IFSEC Insider | Security and Fire News and Resources

Stop the Great Data Exodus

Everything is going or has gone digital, from the cassette player through to the picture frame. Whether a technology is designed to help us communicate, take pictures, listen to music or watch a movie, every one of the gadgets that we carry has the ability to store large amounts of data in a digital form.

The ability to move massive amounts of information between traditional PCs and portable storage devices means that it’s now incredibly easy for confidential data to be taken from companies without their knowledge or consent. Interestingly, the perpetrators of such crimes are rarely stereotypical hackers, attacking systems via the Internet from their ‘Mafia’ headquarters or the student bed-sit.

Instead, the data thieves are frequently much closer to home…

Unescorted visitors, for example, or temporary staff who have joined the organisation purely to copy data and hand it over to a competitor. Or, as is becoming increasingly common, unhappy members of staff who are about to resign but think it’s a good idea to first take copies of anything which might be useful in their new job. Last, there are the innocent employees who simply don’t follow security policy, copy their work files to take home for further amendment and then lose the unprotected storage device.

Increased level of storage

In the days of Windows 1.0, Bill Gates famously said that no-one would ever need more than 640 kb of RAM on their PCs. Today, you can buy a 16 Gb USB stick that fits on a keyring. Allowing a generous 10 kb for a page of text, and assuming that five reams of 500 sheets comprise a box of printer paper, we arrive at an interesting modern take on Bill’s original quote.

In short, you can now carry 640 boxes’ worth of information in your pocket alongside your keys to the office. Plenty of capacity for someone to walk off with your sales database or the source code for your next product. As to whether anyone will ever need to carry even more, only time will tell.

Unguarded USB ports on today’s PCs are perhaps the biggest threat to corporate IT and data security. As well as the USB pen drive, an MP3 player, Smartphone or PDA is a fundamental tool of the data thief. Not only can such devices store tens of gigabytes of data, but they may all be swiftly connected to any PC via a USB cable without the need for any driver software to be installed (and, therefore, without the need for the thief to be logged in as an administrator).

A few drags and drops and the deed is done (typically in a few seconds). Where the amount of data to be stolen is beyond the capacity of an iPod or a PDA, external USB drives comprising half a Terabyte of storage are now available on the High Street for less than £100.

USB devices aren’t the only way in which information can be stolen electronically, of course. Most of today’s mobile telephones include a camera. These can be used to make a quick electronic copy of a printed page. Pocket Optical Character Recognition wands and portable scanners offer similar facilities for the opportunistic data thief who stumbles across a confidential printed document. Alternatively, the thief could simply make a copy of a document and pop it in the post.

However, using any of these methods to steal large quantities of data is simply not practical because of the time required. Controlling the use of USB devices is of far greater importance.

User accounts and passwords

Actions by former employees should also be considered in your Data Protection plans. Are all of your system users’ accounts and passwords deleted as soon as a person leaves the company, or if they change department? Failure to erase such information isn’t just dangerous; it might also mean that you fall foul of the Data Protection Act by storing personal data you have no need to retain.

To reduce the problem of ‘data leakage’ in your company, there are three particularly effective strategies you might adopt. First, ensure that you have a policy in place which clearly states who is allowed to take data off-site, and how that data must be protected when it’s away from your premises. Second, ensure that data doesn’t leave the building without your prior knowledge. Finally, ensure that data which does need to be removed from the building is protected such that it cannot fall into the wrong hands.

To control which data files leave your premises in the first place, set up user accounts on servers and workstations so that employees can’t access information they have no need to see. Those members of staff in the Sales and Marketing Department, for example, probably don’t need access to the Product Development Department’s files on the server, so set the access permissions accordingly.

The over-use of rules and regulations can lead to low morale, however, if the workforce is put in a position where it feels it cannot be trusted. Beware of becoming seen as Big Brother. It will not drive the data thieves away, but simply make them more determined.

It’s also well worth investing in a port control product which can automatically block USB devices from being connected to your systems without authorisation. Some of the solutions available also include transparent encryption such that information copied to USB devices is automatically rendered inaccessible to thieves.
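The authorisation decision that such a port control product has to make can be sketched as follows. This is an added example, not code from the article or from any particular product; the device records, serial numbers and allow-list are constructed, and treating vendor-specific interfaces as storage-capable is a policy assumption.

```python
# Added illustration: default-deny USB port-control decision logic.
# Device records, serial numbers and the allow-list are constructed samples.
from dataclasses import dataclass

# USB-IF interface class codes for interfaces that can carry files off a PC.
STORAGE_CLASSES = {
    0x08: "mass storage (pen drives, external disks)",
    0x06: "still imaging, PTP/MTP (phones, cameras, media players)",
}
VENDOR_SPECIFIC = 0xFF  # opaque interface; assumed storage-capable by this policy

@dataclass(frozen=True)
class UsbDevice:
    vid: int            # vendor ID
    pid: int            # product ID
    serial: str         # empty when the device reports no serial number
    interfaces: tuple   # interface class codes the device exposes

# Constructed allow-list: company-issued encrypted drives, keyed by identity.
AUTHORISED = {(0x1234, 0x0001, "CORP-ENC-0001")}

def decide(dev, authorised=AUTHORISED):
    """Return (verdict, reason) for a newly connected device."""
    risky = [c for c in dev.interfaces
             if c in STORAGE_CLASSES or c == VENDOR_SPECIFIC]
    if not risky:
        return "allow", "no storage-capable interface"
    if not dev.serial:
        return "block", "storage-capable device without a serial cannot be identified"
    if (dev.vid, dev.pid, dev.serial) in authorised:
        return "allow", "authorised device"
    return "block", "unauthorised storage-capable device"

def audit(devices):
    """Map each device (serial, or vid:pid when it has none) to its verdict."""
    return {d.serial or f"{d.vid:04x}:{d.pid:04x}": decide(d) for d in devices}

SAMPLE = [  # constructed connection records
    UsbDevice(0x1234, 0x0001, "CORP-ENC-0001", (0x08,)),  # issued drive
    UsbDevice(0x1234, 0x0001, "PERSONAL-77", (0x08,)),    # same model, personal
    UsbDevice(0xABCD, 0x0010, "PHONE-01", (0x06, 0xFF)),  # phone in MTP mode
    UsbDevice(0x0F0F, 0x0002, "", (0x03,)),               # keyboard (HID)
    UsbDevice(0x0F0F, 0x0003, "", (0x03, 0x08)),          # composite HID + storage
]

if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE).items():
        print(f"{name:15} {verdict:5} {reason}")
```

A rule that only looks for mass-storage interfaces (class 0x08) would let the phone through, which is why the sketch also covers the imaging class used by media players and smartphones.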

Protecting information off-site

If a sales manager’s laptop is stolen from the boot of her car, you need to be sure that the client information stored on its hard disk cannot be accessed by the thief.

If your marketing manager’s PDA goes missing while he’s attending a conference, can you be sure the document containing details of next year’s product launches will not be accessible to whoever buys the stolen hardware? Worth thinking about, isn’t it?

The solution to this problem is encrypting data. There are many products on the market. You must ensure that the system you choose is proven, transparent and automatic, eliminating user interaction and creating a fully-enforceable solution that holds up to the most stringent compliance requirements.

Deploying an encryption solution will improve the level of trust and loyalty of both clients and employees who recognise that every effort is being made to protect their sensitive data and ensure that a lost or stolen device never results in a data breach.
