Guarding Against Data Loss

In 2013, a U.S. military judge sentenced PFC Bradley Manning to 35 years in prison. His crime, as everyone knows, was leaking confidential information. Manning illegally downloaded data to a CD and gave it to Wikileaks. The intentional release of sensitive information is just one way that data loss occurs within an organization. Sometimes it is unintentional or accidental. Sometimes it is due to plain ole carelessness. Data loss prevention should be a major part of any company’s security strategy.

Protecting Personal Data

Every organization retains confidential data that must be protected. Data loss can result in huge fines from government regulators. It also opens companies to potential lawsuits. A data breach can mean a big hit to the reputation of any business. Guarding personal data is paramount. The industry term for this is personally identifiable information (PII). Such data might include:

• Name
• Date of birth
• Address
• Phone number
• Age
• Race
• Gender
• Credit card information
• Bank account number
• Medical records

According to an article at DigitalGuardian.com, “Failure to secure PII leaves your company open to highly targeted social engineering attacks, heavy regulatory fines, and loss of customer trust and loyalty.” The writer Nate Lord goes on to give a 10-step strategy for securing personal data. He advises to identify all your company’s PII and where it is stored, create an acceptable usage policy, and provide education and procedural guidance for employees.

How Data Loss Happens

There are many scenarios where data leakage can occur. Perhaps the most obvious is the use of email. Anyone who has watched political news over the past few years knows how important following email policies can be. One of the most common ways people subject confidential data to loss or leakage is by sending it to external email addresses. It may seem innocent to send work to your private email so that you can work on it from home, but it’s not advisable. It could cost you. Best to keep work on your work email account.

One of the most common ways people subject confidential data to loss or leakage is by sending it to external email addresses.

How about portable storage devices? Manning used a CD. Edward Snowden captured top secret information on a USB device. Some companies disable USB on their computers. At the very least, the use of portable storage for company data should be addressed in policy.

Some people find cloud storage solutions like Dropbox or Google Docs to be very helpful and convenient. But they should be used with caution. It doesn’t make sense to put PII or other sensitive material on external cloud platforms. Any such use should only be done with approval from management and IT security personnel.

Other Sensitive Data

Personal data is not the only sensitive information to be protected. Many employees and contractors are asked to sign something called a Non-Disclosure Agreement (NDA). Companies want to keep their secret information secret. And the scope of this material can be broad. Internal policies are another way that workers are held to account for their handling of information.

Sometimes the greatest asset for a business is its knowledge. Whether it’s Kentucky Fried Chicken’s secret recipe or the latest data center technology methods, a company’s know-how often sets them apart from competitors in the market. Release of proprietary information — industrial secrets — can be damaging. Internal design documents and communication shouldn’t be discussed or distributed outside the halls of the workplace.

Financial data is also closely guarded. Some information may be required for public disclosure, especially in public-held companies. But the rest is no one else’s business. And of course, account information at financial institutions is highly confidential.

Data Loss Prevention (DLP)

In recent years data security experts have placed a greater focus on data loss prevention. Companies that sell security products have developed DLP tools and techniques to address the issue. As part of the strategy to prevent data loss, it helps to recognize that data exists in three states:

• Data in use
• Data in storage
• Data in transit

Another concept is the endpoint. DigitalGuardian offers some guidance:

“Endpoint security is the process of securing the various endpoints on a network, often defined as end-user devices such as mobile devices, laptops, and desktop PCs, although hardware such as servers in a data center are also considered endpoints.”

We live in a mobile computing world these days, and these end devices are vulnerable. A leak of data is no longer a matter for internal operations. Any remote worker using a hotspot in a cafe can also be a target.

So how can sensitive data be protected from loss or leakage? DLP attempts to block all those ways that data can escape. There are the standard tools such as intrusion detection software (IDS) and anti-virus protection. But there is also software that can inspect email or other data in transit and mask sensitive information. For instance, if a social security number is recognized, it might be changed to xxx-xx-xxxx.

Conclusion

There is no single answer to the risk of data loss for your organization. Rather, it’s best to take a multi-pronged approach. That means developing sound information control policies, an employee education curriculum, and legal and personal accountability. It means doubling down on enforcement of acceptable use practices. And it means ensuring you have the right software solutions to handle the problem. And even with all that, there are no guarantees. Did you hear about the former government official who walked out of the National Archives with classified material stuffed down his pants?