Data loss deluge during downturn
Overtis Systems, a provider of insider threat management solutions, warns organisations to prepare themselves for a data loss deluge during the economic downturn
Citing an increase in transient staff, higher staff turnover and a growing black market hungry for information, Overtis Systems is urging UK organisations to update their data access procedures to counter these threats with a Ten Point Plan.
Several drivers are responsible for the increase in data leakage over the past year. There has been a surge in the use of casual staff, with companies using more contractors and outsourcing core operations. This in turn has lead to greater fluidity of data and a heightened risk of security compromise. Meanwhile, temporary and permanent members of staff, uncertain of the future, are purloining data to further their own careers, often without realising their actions are detrimental to the company. Others, concerned about their own finances, are selling sensitive information to a burgeoning black market. And an increase in redundancies is also causing problems, with dismissed members of staff more likely to steal data either for their own ends or to cause their former employer operational problems.
Overtis is not alone in recognising the increased threat. A recent report from KPMG showed higher losses from August to November 2008 than the previous eight months and KPMG predicts a rise in data loss incidents during 2009 which will see figures double those of 2008. In effect, anyone with access to internal systems, organisational structure, processes and procedures or with trusted access to systems and networks now poses a threat and unless radical steps are taken, intellectual property will continue to be misappropriated at an alarming rate, share prices will suffer and economic confidence will be further eroded.
Overtis recommends organisations adopt the following Ten Point Plan to prevent data leakage:
1. Implement a strong employee joining and exit process – email and network access needs to be revoked quickly and mobile devices recovered when an employee leaves. New members of staff need only be given access to the resources they need to perform their role.
2. Educate staff – ensure data is only accessible to staff on a need-to-know basis or push data to relevant individuals
3. Avoid remedial action – Don't seek to address a security breach with a point security product but take a systematic approach to the whole enterprise. Controls need to be in place between the user and the data not on the network or gateway.
4. Identify assets and information flows – Address potential pain points by mapping all of the intellectual property you have and modes of access.
5. Restrict the manipulation of data – Plan who needs access and whether they have the authorisation to print, change or export data over email, IM or to removable devices. It's also now possible to apply restrictions to specific content within a document or by time and location.
6. Watch the gatekeepers – System administrators and privileged users should be subject to the same change management and critical server file integrity checks.
7. Don't overlook the obvious – Do put in place procedures to prevent the export of data to USB sticks, MP3 players etc. Do scan outgoing email for confidential attachments. Do restrict copy and paste over Instant Messenger and other social networking media.
8. Use encryption – Where you do permit data export to mobile devices and removable media, ensure it is encrypted.
9. Use two-factor authentication – Don't rely on passwords; they are often written down and are relatively simple to crack. Always combine a password with a secondary method of authentication. Sophisticated systems such as finger vein readers are simple and cannot be easily subverted.
10. Combine your security arsenal – While many organisations have biometric access systems, CCTV and even RFID, few have taken the logical step of joining these together with the IT security system. Integrating the physical with the virtual can provide the requisite evidence of a data breach, for example marrying a screenshot of a file being exported with CCTV footage of the perpetrator. Evidence can also be used to enhance staff productivity, by illuminating how data is used.
"Businesses are surfing ahead of a wave of data loss," said Jeremy Barker, Executive Director, Overtis Systems. "Those that don't use the right balance of policy, process, technology, and user education will get wet. Data breaches often hit hard, with company share prices nose-diving for at least 18 months. If we act now, organisations can stem the tide and reap additional benefits, improving their understanding of how data is used. By adopting our advice, companies can mitigate data loss and enhance the user experience, increasing productivity and efficiency; no mean feat in today's economic climate."
About Overtis Systems
Overtis Systems is the information security division of Overtis Group Limited specialising in the provision of advanced integrated physical and logical security solutions for the protection of high value physical, human and information assets. Its unique VigilancePro™ information security software solution delivers comprehensive insider threat management, including data loss prevention.
For more information please contact Sarah Marsh, Kudos PR, Tel: +44 (0)2392 00 65 10 or email sarah.marsh@kudospr.com
