Our motto: "Solutions...Not More Problems" reflects our attitude towards the completion of each and every project we work on. We'll tell you the way it is by giving you the straight answers. We don’t pull any punches and answer all your questions, allowing you to make an informed decision on how to proceed the best way for your business.


28th Sep 2008

Data Leakage And You

All businesses have sensitive data. While it’s assumed that the employee list, profit margins, and customer purchasing information are sensitive, most businesses forget things like their client lists, vendors and suppliers, and marketing data when considering what is key data.

Never believe that your business data isn’t of interest to people outside your business.

In today’s world of inexpensive thumb and pocket drives, data-capable smart phones, iPods (Yes…iPods! An iPod can be set to hard drive mode, where you can use the iPod as a storage device for PCs and Macs.), and large-storage web mail, moving data from point A to point B is becoming simpler.

To truly have protection from data leakage, the detection tools have to be placed on the workstations as well as the server and network. Most large organizations have their networks set up to capture unauthorized data collection attempts; however, the servers and workstations are typically left alone (or better said, left to the standard security of the operating system).

Businesses assume that the confidential information employees use daily is secure…through various means such as policies, system configurations, etc.

What is forgotten is that people will invariably find workarounds to get access to the data.

An example I’ll use is from a company I worked for in the past. The finance people started making and using spreadsheets that detailed sales commissions they could share amongst people in and out of the finance group because not everyone interested in sales commission data had access to it (the company’s procedure to get access to financial data was tedious at best). Later on, this spreadsheet got to our largest competitor who used the numbers in a campaign ad to show how we overcharged for the same services.

Another example was a client who wanted us to lock out an employee that was leaving because the reason the person was hired was that the person came to them with their competition’s information and the client did not want that happening to them now that that person was leaving their firm.

What value would you place on the above examples? How does a business prevent data getting away from the business to outsiders?

The hard truth is…securing against data leakage is not easy.

This TechRepublic article lists some simple data leakage protection strategies, making it a good place to start: http://articles.techrepublic.com.com/5100-10878_11-5293877.html

Now what happens if you suffer a breach of information? The loss of large volumes of protected information has become a regular headline event, forcing companies to re-issue cards, notify customers, and mitigate loss of goodwill from negative publicity.

With these headlines come increasing regulatory compliance requirements for businesses, such as HIPAA in health and benefits, GLBA and Sarbanes-Oxley in finance, and Payment Card Industry DSS standards. Many of these regulations stipulate regular audits, which businesses can fail if they lack suitable security controls and due-care (process) standards. These same regulations also carry significant penalties in the event of a breach.

Your data is valuable to your business, and its safekeeping is vital to maintaining a good reputation. In addition, much data, such as personal healthcare information and financial information, is protected by federal or state legislation, and its exposure, whether intentional or not, can lead to significant fines.

Luckily, data leakage can be prevented through standard precautions such as strictly enforced authentication and authorization, and tools (beginning at the workstation level).

1 Response »

  1. Dan Waldron
    September 28, 2008 | 3:16 pm

    I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!

     


