10 ways to protect sensitive business data
January 27th, 2017
In a modern business, communication and collaboration are becoming easier than ever. We can work remotely, we can access documents on our smartphones and check in with our colleagues whilst on the go.
While the increase in this type of working culture is positive, the rise of social media, instant messaging and email, along with the influx of portable devices and removable media into the office, means it’s easier than ever for data to leak out of your business.
Your data – be it financial, client, employees or intellectual property – is a valuable asset. So it’s only right that you protect it.
But with confidential data living on many devices (servers, databases, desktops, laptops, USB drives, mobiles), and moving through many channels, it’s difficult to know where to start. In this article we will outline some of the solutions available to help with the problem of data loss, and look at how you can begin your data leak prevention project.
What is data leak prevention (DLP)?
DLP is a strategy for making sure that sensitive information does not leave the corporate network. It describes any solution or process which identifies and tracks the journey of sensitive data, or which enforces policies to prevent unauthorised or accidental disclosure.
Many businesses decide to undertake a DLP project to protect their IP or client data. But the task’s complexity and the resources required to complete and maintain it often result in the project never reaching completion.
But with the number of Internet-connected devices skyrocketing, managing and protecting your confidential information is vital. And you will only be able to do this with a DLP strategy in place.
How can a data leak occur?
There are three categories of data leakage:
- In Transit – Data is intercepted whilst travelling, e.g. via email, webchat, web traffic etc.
- At Rest – Data is captured from areas such as file shares, databases, desktops or laptops.
- In Use – Data is captured from screenshots, clipboards, printers, USB drives and other removable storage.
As a business, you need to break down each category. Create a list of everywhere you store data and assign them to one of the three categories. Then classify the data in each location (e.g. level of sensitivity and risk) and write this down as well. Only when you understand what data you have and what risks you face, can you start to think about controls.
How can I keep my sensitive data secure?
1. Portable encryption
You should be encrypting any sensitive data which leaves your network. To do this, you need software systems in place since you cannot rely on employees alone. It only takes a lost USB stick, laptop or phone to deliver a severe blow to a business.
2. Endpoint protection
Data endpoints are the machines your employees use, e.g. desktops, laptops or mobiles. It’s on these devices that intellectual property and sensitive data reside or pass through.
Endpoint solutions allow administrators to control what devices are in use. They also let them see when they’ve been used, who by and the information which was accessed or downloaded.
Businesses should also have security policies in place governing the use of devices, since employees store sensitive information like emails or documents on their smartphones and tablets. Your security policy must cover areas like password complexity, downloads and screen locks.
3. Email content control
As users often send confidential information and documents via email, it has a high potential for a data leak. Using content filtering allows deep content inspection technology to scan for potential threats. Email text, images and attachments can all be scanned this way to flag up potential leaks.
Content filtering can also alert administrators to insider threats, informing them if users try to send restricted material outside the business.
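To make the content-inspection idea concrete, here is an added example (not code from the original article or from any DLP product it alludes to) of a minimal outbound-mail content filter. It assumes an internal domain of `example.com`, a policy that flags payment-card numbers and classification markings, and that attachment text has already been extracted; the sample message and attachment are constructed for the example. Messages addressed only to internal recipients are not scanned, which mirrors the "outside the business" condition above; the Luhn check keeps random digit runs such as order references from raising false alerts, and the card number is redacted in the finding so the alert itself does not leak it.

```python
import re
from dataclasses import dataclass

# Assumed company domain: mail to any other domain counts as leaving the business.
INTERNAL_DOMAIN = "example.com"

# Assumed policy patterns. The card pattern is deliberately loose; the Luhn check
# below removes most random digit runs that merely look like card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str       # which policy rule matched
    location: str   # "body" or the attachment filename
    snippet: str    # redacted evidence for the administrator's alert


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact(digits: str) -> str:
    """Keep first and last four digits so the alert is useful without repeating the leak."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def scan_text(text: str, location: str) -> list:
    """Apply every content rule to one piece of text (message body or attachment)."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("payment-card-number", location, _redact(digits)))
    for m in MARKING_RE.finditer(text):
        findings.append(Finding("classification-marking", location, m.group()))
    return findings


def is_external(recipient: str) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def inspect_message(recipients, body: str, attachments: dict) -> list:
    """Return findings for a message, but only if at least one recipient is external.

    attachments maps filename -> already-extracted text (assumption: extraction of
    PDFs, spreadsheets etc. happens upstream of this filter).
    """
    if not any(is_external(r) for r in recipients):
        return []
    findings = scan_text(body, "body")
    for name, text in attachments.items():
        findings.extend(scan_text(text, name))
    return findings


# Constructed sample message (not real data) for demonstration.
SAMPLE_BODY = ("Hi, the customer's card is 4111 1111 1111 1111, please process. "
               "Ref 1234 5678 1234 5678.")
SAMPLE_ATTACHMENTS = {"q4-forecast.txt": "CONFIDENTIAL - internal forecast, do not distribute."}

if __name__ == "__main__":
    for f in inspect_message(["partner@example.net"], SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"ALERT rule={f.rule} location={f.location} evidence={f.snippet}")
```

In a real deployment the same `scan_text` function would run inside the mail gateway's content-filter hook, and the rule set would be extended with the identifiers your own classification exercise (from the "How can a data leak occur?" section) turned up.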
4. Intelligent firewalls
Alongside email, IM and Internet use also present a risk to your data. Firewalls can protect individual computers and whole networks from security threats. But they can also take automatic action against potential data leaks, unauthorised access or malicious behaviour. This is achieved by notifying the administrator or by blocking the action.
5. Device control
It is now expected that employees will have a smartphone on them at work. For DLP, this means it’s much easier for employees to take away confidential data.
To limit this, you need to have security policies in place governing the use of devices. Your policy must cover things like password complexity, download and application guidelines, and screen timeouts. Without a policy like this, sensitive data will be at risk once it enters an employee’s device.
6. Assess security permissions
Many businesses give employees far more access than they need. Taking a Zero-Trust approach to access permissions helps address this. Zero trust means people only have access to what they will need on a day-to-day basis.
This approach allows you to limit the scale of leaks and prevents employees from accessing sensitive data. You should review your current security permissions and see who has access to what. Then create access policies that limit employees’ network privileges to only what they need for their job.
Your system should also issue alerts if employees act out of the ordinary, for instance if they start accessing large numbers of documents, or if a user tries to access restricted documents. These are often signs of a script running or a compromised account.
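The two alert conditions just described (bulk document access and access to restricted documents) can be checked from a file-access log. The following is an added example, not code from the article, written against a constructed log in the form `timestamp user action path`; the restricted path prefixes, the group membership table and the "10 opens in 5 minutes" baseline are assumptions you would replace with your own classification results and directory data. The bulk check uses a sliding window over each user's sorted timestamps so that a burst of opens is caught regardless of where it falls in the hour.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the page): "timestamp user action path".
# carol's 12 opens within a few seconds mimic a script; bob opens an HR file he has no business with.
SAMPLE_LOG = [
    "2017-01-27T09:01:12 alice open /shared/agenda.docx",
    "2017-01-27T09:03:40 bob open /shared/agenda.docx",
    "2017-01-27T09:05:02 bob open /hr/salaries-2016.xlsx",
    "2017-01-27T09:06:30 dan open /hr/salaries-2016.xlsx",
] + [f"2017-01-27T10:15:{i:02d} carol open /clients/acme/doc{i}.pdf" for i in range(12)]

# Assumed access policy: restricted path prefix -> groups allowed to open it.
RESTRICTED = {"/hr/": {"hr"}}
# Assumed group membership, as it would come from the directory.
USER_GROUPS = {"alice": {"sales"}, "bob": {"sales"}, "carol": {"sales"}, "dan": {"hr"}}

# Assumed baseline: BULK_THRESHOLD or more opens inside BULK_WINDOW is unusual for a person.
BULK_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 10


def parse_line(line: str):
    """Split one log line into (datetime, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def restricted_access_alerts(events):
    """Alert on any open of a restricted path by a user outside the allowed groups."""
    alerts = []
    for ts, user, _, path in events:
        for prefix, allowed in RESTRICTED.items():
            if path.startswith(prefix) and not (USER_GROUPS.get(user, set()) & allowed):
                alerts.append(("restricted_access", user, f"{path} at {ts.isoformat()}"))
    return alerts


def bulk_access_alerts(events):
    """Alert once per user whose opens inside any BULK_WINDOW reach BULK_THRESHOLD."""
    times = defaultdict(list)
    for ts, user, _, _ in events:
        times[user].append(ts)
    alerts = []
    for user, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most BULK_WINDOW.
            while stamps[end] - stamps[start] > BULK_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BULK_THRESHOLD:
                alerts.append(("bulk_access", user, f"{count} opens within {BULK_WINDOW}"))
                break
    return alerts


def detect(lines):
    """Run both detections over raw log lines and return (kind, user, detail) tuples."""
    events = [parse_line(line) for line in lines]
    return restricted_access_alerts(events) + bulk_access_alerts(events)


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind} user={user} {detail}")
```

Note that dan's open of the same HR file raises nothing because his group is on the allowed list: the point of the restricted check is to compare each access against the permissions you settled on when reviewing who should have access to what.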
7. Control print
Multi-function printers (MFPs) are typically unmonitored and so have high data leak potential. Requiring users to sign in before use can reduce this, as they will only have access to certain functions. This also prevents leaving documents on the printer, since the document only prints once the user signs in.
8. Secure back-ups
Backing up important information is a fundamental part of business. But backups can be vulnerable too and are often troves of sensitive data.
As with the original files, you should encrypt your backups. It’s also important to ensure backup servers are not publicly visible, such as through the Internet. This makes it harder for attackers to gain illicit access.
9. Image text analysis
It’s not only documents and text which you need to protect; images can be sensitive data as well. The prevalence of camera-enabled devices, like smartphones, in the workplace has made copying images simple. DLP solutions have the ability to analyse text within images, preventing data exposure.
10. Educate users
Businesses often assume their employees know what information is confidential and what can’t be shared. But data leaks aren’t always malicious and an employee may not even realise their behaviour is putting the company at risk.
It’s useful to educate your users on the dangers of data leakage. You should include it as part of your onboarding process at a minimum, and you should carry out sessions on a regular basis to ensure everyone is aware of the dangers and up-to-date on company policy.
A good security policy will be well-defined and easy to understand. Without this, people won’t adopt it, since accountability and employees’ roles will not be clear.
The GDPR and data protection
A further consideration is the EU General Data Protection Regulation (GDPR). Although the UK has voted to leave the EU, the new regulation may still apply to your company. So you should review your data protection policies and technology to ensure you are compliant.
The GDPR focuses more on what the data is about, not where the data lives. So even if you operate outside of the EU, the new regulations could still apply: if your business offers services to the EU market or holds data about EU citizens, you will need to be compliant.
When it comes to data, your business should be proactive about its protection. Keep your security solutions up to date, and don’t be afraid to reach out to a consultant for advice.