In today's business environment, information needs to be mobile. This need for mobility has brought with it a host of security risks with data leakage topping the list. Enterprises are in the midst of a data leakage epidemic. Since 2005, more than 230 million records have been lost or stolen, according to the Privacy Rights Clearinghouse, many of them stored on portable devices.1
The consequences of accidental and deliberate data leaks can be severe. Theft of intellectual property, trade secrets, proprietary information including confidential business plans and road maps, can result in the potential loss of sales or first mover advantage. In addition, loss of sensitive customer or employee data can result in legal liability, potential criminal charges when data leaks violate state or federal laws, as well as penalties associated with failure to comply with industry and federal regulations. Data breach incidents cost an average of $6.3 million, according to a study conducted by The Ponemon Institute.2 Furthermore, the irreparable damage to an organization's public image can be devastating.
A common incidence of data leakage occurs when employees take work home with them on a laptop or a flash drive, only to lose the device or have it stolen. Most IT managers have taken steps to harden their networks against external attacks using intrusion detection systems, packet inspectors, firewalls and malware scanners. When it comes to securing portable media players, USB flash drives, memory cards, optical discs, external hard drives and other portable storage devices, most IT managers don't know where to start.
To avoid becoming the next headline, enterprises must plug the leaks. Where they are most vulnerable are the
endpoints of the network, and these are everywhere. The challenge facing IT managers is to secure the endpoints without restricting employees' productivity.
There are eight practices that can mitigate the risks of data leakage from endpoints for any organization. These are:
- Inventory Hardware
- Identify Sensitive Data
- Establish Hardware Policies
- Establish Data Usage Rules
- Implement a Centralized Management System
- Start at the Top
- Train Employees
- Test the IT Environment
1. Inventory Hardware
To secure the endpoints, IT managers must know what devices the organization uses. The first step is to audit all hardware and storage devices used in the organization. This can be done manually or organizations can employ software to automate the process by scanning each desktop and laptop on the network to identify every device that's ever been connected to it .This information is necessary for setting policies regarding the kinds of devices employees will be allowed to use and the types of protections they require.1
2. Identify Sensitive Data
As with hardware, organizations need to know what data they have to lose. A thorough inventory of the data can identify the files containing the most sensitive information - company financial, human resources records, intellectual
property, and customer lists for example.
Software solutions are available to automate this process. These solutions scan files on network drives and client machines, checking for specified keywords or easily identified strings that match a specific pattern of letters and numbers, such as Social Security numbers or credit card numbers. Other software may offer real-time scanning of documents as they are opened, or integrate with content filters used to scan outgoing email for leaks of proprietary information.
3. Establish Hardware Policies
Organizations need to determine what types of hardware they will accept and what kinds of data need to be restricted. Banning mobile devices outright can hamper productivity and implicitly compel employees to engage in "guerilla" storage tactics using their own portable devices.
Organizations first need to decide what devices should be included under acceptable use policies. A good place to start is requiring sensitive mobile data to be stored only on encrypted devices. Hardware policies must also determine what kinds of smart phones and portable storage devices are allowed to access the network. For instance, the organization may need to restrict all portable MP3 players and digital cameras and allow only company-issued encrypted USB flash drives.
There is rarely a one-size-fits-all solution. Policies will often vary depending on the roles and responsibilities of each individual. An organization will likely have different policies for its CEO and upper management than its administrative staff.
4. Establish Data Usage Rules
The next step is to create rules for what kinds of data files can be portable and how they are treated. Some files may be read only, some may be encrypted and others may be off limits for all but authorized personnel. C-level executives will have different data mobility needs and require different policies than the organization's administrative staff, engineers or outbound sales force.
Data usage policies must be comprehensive enough to protect the organization, but not so restrictive that they impede employee productivity.
5. Implement a Centralized Management System
Establishing corporate policies without any way to enforce the rules or detect violations is futile, as policies alone won't secure the endpoints. Organizations need a means to make policies compulsory. According to the Computer Security Institute, half of all organizations reported theft of a laptop or other mobile device and nearly one in five reported a theft of customer or employee data, yet only 27 percent use endpoint security software.3
Network-based data loss prevention systems (DLP) can detect activity at the port level on every machine connected to the LAN, as well as Bluetooth, infrared and WiFi connections. These systems can log all attempts to copy or manipulate sensitive files, proactively alert employees who are attempting to read or modify confidential data, and enforce policies, such as only allowing sensitive data to be copied to encrypted flash drives.
Some DLP systems will allow an organization to track offline usage as well, comparing mobile data files against the originals to determine if they have been opened, altered or copied to another device.
Endpoint device management software allows corporate IT departments to centrally manage encrypted USB flash drives both inside and outside the corporate environment. This software protects corporate data by coordinating the complete lifecycle of company-issued USB drives from initial user-deployment to drive termination. Central management software allows for password recovery and renewal, tracking and monitoring activity beyond the corporate network, central back-up and restore, enforcement of company policy and remote termination of lost or stolen drives. With this software, data on lost drives is not lost and administrators can provision a replacement with user files backed up on the network.
6. Start at the Top
Implementing a comprehensive endpoint security solution across a large organization doesn't happen overnight. It can take months and even years, but data needs protection today. Organizations must establish a security hierarchy based on a thorough risk analysis. The top is the best place to start. First, lock down C-level executives, business unit directors and personnel who travel with sensitive data before moving on to the rest of the organization.
7. Train Employees
The most vulnerable element in any organization is its people. Only 18 percent of data breaches are caused by some type of malicious intent by an insider, hacker, or code.4 Inadvertent employee behavior and broken business processes are responsible for the majority of data loss incidents and thus preventable. The best defense against data leaks is an educated workforce. Employees should be schooled not only on how to avoid data loss and report those that happen, but also on the compliance framework their organization may operate in, such as HIPAA, GLBA or SOX.
8. Test the IT Environment
Leaky data is like a leaky roof; you won't know you have one until it rains. Likewise, organizations won't know if their endpoint security system is working until they test it. A third-party firm can probe for weaknesses that an IT staff may not have considered. For example, an organization can install a virtually bullet-proof DLP system, yet still be vulnerable because someone left the door to the data center unlocked, allowing a thief to walk away with the backup discs.
Mobile data is not going away. Data leaks will only get worse and more costly, both in real dollars as well as damage to an enterprise's intellectual property and reputation.
Organizations must know what devices to use and what data to protect. They also need to develop policies that fit each role in the organization and implement tools that allow the organization to audit and enforce the policies. Only a top-down effort involving intelligent device management, data monitoring and centralized policy enforcement will plug the leaks, while allowing organizations to operate securely at the rapid speed of business.
1. "A Chronology of Data Breaches," Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.
2. "2007 Annual Study: The Cost of a Data Breach," The Ponemon Institute.
3. CSI 2007 Computer Crime and Security Survey, Computer Security Institute.
4. "2007 Annual Study: The Cost of a Data Breach," The Ponemon Institute.
Dror Todress is Director of Marketing, Enterprise Division at SanDisk.