In 2013, a U.S. military judge sentenced PFC Bradley Manning to 35 years in prison. His crime, as everyone knows, was leaking confidential information. Manning illegally downloaded data to a CD and gave it to Wikileaks. The intentional release of sensitive information is just one way that data loss occurs within an organization. Sometimes it is unintentional or accidental. Sometimes it is due to plain ole carelessness. Data loss prevention should be a major part of any company’s security strategy.
Every organization retains confidential data that must be protected. Data loss can result in huge fines from government regulators. It also opens companies to potential lawsuits. A data breach can mean a big hit to the reputation of any business. Guarding personal data is paramount. The industry term for this is personally identifiable information (PII). Such data might include:
According to an article at DigitalGuardian.com, “Failure to secure PII leaves your company open to highly targeted social engineering attacks, heavy regulatory fines, and loss of customer trust and loyalty.” The writer, Nate Lord, goes on to give a 10-step strategy for securing personal data. He advises identifying all your company’s PII and where it is stored, creating an acceptable usage policy, and providing education and procedural guidance for employees.
There are many scenarios where data leakage can occur. Perhaps the most obvious is the use of email. Anyone who has watched political news over the past few years knows how important following email policies can be. One of the most common ways people subject confidential data to loss or leakage is by sending it to external email addresses. It may seem innocent to send work to your private email so that you can work on it from home, but it’s not advisable. It could cost you. Best to keep work on your work email account.
How about portable storage devices? Manning used a CD. Edward Snowden captured top secret information on a USB device. Some companies disable USB on their computers. At the very least, the use of portable storage for company data should be addressed in policy.
Some people find cloud storage solutions like Dropbox or Google Docs to be very helpful and convenient. But they should be used with caution. It doesn’t make sense to put PII or other sensitive material on external cloud platforms. Any such use should only be done with approval from management and IT security personnel.
Personal data is not the only sensitive information to be protected. Many employees and contractors are asked to sign something called a Non-Disclosure Agreement (NDA). Companies want to keep their secret information secret. And the scope of this material can be broad. Internal policies are another way that workers are held to account for their handling of information.
Sometimes the greatest asset for a business is its knowledge. Whether it’s Kentucky Fried Chicken’s secret recipe or the latest data center technology methods, a company’s know-how often sets them apart from competitors in the market. Release of proprietary information — industrial secrets — can be damaging. Internal design documents and communication shouldn’t be discussed or distributed outside the halls of the workplace.
Financial data is also closely guarded. Some information may be required for public disclosure, especially in publicly held companies. But the rest is no one else’s business. And of course, account information at financial institutions is highly confidential.
In recent years data security experts have placed a greater focus on data loss prevention. Companies that sell security products have developed DLP tools and techniques to address the issue. As part of the strategy to prevent data loss, it helps to recognize that data exists in three states:
Another concept is the endpoint. DigitalGuardian offers some guidance:
“Endpoint security is the process of securing the various endpoints on a network, often defined as end-user devices such as mobile devices, laptops, and desktop PCs, although hardware such as servers in a data center are also considered endpoints.”
We live in a mobile computing world these days, and these end devices are vulnerable. A leak of data is no longer a matter for internal operations. Any remote worker using a hotspot in a cafe can also be a target.
So how can sensitive data be protected from loss or leakage? DLP attempts to block all those ways that data can escape. There are the standard tools such as intrusion detection software (IDS) and anti-virus protection. But there is also software that can inspect email or other data in transit and mask sensitive information. For instance, if a social security number is recognized, it might be changed to xxx-xx-xxxx.
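As an added illustration (not code from any DLP product or from the original article), the sketch below shows the kind of in-transit inspection described above: it masks Social Security numbers in an outbound email body as xxx-xx-xxxx and also lists recipients outside the company domain, the email risk raised earlier. The domain `example.com`, the function names and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own mail domain (placeholder value).
INTERNAL_DOMAIN = "example.com"

# SSN-shaped token: 3-2-4 digits with a consistent '-' or ' ' separator (or none),
# not embedded in a longer run of digits or dashes. Matching bare 9-digit numbers
# catches more leaks but also raises the false-positive rate.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def mask_ssns(text):
    """Return (masked_text, hit_count); plausible SSNs become xxx-xx-xxxx."""
    hits = 0
    def repl(m):
        nonlocal hits
        if not is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            return m.group(0)  # leave look-alikes untouched
        hits += 1
        return "xxx-xx-xxxx"
    return SSN_RE.sub(repl, text), hits

def inspect_outbound(raw_message):
    """Mask SSNs in a plain-text message and list recipients outside the company."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers)]
    suffix = "@" + INTERNAL_DOMAIN
    external = [a for a in recipients if not a.lower().endswith(suffix)]
    body, hits = mask_ssns(msg.get_payload())
    return {"external": external, "ssn_hits": hits, "body": body}

# Constructed sample message (not real data).
SAMPLE = """\
From: alice@example.com
To: alice.home@mail.example.net, bob@example.com
Subject: payroll fix

Employee SSN 123-45-6789 needs updating; ticket 000-12-3456, ref 1234567890.
"""

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE))
```

A real gateway would combine a result like this with policy: block, quarantine, or deliver the masked copy and alert the security team.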
There is no single answer to the risk of data loss for your organization. Rather, it’s best to take a multi-pronged approach. That means developing sound information control policies, an employee education curriculum, and legal and personal accountability. It means doubling down on enforcement of acceptable use practices. And it means ensuring you have the right software solutions to handle the problem. And even with all that, there are no guarantees. Did you hear about the former government official who walked out of the National Archives with classified material stuffed down his pants?