Twenty-five million records containing personal information lost by the U.K. tax authority. Personal and confidential health records found on a USB stick by a university student. NATO secrets on a USB stick found in a Stockholm library. Sensitive personal information lost on a flash drive by the Iowa Department of Natural Resources. Fertility treatment information on 3,100 patients lost.

It seems a new story emerges every day outlining the loss of critical, sensitive and confidential data from organizations around the world, and in each case a few simple security precautions and policies, had they been monitored and enforced, would have prevented the loss. It seems inconceivable that so many organizations have not addressed endpoint data protection, given the extreme risk of financial loss and damage to the corporate brand, but stories like those above confirm that this is the case. So, how do organizations minimize the risk of data loss through removable storage devices such as USB flash drives, iPods, hard drives and other equipment?

The Problem
Personal lifestyle IT devices like MP3 players, PDAs, USB sticks and smartphones are now so common in the workplace that they rarely warrant a second glance. What’s more, with their small size and inconspicuous nature—some USB sticks are even shaped like bracelets, pens or watches—it’s virtually impossible to stop them from coming into the office, even with a security detail checking each person entering and leaving the building.

The problem isn’t necessarily the use of these devices—many of them serve a legitimate role in the day-to-day operations of an organization. But when allowed to operate uncontrolled, they pose a real threat to the integrity and security of a corporate network. The risks associated with these devices can be grouped into three categories:

Unauthorized removal of network content. Because it is so easy to transfer data to these devices and so few companies have prudent acceptable use policies that are monitored and enforced, organizations risk having confidential data taken off corporate networks.

Transfer of malicious and unwanted content to networked PCs. When employees attach one of these devices to a corporate IT asset, they potentially expose the entire network to any malware on the drive: viruses, trojans, keystroke loggers, password crackers. The owner's honesty is no protection here; a drive that has been used on a home PC or picked up at a conference carries whatever it was infected with.

Exposure of sensitive data carried outside the organization. Data that is legitimately carried off-site can be lost or stolen and then read by whoever finds it. Whether the device was encrypted is what separates a lost drive from a data breach.

Once any confidential data has been leaked, there are serious consequences for a company and its employees, partners and customers. According to the Ponemon Institute, a privacy and information management research firm, data breaches cost companies an average of $197 per compromised record in 2007, an increase from 2006. Lost business, including the cost of customer churn and replacement, represented the most significant component of the increase, rising from $98 per record in 2006 to $128 in 2007, a 30 percent jump. These figures also account for the costs of negative publicity and of the productivity lost as companies devote resources to mitigating the damage.

The pain can be personal as well. Recent research suggests it takes victims of identity theft an average of two years, roughly 175 hours of writing emails and letters or making phone calls, to clear their credit reports.

But, there is good news. While data leaks can expose a company to enormous risks, preventing them is not impossible. A recent survey by a research group that monitored 100,000 hours of user activity and identified the source for all leaks concluded that every incident could have been prevented if existing policies had been implemented, monitored and enforced.

The Solution
A company may have the world's most trustworthy employees, but this won't change the fact that employees are ultimately responsible for 50 to 70 percent of a typical organization's data leaks, according to Forrester Research. Further compounding the risk of an internal leak is the extensive use of contractors and consultants: in one recent analysis, 72 percent of companies surveyed reported that their organization employs temporary workers or contractors who require access to sensitive information and systems.

It is vital to recognize that trust alone is not a control when it comes to data security. The fact that the vast majority of employees are honest and would not deliberately put an organization's or customer's data at risk doesn't change the reality that ignorance, carelessness, misconduct and occasionally deliberate action inside the firewall cause most data loss. Thus, it is incumbent upon the organization, not on the good will of each employee, to put in place the controls that minimize the risk of data leaking beyond its walls.

Creating an effective strategy to prevent data breaches is about striking the right balance for your organization’s individual needs. The aim must be to address the largest areas of risk with the most effective use of resources and minimal impact on day-to-day operations.

Implementing Prevention Measures
When it comes to managing removable media devices, the important fact to remember is that one size definitely does not fit all. Different employees will have different legitimate needs, and even some employees who normally would not need to use a particular type of device might need a temporary exception at some point. Thus, when implementing safeguards against data leakage, it’s useful to follow a simple five-step approach:

Understand the risk. How many devices come into your workplace? What types of devices are used most often? How often do your users connect? Are some departments more prolific users than others? Do contractors and temporary employees play a big role in your business operations? Do they frequently use removable devices?

Review the business requirements. Using a PDA to keep track of appointments and contacts is an efficient way to conduct business. Making the same claim about connecting an iPod to the network and downloading music may prove to be more difficult. The marketing department probably needs to be able to use scanners, digital cameras and other devices. Salespeople most likely need to be able to access slide presentations from USB thumb drives. Senior management may need access to all of these things. As mentioned before, these devices do play an important role in daily business life— it’s uncontrolled use that causes many of the problems. Determine legitimate business requirements by department or individual, and address all operational risks outside of these.

Create a removable device policy and communicate. Acceptable usage policies give employees direction on the use of portable media devices and are an important part of the solution, but a document on its own enforces nothing; it needs to be specific enough that a tool can apply it. Employee awareness of a policy's existence through effective internal communication is a crucial component of any security measure. Consider the components of the policy: which, if any, removable storage devices are permitted? Are certain classes of employees allowed to use a particular type of device, while other employees are not? Will you require encryption for any files transferred? Will you monitor and enforce policies surrounding the content of the files that are transferred? How will you address one-time needs, when a legitimate business need falls outside of your policy?

Enforce the policy. If there is no enforcement of written policy, be assured breaches will occur. Good intentions are not enough—you need technology to help enforce your policies and security officers can’t check everyone all the time. You need to complement acceptable usage policies with a software solution that enables IT staff to create, monitor and enforce policies.

Educate, review and repeat. Don't leave staff in the dark when implementing new security measures. Tell them when software has been deployed to reinforce the established acceptable usage policy. When employees are blocked from certain tasks, such as using a USB thumb drive to copy a file onto the network, take the opportunity to explain the policy and the reasons for its existence.

In addition, proactive monitoring of device connections will reveal recurring patterns of device usage and show whether the usage policy still matches the actual threat. By paying attention, you may find risks in areas where you thought none existed.

Making A Choice
Obviously, policies alone won’t secure your data—you need to implement the right technology as well. And while there are a number of solutions on the market today, consider the following items when making the choice for your organization:

• Is the technology easy to install, implement and manage on an ongoing basis?

• Is the solution unobtrusive to the end user?

• Does the solution offer the ability to enforce encryption of data written to removable devices?

• Is temporary access granted when business needs warrant it?

• Can the solution enforce policies based on file type, on keywords (such as "confidential"), on regular expressions (such as strings that look like Social Security numbers) or on file name?

• Are reports easily generated, and do they convey the important information you need to manage your policies?

Despite the enormous risks to your organization from the proliferation of removable storage devices, adopting a no-use policy is impractical. So rather than trying to ban these devices, smart companies are implementing software to control their use and protect data. Given the costs of a data breach, the question is not, "Should we implement a solution?" but rather, "Can we afford not to?"

This article originally appeared in the June 2008 issue of Security Today.

