10 Golden Rules of Data Loss Prevention
 Posted by SecExtra on March 06th, 2008

Frank Schlottke at Applied Security kindly provides us with his top ten tips to avoid embarrassing and potentially damaging data loss.

With so many highly publicised data losses in the last few months, the safety of stored information is now even higher on the corporate agenda – no one wants to suffer the same humiliation as HMRC, DVA or Marks and Spencer.  Losing a large amount of company data, whether at the hands of a hacker or because someone lost it accidentally, is highly embarrassing.  Worse than that, if the data contains sensitive information such as personal details on customers, legal action and mass media coverage can lead to financial loss and potentially irreversible damage to reputation.

There are just three types of data loss to protect against. The first is externally driven, for example the loss of a laptop, file server or mobile device. The second is internally driven: a trusted employee deliberately or inadvertently copies data to removable media such as a USB key or MP3 player. The third is the snooping of files on a network by trusted employees such as a network administrator.

But there are ten simple rules that, if followed, will dramatically reduce the risks associated with losing important company data.

1.  Identify the data you need to protect
Not all data is equal so it is important to focus efforts on the data that actually needs protection.  For example, management data may include the latest sales figures, strategy documents and contracts that you wouldn’t want in the hands of your competition. HR will hold personal employee records including bank account details covered by Data Protection legislation, while R&D will have crucial information and intellectual property relating to future products.

2.  Know the threats
Whether it is an employee, partner or total stranger, it is essential to identify who has the potential to read confidential information before that can be prevented from happening.  Also, be aware that while firewalls are there to prevent hackers from getting into your network, you must also have a second line of defence in case the network is compromised.

3.  Don’t be overconfident
If your attitude leads you to think that you are untouchable, think again.  With so many examples of large operations such as Time Warner and HMRC losing valuable data, be prepared to expect the unexpected and learn from others’ mistakes.

4.  Proactively identify data channels and how to best protect them
Most sensitive data such as personnel records, salary files and strategic planning documents originate from an individual’s PC or laptop and are stored on local hard disks, file servers, USB drives and so on.  They may also be sent via email to a customer, colleague or partner. With so many different possible routes that the information may take it is extremely difficult to ensure that it is secure at all times.  It is far easier and more efficient to protect the data itself through encryption rather than through the device or channel.

5.  Have a clearly defined central policy management
Think carefully about who has access to data.  This may be based on seniority or by different departments within the organisation.  Grant access rights on a ‘need-to-know’ basis, making sure that even IT administrators can only see the content of files that they are intended to see.  And don’t forget that access rights may need to be taken away if an employee leaves the company or changes roles.

6.  Consider the ‘human factor’
Security measures should not be complicated to use and the impact on the way people work should be minimal.  The more complicated the solution, the more room there is for human error and it certainly shouldn’t take a cryptography expert to look after security.  So, it is important when choosing a vendor that each feature of a solution actually has a specific role that adds to security, rather than just adding complexity.

7.  Be aware of your legal obligations
There are a wide range of legislative and legal requirements regarding the protection of data and failure to comply can have serious consequences for the company. What’s more, negligence in taking preventative measures can lead to the responsible parties, including company directors, being found personally liable.

8.  Remember recovery mechanisms
If an important file is accidentally deleted it can usually be recovered easily. But if the key to an encrypted file is lost, access to the data is lost forever, unless the encryption solution has intelligent recovery mechanisms, ranging from one-time passwords to self-contained tools that can recover encrypted material even if all keys are lost.
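Rules 4, 5 and 8 together describe one design: encrypt the file itself rather than the channel, hand the key only to the people who need the content, and keep a recovery path so that a lost key does not mean lost data. As an added example that is not part of the original post and is not code from Applied Security, the Go program below implements that pattern as envelope encryption using only the standard library's AES-256-GCM. Each file gets a random data key; that data key is wrapped once per authorised principal and once for an organisation recovery key. The Principal names, the "recovery" role and the Revoke rekeying step are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal names the holder of a key-encryption key (KEK): a user, a
// departmental role, or the organisation's recovery key (assumed name).
type Principal string

// Envelope is one protected file. The content is encrypted under a random
// data key; that data key is wrapped once per authorised principal, so the
// data key itself is never stored in clear anywhere.
type Envelope struct {
	Ciphertext []byte               // AES-GCM(dataKey, plaintext)
	Wrapped    map[Principal][]byte // AES-GCM(KEK[p], dataKey), one per principal
}

// NewKey returns a fresh 256-bit random key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag also rejects any tampered blob.
func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Encrypt protects plaintext for exactly the principals in keks (rule 5,
// need-to-know). Include the recovery principal's KEK so the file survives
// the loss of every user key (rule 8).
func Encrypt(plaintext []byte, keks map[Principal][]byte) (*Envelope, error) {
	dataKey, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, Wrapped: make(map[Principal][]byte, len(keks))}
	for p, kek := range keks {
		if env.Wrapped[p], err = seal(kek, dataKey); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Decrypt unwraps the data key with p's KEK. A principal with no wrapped
// copy (say, an administrator who can read the file server) gets an error,
// not the content.
func (e *Envelope) Decrypt(p Principal, kek []byte) ([]byte, error) {
	w, ok := e.Wrapped[p]
	if !ok {
		return nil, fmt.Errorf("%s is not authorised for this file", p)
	}
	dataKey, err := open(kek, w)
	if err != nil {
		return nil, fmt.Errorf("unwrap for %s failed: %w", p, err)
	}
	return open(dataKey, e.Ciphertext)
}

// Revoke rekeys the file for the remaining principals, using the recovery
// principal to read it. Merely deleting a wrapped copy would leave the old
// data key valid for anyone who had already cached it.
func Revoke(e *Envelope, recovery Principal, recoveryKEK []byte, remaining map[Principal][]byte) (*Envelope, error) {
	pt, err := e.Decrypt(recovery, recoveryKEK)
	if err != nil {
		return nil, err
	}
	return Encrypt(pt, remaining)
}
```

Someone who can read the file server sees only the ciphertext and the wrapped keys, which is the "even IT administrators can only see what they are intended to see" property of rule 5. When an employee leaves, Revoke produces a fresh envelope that their KEK no longer opens. Because one wrap is always made for the recovery principal, losing every user key still leaves a way back to the data, which is the recovery mechanism rule 8 asks for; in a real deployment that recovery KEK would be held in an HSM or split among several custodians rather than sitting on a disk.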

9.  Prioritise the risks
The reality is that an out-of-the-box solution cannot hope to exactly match every single specific security requirement of a company, and bespoke solutions are costly and time consuming.  With this in mind the choice should be based upon perceived risks to the organisation: reputational, financial, competitor, and so on.  Weeding out the ‘nice to haves’ from the ‘must haves’ means that the search is better focused and it is easier to find the best-fit solution.

10.  Accept that data protection is worth the investment
Data loss prevention is no easy feat; otherwise it would be inexpensive and there would be no security breaches. Sadly this is not the case.  IT security is a complex task that requires specialist knowledge to provide the best solution, which doesn’t come cheap.  But once this is accepted and the process is carried out properly, the benefits will far outweigh any investment made.

There are technologies that will address one or more of the types of data theft. But the only way to protect against all three is to secure access to sensitive data on file servers, desktops and laptops by encrypting all of the files and folders on the disk drives. Following these top ten rules will help organisations to avoid the most common mistakes and to find an encryption solution that best suits the way they do business. And best of all, they will avoid becoming front page news for all the wrong reasons.



This entry was posted on Thursday, March 6th, 2008 at 12:08 am and is filed under IT security.
