The Data Defenders
Keeping IT losses and risks to a minimum can be accomplished
- By Bill Piwonka
- Jun 01, 2008
Twenty-five million records containing personal information lost by the U.K. tax authority. Personal and confidential health records found on a USB stick by a university student. NATO secrets on a USB stick found in a Stockholm library. Sensitive personal information lost on a flash drive by the Iowa Department of Natural Resources. Fertility treatment information on 3,100 patients lost.

It seems a new story emerges every day outlining the loss of critical, sensitive and confidential data from organizations around the world, all of which could have been prevented if a few simple security precautions and policies had been monitored and enforced. While it seems inconceivable that many organizations have not addressed the issue of endpoint data protection—considering the extreme risk of financial loss and damage to the corporate brand—stories like those above confirm that this is the case. So, how do organizations minimize the risks of data loss through removable storage devices such as USB flash drives, iPods, hard drives and other equipment?
The Problem
Personal lifestyle IT devices like MP3 players, PDAs, USB sticks and smartphones are now so common in the workplace that they rarely warrant a second glance. What’s more, with their small size and inconspicuous nature—some USB sticks are even shaped like bracelets, pens or watches—it’s virtually impossible to stop them from coming into the office, even with a security detail checking each person entering and leaving the building.

The problem isn’t necessarily the use of these devices—many of them serve a legitimate role in the day-to-day operations of an organization. But when allowed to operate uncontrolled, they pose a real threat to the integrity and security of a corporate network. The risks associated with these devices can be grouped into three categories:

Unauthorized removal of network content. Because it is so easy to transfer data to these devices and so few companies have prudent acceptable use policies that are monitored and enforced, organizations risk having confidential data taken off corporate networks.

Transfer of malicious and unwanted content to networked PCs. When employees attach one of these devices to a corporate IT asset, they potentially expose the entire network to any malware—viruses, trojans, keystroke loggers, password crackers—that may be on the drive.

Exposure of sensitive data carried outside the organization. Data that is legitimately carried off-site can be lost or stolen and subsequently compromised, potentially resulting in data loss and risk to the organization.

Once any confidential data has been leaked, there are serious consequences to a company and its employees, partners and customers. According to the Ponemon Institute, a privacy and information management research firm, data breaches cost companies an average of $197 per compromised record in 2007—an increase from 2006. Lost business opportunities, including those associated with customer churn and acquisition, represented the most significant component of the cost increase, rising from $98 in 2006 to $128 in 2007—a 30 percent increase. These figures also account for the costs associated with the negative publicity and productivity loss experienced as companies devote resources to mitigate data loss damage.

The pain can be personal as well. Recent research suggests it takes victims of identity theft an average of two years—roughly 175 hours of writing emails and letters or making phone calls—to clear their credit reports.

But, there is good news. While data leaks can expose a company to enormous risks, preventing them is not impossible. A recent survey by a research group that monitored 100,000 hours of user activity and identified the source for all leaks concluded that every incident could have been prevented if existing policies had been implemented, monitored and enforced.
The Solution
A company may have the world’s most trustworthy employees, but this won’t change the fact that employees are ultimately responsible for 50 to 70 percent of a typical organization’s data leaks, according to Forrester Research. Further compounding the risk of an internal leak is the extensive use of contractors and consultants—in one recent analysis, 72 percent of companies surveyed reported that their organization employs temporary workers or contractors who require access to sensitive information and systems.

It is vital to recognize that trust is not an option when it comes to data security. The fact that the vast majority of employees are honest and would not deliberately put an organization’s or customer’s data at risk doesn’t change the reality that ignorance, malfeasance, misconduct and even intentional action inside the firewall cause most data loss. Thus, it is incumbent upon each employee to take the necessary steps to minimize the risk of data leaking beyond any walls.

Creating an effective strategy to prevent data breaches is about striking the right balance for your organization’s individual needs. The aim must be to address the largest areas of risk with the most effective use of resources and minimal impact on day-to-day operations.
Implementing Prevention Measures
When it comes to managing removable media devices, the important fact to remember is that one size definitely does not fit all. Different employees will have different legitimate needs, and even some employees who normally would not need to use a particular type of device might need a temporary exception at some point. Thus, when implementing safeguards against data leakage, it’s useful to follow a simple five-step approach:

Understand the risk. How many devices come into your workplace? What types of devices are used most often? How often do your users connect? Are some departments more prolific users than others? Do contractors and temporary employees play a big role in your business operations? Do they frequently use removable devices?

Review the business requirements. Using a PDA to keep track of appointments and contacts is an efficient way to conduct business. Making the same claim about connecting an iPod to the network and downloading music may prove to be more difficult. The marketing department probably needs to be able to use scanners, digital cameras and other devices. Salespeople most likely need to be able to access slide presentations from USB thumb drives. Senior management may need access to all of these things. As mentioned before, these devices do play an important role in daily business life—it’s uncontrolled use that causes many of the problems. Determine legitimate business requirements by department or individual, and address all operational risks outside of these.

Create a removable device policy and communicate. Acceptable usage policies can provide directions on employee use of portable media devices and are an important part of the solution, but they are unlikely to provide detailed, enforceable guidelines. Employee awareness of a policy’s existence through effective internal communication is a crucial component of any security measure. Consider the components of the policy—which, if any, removable storage devices are permitted? Are certain classes of employees allowed to use a particular type of device, while other employees are not? Will you require encryption for any files transferred? Will you monitor and enforce policies surrounding the content of the files that are transferred? How will you address one-time needs, when a legitimate business need may fall outside of your policy?

Enforce the policy. If there is no enforcement of written policy, be assured breaches will occur. Good intentions are not enough—you need technology to help enforce your policies, and security officers can’t check everyone all the time. You need to complement acceptable usage policies with a software solution that enables IT staff to create, monitor and enforce policies.

Educate, review and repeat. Don’t leave staff in the dark when implementing new security measures. Communicate whether software has been deployed to further reinforce the established acceptable usage policy. When employees are blocked from certain tasks—such as using a USB thumb drive to copy a file onto the network—take the opportunity to educate workers on the policy and the reasons for its existence.

In addition, proactive monitoring of device connections will identify recurring trends in device usage while ensuring usage policies are aligned with the current perceived threat level. By paying attention, you may find risks in areas where you thought none existed.
Making A Choice
Obviously, policies alone won’t secure your data—you need to implement the right technology as well. And while there are a number of solutions on the market today, consider the following items when making the choice for your organization:

• Is the technology easy to install, implement and manage on an ongoing basis?
• Is the solution unobtrusive to the end user?
• Does the solution offer the ability to enforce encryption?
• Is temporary access granted when business needs warrant it?
• Can the solution enforce policies based on file type, keyword (such as “confidential”), regular expression (such as strings that look like Social Security numbers) or file name?
• Are reports easily generated, and do they convey the important information you need to manage your policies?
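The per-department device permissions, one-time exceptions, encryption requirement and content rules (keyword, Social Security number pattern, file name) that the five-step approach and this checklist describe, as an added example in Python that is not code from the article or from any product it discusses. The departments, users, keyword list, blocked file-name fragments and sample transfers are constructed values.

```python
import re
from dataclasses import dataclass, field

# Content rules from the checklist: a keyword, a regular expression for strings
# that look like Social Security numbers, and file-name fragments (constructed).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("confidential",)
BLOCKED_NAMES = (".pst", "payroll")

@dataclass
class Policy:
    allowed_devices: dict          # department -> device classes it needs (step 2)
    temporary_exceptions: set = field(default_factory=set)  # (user, device) one-time needs
    require_encryption: bool = True

def content_hits(filename, content):
    """Return the content rules a file trips; an empty list means clean."""
    hits = []
    if any(n in filename.lower() for n in BLOCKED_NAMES):
        hits.append("file-name")
    if any(k in content.lower() for k in KEYWORDS):
        hits.append("keyword")
    if SSN_RE.search(content):
        hits.append("ssn-pattern")
    return hits

def evaluate(policy, user, dept, device, filename, content, encrypted):
    """Decide one transfer to removable media; the reason feeds the audit log."""
    permitted = device in policy.allowed_devices.get(dept, ())
    if not permitted and (user, device) not in policy.temporary_exceptions:
        return "deny", f"{device} not permitted for {dept}"
    if policy.require_encryption and not encrypted:
        return "deny", "unencrypted transfer to removable media"
    if hits := content_hits(filename, content):
        return "deny", "content rule: " + ", ".join(hits)
    return "allow", "policy satisfied"

SAMPLE_POLICY = Policy(
    allowed_devices={"marketing": {"camera", "scanner"}, "sales": {"usb"}},
    temporary_exceptions={("bob", "usb")},  # bob (marketing) has a one-time need
)
SAMPLE_TRANSFERS = [  # constructed: (user, dept, device, filename, content, encrypted)
    ("alice", "sales", "usb", "deck.pptx", "Q3 roadshow slides", True),
    ("alice", "sales", "usb", "deck.pptx", "Q3 roadshow slides", False),
    ("bob", "marketing", "usb", "brief.docx", "CONFIDENTIAL launch plan", True),
    ("carol", "sales", "usb", "leads.csv", "name,ssn\nJ Doe,123-45-6789", True),
    ("dave", "marketing", "usb", "photo.jpg", "", True),
]

def run_sample():
    return [evaluate(SAMPLE_POLICY, *t)[0] for t in SAMPLE_TRANSFERS]
```

The deny reasons returned by evaluate are what a report would aggregate per department to spot the recurring usage trends the article recommends watching.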
Despite the enormous risks to your organization due to the proliferation of removable storage devices, adopting a no-use policy is impractical. So rather than trying to ban these devices, smart companies are implementing software to easily control their use and protect data. Given the costs of a data breach, the question is not, “Should we implement a solution?” but rather, “Can we afford not to?”