10 ways to protect sensitive business data
January 27th, 2020
In a modern business, communication and collaboration are becoming easier than ever. We can work remotely, we can access documents on our smartphones and check in with our colleagues whilst on the go.
While the increase in this type of working culture is positive. The rise of social media, instant messaging and email – along with the influx of portable devices and removable media into the office space means it’s easier than ever for data to leak out of your business.
Your data – be it financial, client, employees or intellectual property – is a valuable asset. So it’s only right that you protect it.
But with confidential data living on many devices (servers, databases, desktops, laptops, USB drives, mobiles), and moving through many channels, it’s difficult to know where to start. In this article we will outline some of the solutions available to help with the problem of data loss. And look at how you can begin your data leak prevention project.
What is data leak prevention (DLP)?
DLP is a strategy for making sure that sensitive information does not leave the corporate network. It describes any solution or process which identifies and tracks the journey of sensitive data. Or that enforces policies to prevent unauthorised or accidental disclosure.
Many businesses decide to undertake a DLP project to protect their IP or client data. But the task’s complexity and the resources required to complete and maintain it often results in the project never reaching completion.
But with the number of Internet-connected devices skyrocketing and remote or flexible working being so huge since the Covid-19 pandemic, managing and protecting your confidential information is vital. And you will only be able to do this with a DLP strategy in place.
How can a data leak occur?
There are three categories of data leakage:
- In Transit – Data is intercepted whilst travelling, e.g. via email, webchat, web traffic etc.
- At Rest – Data is captured from areas such as file shares, databases, desktops or laptops
- In Use – Data is captured from screenshots, clipboards, printers, USB drives and other removable storage.
As a business, you need to break down each category. Create a list of everywhere you store data and assign them to one of the three categories. Then classify the data in each location (e.g. level of sensitivity and risk) and write this down as well. Only when you understand what data you have and what risks you face, can you start to think about controls.
How can I keep my sensitive data secure?
1. Portable encryption
You should be encrypting any sensitive data which leaves your network. To do this, you need software systems in place since you cannot rely on employees alone. It only takes a lost USB stick, laptop or phone to deliver a severe blow to a business.
2. Endpoint protection
Data endpoints are the machines your employees use, e.g. desktops, laptops or mobiles. It’s on these devices that intellectual property and sensitive data resides or passes through.
Endpoint solutions allow administrators to control what devices are in use. They also let them see when they’ve been used, who by and the information which was accessed or downloaded.
Businesses should also have security policies in place governing the use of devices. Since employees store sensitive information like emails or documents on their smartphones and tablets. Your security policy must cover areas like password complexity, downloads and screen locks.
3. Email content control
As users often send confidential information and documents via email, it has a high potential for a data leak. Using content filtering allows deep content inspection technology to scan for potential threats. Email text, images and attachments can all be scanned this way to flag up potential leaks.
Content filtering can also alert administrators of insider threats. Informing them if users try to send restricted material outside the business.
4. Intelligent firewalls
Alongside email, IM and Internet use also present a risk to your data. Firewalls can protect individual computers and whole networks from security threats. But they can also take automatic action against potential data leaks, unauthorised access or malicious behaviour. This is achieved by notifying the administrator or by blocking the action.
5. Device control
It is now expected that employees will have a smartphone on them at work. For DLP, this means it’s much easier for employees to take away confidential data.
To limit this, you need to have security policies in place governing the use of devices. Your policy must cover things like password complexity, download and application guidelines, and screen timeouts. Without a policy like this, sensitive data will be at risk once it enters an employee’s device.
6. Assess security permissions
Many businesses give employees far more access than they need. Taking a Zero-Trust approach to access permissions helps address this. Zero trust means people only have access to what they will need on a day-to-day basis.
This approach allows you to limit the scale of leaks and prevents employees from accessing sensitive data. You should review your current security permissions and see who has access to what. Then create access policies that limit employees’ network privileges to only what they need for their job.
Your system should also issue alerts if employees act out of the ordinary. For instance, if they start accessing large numbers of documents. Or if a user tries to access restricted documents. These are often signs of a script running or a compromised account.
7. Control print
Multi-function printers (MFPs) are typically unmonitored and so have high data leak potential. Requiring users to sign in before use can reduce this, as they will only have access to certain functions. This also prevents leaving documents on the printer, since the document only prints once the user signs in.
8. Secure back-ups
Backing up important information is a fundamental part of business. But backups can be vulnerable too and are often troves of sensitive data.
As with the original files, your should encrypt your backups. It’s also important to ensure backup servers are not publicly visible such as through the Internet. This makes it harder for attackers to attempt to gain illicit access.
9. Image text analysis
It’s not only documents and text which you need to protect, images can be sensitive data as well. The prevalence of camera-enabled devices, like smartphones, in the workplace has made copying images simple. DLP solutions have the ability to analyse text within images, preventing data exposure.
10. Educate users
Businesses often assume their employees know what information is confidential and what can’t be shared. But data leaks aren’t always malicious and an employee may not even realise their behaviour is putting the company at risk.
It’s useful to educate your users on the dangers of data leakage. You should include it as part of your onboarding process at a minimum. And should carry out sessions on a regular basis to ensure everyone is aware of the dangers and up-to-date on company policy.
A good security policy will be well-defined and easy to understand. Without this, people won’t adopt it since accountability and employee’s roles will not be clear.
The GDPR and data protection
A further consideration is the EU General Data Protection Regulation (GDPR). Although the UK has voted to leave the EU, the new regulation may still apply to your company. So you should review your data protection policies and technology to ensure you are compliant.
The GDPR focuses more on what the data is about, not where the data lives. So even if you operate outside of the EU, the new regulations could still apply. GDPR rules that if your business offers services to the EU market or holds data about EU citizens. You will need to be compliant.
When it comes to data, your business should be proactive about its protection. Keep your security solutions up to date, and don’t be afraid to reach out to a consultant for advice.
What can business leaders learn from a cybersecurity breach?
As attacks against IT infrastructure are typically all about the money, they are increasing in frequency and sophistication. It’s, at best, embarrassing to have a breach, but at worse it can destroy a business. As with business continuity, a significant percentage of business leaders do not take cyber-security seriously until they get burnt. It can be difficult […]
How to reduce risk by aligning business strategy and IT strategy
On the ‘business’ side you have the long term business strategy and plans or business requirements. On the other side lies the IT function. This visible gap is where misalignment begins, but it’s often compounded by the negative preconceptions each side holds of the other. What business executives think of the IT department What IT […]
How to create an email retention policy
Email retention policies are all about decreasing the risk to your company. But for a truly successful policy, you need to strike the balance between a retention period which is too long and keeps useless mail around and one which is too short and loses mail that was important. Your policy needs to take into […]