge is to make the awareness understandable and memorable, resulting in opportunities for leakage being reduced and an end to media stories of people mislaying laptops or smartphones.