10 ways to protect sensitive business data
27 January 2017
In a modern business, communication and collaboration are becoming easier than ever. We can work remotely, we can access documents on our smartphones and check in with our colleagues via Skype whilst on the go. While the increase in this type of working culture is positive, the rise of social media, instant messaging and email – along with the influx of portable devices (smartphones, tablets etc.) and removable media into the office space – means it’s becoming easier than ever for data to leak out of a business.
Your data – be it financial, client, employee or intellectual property – is a highly valuable asset and it is critical that you protect it. However, since confidential data can reside on a number of computing devices (servers, databases, desktops, laptops, USB drives, mobiles), and often moves through a number of access points, it can be difficult to know where to start. In this blog we will outline some of the solutions available to help with the problem of data loss, and how you can begin your data leak prevention project.
What is data leak prevention (DLP)?
DLP is a strategy for making sure that sensitive or critical information is not shared outside of the corporate network. It typically describes any solution or process which identifies and tracks the journey of sensitive data around the enterprise, and enforces policies to prevent unauthorised or accidental disclosure.
Many firms decide to undertake a DLP project to protect their IP or client data, but the complexity of the task, and the resources required to complete and maintain it, often mean the project does not reach completion.
However, as the number of Internet-connected devices continues to skyrocket, it is critical that your business can manage and protect confidential information – and you will only be able to do this with a DLP strategy in place.
How can a data leak occur?
There are usually three categories of data leakage:
- In Transit – Data is intercepted whilst travelling, e.g. via email, web chat, web traffic etc.
- At Rest – Data is captured from areas such as file shares, databases, desktops or laptops
- In Use – Data is captured from screenshots, clipboards, printers, USB disks and other removable media etc.
As a business, you should break down each category, along with the classification of the information and data (e.g. level of sensitivity and risk). Only when you understand what data you have and what risks you face can you start to think about controls. The controls vary significantly by sector, but there are a number of solutions you can implement to secure your information.
How can I keep my sensitive data secure?
1. Portable encryption
You should encrypt any sensitive data which leaves the secure confines of your firm’s network. You will need software systems to control this as typically you cannot rely on employees to do it. It only takes a lost USB stick, laptop or phone to deliver a severe blow to a business.
2. Endpoint protection
The data endpoint is typically a computing device, e.g. desktop, laptop or mobile. It’s on these devices that intellectual property (IP) and other confidential data reside or pass through. Endpoint solutions allow administrators control over which devices are in use, when they have been used, who by and what information has been accessed or downloaded.
Businesses should also have effective security policies in place governing the use of these devices. As many employees will store their email and other documents on their smartphones and tablets, your security policy should cover things such as password complexity, downloads and automatic locking of the device.
3. Email content control
As users often send confidential information and documents via email, it has a high potential for data leaks. Content filtering uses deep content inspection technology to scan email text, images and attachments, to flag up potential threats. It can also alert administrators if a user tries to send sensitive or restricted material.
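The content inspection described above, as an added example that is not from the original article: it walks the body and text attachments of an outgoing message and flags classification markers and Luhn-valid card numbers. The marker list, the card-number rule and the sample message are assumptions constructed for illustration; image analysis is not covered.

```python
import re
from email.message import EmailMessage

MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")      # assumed classification labels
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate payment card numbers

def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return the list of policy findings for one block of text."""
    findings = [f"marker:{m}" for m in MARKERS if m in text.upper()]
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            findings.append("card-number")
    return findings

def inspect_message(msg):
    """Scan the body and every text attachment; return {part name: findings}."""
    report = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue            # containers and binary parts are not handled here
        hits = scan_text(part.get_content())
        if hits:
            report[part.get_filename() or "body"] = hits
    return report

def sample_message():
    """Constructed outgoing message with a CSV attachment (test card number)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "user@example.com", "partner@example.net"
    msg["Subject"] = "Q4 figures"
    msg.set_content("Hi, the figures are attached as discussed.")
    msg.add_attachment("CONFIDENTIAL\ncard,amount\n4111 1111 1111 1111,120.00\n",
                       subtype="csv", filename="export.csv")
    return msg

if __name__ == "__main__":
    for name, hits in inspect_message(sample_message()).items():
        print(f"ALERT {name}: {', '.join(hits)}")
```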
4. Intelligent firewalls
Along with email, IM and internet use also present a risk to your data. Firewalls can protect individual computers and whole networks from security threats and can take automatic action against potential data leaks, unauthorised access or malicious behaviour by either notifying the administrator or by blocking the action.
5. Device control
With portable devices and removable media becoming more common it’s getting easier for employees to take away confidential data. While endpoint solutions will increase your levels of protection, you should also have security policies which govern the use of devices. Your policy should cover things like password complexity, download and application guidelines, and automatic locking of inactive devices.
6. Evaluate security permissions
Many businesses give employees far more access than they really need. Review your current security permissions, and create new access policies that limit employees’ network privileges so they can only access what they really need for their job. Your system should also issue alerts if employees suddenly start accessing large numbers of documents – above what they would usually work with on a day-to-day basis – or if a user continually tries to access restricted documents.
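The two alerts described above, as an added example that is not from the original article: one fires when a user opens far more documents in a day than their own baseline, the other when a user is repeatedly denied access. The event format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample():
    """Constructed audit events: (date, user, document, result)."""
    events = []
    for day in ("2017-01-23", "2017-01-24", "2017-01-25"):
        events += [(day, "alice", f"doc-{i}", "ALLOW") for i in range(5)]
        events += [(day, "bob", f"doc-{i}", "ALLOW") for i in range(4)]
    events += [("2017-01-26", "alice", f"doc-{i}", "ALLOW") for i in range(60)]
    events += [("2017-01-26", "bob", f"doc-{i}", "ALLOW") for i in range(5)]
    events += [("2017-01-26", "bob", "hr-payroll", "DENY")] * 4
    return events

def detect(events, today, factor=3, min_docs=20, max_denied=3):
    """Return alerts for `today` as (user, kind, count) tuples.

    volume: distinct documents opened today exceed `factor` times the user's
            median on earlier days, and at least `min_docs` in absolute terms.
    denied: at least `max_denied` refused access attempts today.
    """
    docs = defaultdict(lambda: defaultdict(set))   # user -> day -> documents
    denied = Counter()
    for day, user, doc, result in events:
        if result == "ALLOW":
            docs[user][day].add(doc)
        elif day == today:
            denied[user] += 1

    alerts = []
    for user in sorted(set(docs) | set(denied)):
        # ISO dates compare correctly as strings
        history = [len(d) for day, d in docs[user].items() if day < today]
        baseline = median(history) if history else 0
        count = len(docs[user].get(today, ()))
        if count >= min_docs and count > factor * baseline:
            alerts.append((user, "volume", count))
        if denied[user] >= max_denied:
            alerts.append((user, "denied", denied[user]))
    return alerts

if __name__ == "__main__":
    for user, kind, count in detect(build_sample(), "2017-01-26"):
        print(f"ALERT {kind}: {user} ({count})")
```

The absolute floor (`min_docs`) keeps users with a very small baseline from alerting on ordinary variation.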
7. Control print
Multi-function printers (MFPs) are typically unmonitored and therefore have high data leak potential. Requiring users to sign in before use can reduce this, as they will only have access to certain functions. It also prevents documents from being left on the printer, as the document only prints once the user signs in.
8. Secure back-ups
Backing up important information is a good policy, but businesses should remember that their backups can be vulnerable too. As with the original files, your backups should be encrypted. The majority of backup software will have the functionality to do this.
9. Image text analysis
It is not only documents and text which you need to protect; images can be sensitive data as well. The prevalence of camera-enabled devices, like smartphones, in the workplace makes it easy for employees to copy images and take them away. Data leak prevention solutions have the ability to analyse text within images, preventing data exposure.
10. Educate users
Businesses often assume their employees know what information is confidential and what they must not share, but data leaks are not always malicious and an employee may not even realise their behaviour is putting the company at risk.
It is useful to educate your users on the dangers of data leakage and you should carry out sessions on a regular basis to ensure everyone is aware of the dangers and up-to-date on company policy. A good security policy should be well-defined and easy to understand. This will increase the adoption rate of the policy, as employees will be clear on their role and accountability.
The future of data protection
An additional consideration is the EU General Data Protection Regulation (GDPR), which will come into force in 2018. Although the UK has voted to leave the European Union (EU), the new regulation may still apply to your company. So you should review your data protection policies and technology to ensure you are compliant.
The GDPR focuses more on what the data is about, not where the data lives. So even if you operate outside of the EU, and don’t process or store any data on EU soil, the new regulations could still apply. If your business offers services to the EU market or holds data about EU individuals or data that could identify EU individuals, then you will need to ensure compliance.
When it comes to data your business should be proactive about its protection. Keep your security solutions up to date, and don’t be afraid to reach out to a consultant for advice.