10 ways to protect sensitive business data
27 January 2017
In a modern business, communication and collaboration are becoming easier than ever. We can work remotely, we can access documents on our smartphones and check in with our colleagues via Skype whilst on the go. While the increase in this type of working culture is positive, the rise of social media, instant messaging and email – along with the influx of portable devices (smartphones, tablets etc.) and removable media into the office space – means it’s becoming easier than ever for data to leak out of a business.
Your data – be it financial, client, employee or product-based – is a highly valuable asset and it is critical that it is protected. However, since confidential data can reside on a number of computing devices (servers, databases, desktops, laptops, USB drives, mobiles), and often moves through a number of access points, it can be difficult to know where to start. In this blog we will outline some of the solutions available to help with the problem of data loss, and how to get started with your data leak prevention project.
What is data leak prevention (DLP)?
DLP is a strategy for making sure that sensitive or critical information is not shared outside of the corporate network. It typically describes any solution or process which identifies and tracks the journey of sensitive data around the enterprise, and enforces policies to prevent unauthorised or accidental disclosure.
Many firms decide to undertake a DLP project to protect their IP or client data, but the complexity of the task, and the resources required to complete and maintain it, often means the project gets pushed to one side.
However, as the number of Internet-connected devices continues to skyrocket, it is critical that your business can manage and protect confidential information – and you will only be able to do this with a DLP strategy in place.
How can a data leak occur?
There are usually three categories of data leakage:
- In Transit – Data is intercepted whilst travelling, e.g. via email, web chat, web traffic etc.
- At Rest – Data is captured from areas such as file shares, databases, desktops or laptops
- In Use – Data is captured from screenshots, clipboards, printers, USB disks and other removable media etc.
Each category should be broken down by a business, along with the classification of the information and data (e.g. level of sensitivity and risk). Only when you understand what data you have and what risks you face can you start to think about controls. The controls will vary significantly by sector, but there are a number of solutions you can implement to ensure your information remains secure.
How can I keep my sensitive data secure?
1. Portable encryption
If sensitive data leaves the secure confines of your firm’s network it should be encrypted. You will need software systems to control this as typically you cannot rely on employees to do it. It only takes a lost USB stick, laptop or phone to deliver a severe blow to a business.
2. Endpoint protection
The data endpoint is typically a computing device, e.g. a desktop, laptop or mobile. It’s on these devices that intellectual property (IP) and other confidential data reside or pass through. Endpoint solutions give administrators control over what devices are in use, when they have been used, who by and what information has been accessed or downloaded.
Businesses should also have effective security policies in place governing the use of these devices. As many employees will store their email and other documents on their smartphones and tablets, your security policy should cover things such as password complexity, downloads and automatic locking of the device.
3. Email content control
As users often send confidential information and documents via email, it has a high potential for data leakage. Content filtering uses deep content inspection technology to scan the text, images and attachments of an email to flag up any potential threats, and can alert administrators if a user tries to send sensitive or restricted material.
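A minimal sketch of the text side of content inspection, added here as an illustration and not taken from any particular DLP product. It assumes attachments have already been converted to plain text, and the classification markers and sample message are constructed for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical classification markers an organisation might stamp on documents.
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|RESTRICTED|INTERNAL ONLY)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_message(body, attachments):
    """Return (location, rule, evidence) findings for one outbound message."""
    findings = []
    parts = {"body": body, **attachments}
    for location, text in parts.items():
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                # Redact before alerting: the alert itself must not leak the value.
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((location, "card_number", masked))
        for m in MARKER_RE.finditer(text):
            findings.append((location, "classification_marker", m.group().upper()))
    return findings


# Constructed sample: a well-known test card number and a plain order reference.
SAMPLE_BODY = "Hi, card is 4111 1111 1111 1111, order ref 1234567890123456."
SAMPLE_ATTACHMENTS = {"plan.txt": "Restricted - Q3 pricing draft"}

if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(finding)
```

The checksum step is what keeps the order reference from raising an alert, which matters because a filter that fires on every long number is quickly ignored by administrators.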
4. Intelligent firewalls
Along with email, IM and internet use also present a risk to your data. Firewalls can protect individual computers and whole networks from security threats, and can take automatic action against potential data leaks, unauthorised access or malicious behaviour by either notifying the administrator or by blocking the activity.
5. Device control
With portable devices, like laptops and smartphones, and removable media, such as USB sticks and iPods, becoming more common in the workplace, it’s getting even easier for employees to walk away with confidential data. While endpoint solutions will increase your levels of protection, you should also have security policies which govern the use of these devices. Your policy should cover things like password complexity, download and application guidelines, and automatic locking of inactive devices.
6. Evaluate security permissions
Many businesses give employees far more access than they really need. You should review your current security permissions, and create new access policies that limit employees’ network privileges to what is required for their job. Your system should also issue alerts if employees suddenly start accessing large numbers of documents – above what they would usually work with on a day-to-day basis – or if a user continually tries to access restricted documents.
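The two alerts described above can be expressed as simple detection logic over a file-access log. This is an added example, not code from any specific product; the event format, thresholds and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

SPIKE_FACTOR = 3      # assumed: alert when today's volume exceeds 3x the user's average
MIN_HISTORY_DAYS = 3  # assumed: earlier days needed before a spike can be judged
DENIED_LIMIT = 3      # assumed: denied attempts in one day that trigger an alert
TODAY = "2017-01-26"  # constructed date for the sample log


def detect(events, today):
    """events: iterable of (day, user, document, allowed). Returns sorted alerts."""
    docs = defaultdict(lambda: defaultdict(set))  # user -> day -> distinct docs opened
    denied = defaultdict(int)                     # user -> denied attempts today
    for day, user, doc, allowed in events:
        if allowed:
            docs[user][day].add(doc)
        elif day == today:
            denied[user] += 1

    alerts = []
    for user, per_day in docs.items():
        # Baseline covers only days with activity, which keeps the threshold conservative.
        history = [len(d) for day, d in per_day.items() if day < today]
        count = len(per_day.get(today, ()))
        if len(history) >= MIN_HISTORY_DAYS and count > SPIKE_FACTOR * mean(history):
            alerts.append((user, "volume_spike", count))
    for user, n in denied.items():
        if n >= DENIED_LIMIT:
            alerts.append((user, "repeated_denied", n))
    return sorted(alerts)


def sample_events():
    """Constructed log: three normal days, then a bulk download and denied retries."""
    events = []
    for day in ("2017-01-23", "2017-01-24", "2017-01-25"):
        events += [(day, "alice", f"doc{i}", True) for i in range(5)]
        events += [(day, "bob", f"doc{i}", True) for i in range(4)]
    events += [(TODAY, "alice", f"client{i}", True) for i in range(40)]
    events += [(TODAY, "bob", f"doc{i}", True) for i in range(5)]
    events += [(TODAY, "bob", "payroll.xlsx", False)] * 3
    return events


if __name__ == "__main__":
    for alert in detect(sample_events(), TODAY):
        print(alert)
```

Comparing each user against their own history, not a single company-wide limit, is what lets the same rule fit both an analyst who opens hundreds of files a day and a receptionist who opens five.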
7. Control print
Multi-function printers (MFPs) are typically unmonitored and therefore have high data leak potential. Requiring users to sign in before use can reduce this, as they will only have access to certain functions and documents. It also prevents sensitive documents from being left on the printer, as the document can only print once the user who sent it to the device signs in.
8. Secure back-ups
Backing up important information is a good policy, but businesses should remember that their backups can be vulnerable too. As with the original files, your backups should be encrypted, and the majority of backup software will have the functionality to do this.
9. Image text analysis
It is not only documents and text which need to be protected; images can be sensitive data in their own right as well. The prevalence of camera-enabled devices, like smartphones, in the workplace makes it very easy for employees to copy these images and take them away with them. Data leak prevention solutions have the ability to analyse text within images, preventing data exposure.
10. Educate users
Businesses will often assume their employees know what information is confidential and must not be shared, but data leaks are not always malicious and an employee may not even realise their behaviour is putting the company at risk.
Educating your users on the dangers of data leakage is a useful exercise and one which should be carried out on a regular basis to ensure everyone remains aware of the dangers and up-to-date on company policy. A good security policy should be well-defined and easy to understand; this will increase the adoption rate of the policy as employees will be clear on their role and accountability.
The future of data protection
An additional consideration for businesses is the EU General Data Protection Regulation (GDPR), which is coming into force in 2018. Although the UK has voted to leave the European Union (EU), the new regulations could potentially still apply to your company, and you should review your data protection policies and technology to ensure you are compliant.
The GDPR focuses more on what the data is about, not where the data lives. So even if your business operates outside of the EU, and doesn’t process or store any data on EU soil, the new regulations could still apply. If your business offers services to the EU market or holds data about EU individuals or data that could identify EU individuals, then you will need to ensure compliance.
When it comes to data your business should be proactive about its protection. Keep your security solutions and policies up to date, and don’t be afraid to reach out to your local regulatory body or a consultant for advice.