The internal threat - ten sure ways to lose your data

Seven Days Technology offers insight into how to secure the 'threat from within'.

By Sean Glansbeek
Johannesburg, 07 Jan 2009

An organisation's most vital assets are its databases. They contain financial information, customer and employee data and intellectual property. If this data is exposed, the potential for damage can be enormous. However, while millions of rands have been spent strengthening defences against external threats, there is little acknowledgment of the very real threat from within. Increased awareness of common weaknesses or loopholes in organisational security policies and practices can help to mitigate this risk.

Says Sean Glansbeek, MD of Seven Days Technology (7DaysTech), a mobile application and data security solution provider: "There are ten sure ways to lose your data to internal threats and the majority of these are the result of weak internal policies. These can be quickly and easily exploited for financial gain or retribution by a disgruntled employee. Such weaknesses can also exponentially escalate the damage that can be done out of pure ignorance and/or incompetence.

"These weaknesses primarily relate to access. At the heart of any effective data security solution there needs to be a surefire way of knowing who is accessing corporate data, when and for what purpose. While various employees need to have access to corporate data in the normal course of their duties, the question you need to ask yourself is: would you even know if an employee, or ex-employee for that matter, walked away with a sizable portion of your most sensitive information?

"They could store it on any number of media types, e-mail it, print it or even upload your entire database to an external system, such as Yahoo, Hotmail or a hosted document storage and management solution. Common sense security guidelines based on typical situations that occur within organisations need to be applied if you are to mitigate this very real risk."

7DaysTech points to the fact that there is little that can be done technologically to protect an organisation against opportunistic access to data by unauthorised individuals, e.g. data viewed over the shoulder of an employee using a laptop or other device in a public place, or unauthorised access gained when passwords are shared or left exposed. Much care thus needs to be applied in assigning access rights to sensitive information.

"There is, for example, no viable reason for all employees and departments to be able to access all company information or do the same things with it," says Glansbeek. "Access must be restricted to just the records that are needed to perform the task, with control over which bits of each record can be viewed, combined with limiting what can be done with the record.

"Off-site access to records should also be restricted. It is, furthermore, becoming increasingly critical that organisations be able to detect devices trying to connect to the enterprise and sync up with corporate data. Additionally, making electronic copies of these records should be restricted and, if it is necessary, data should be force encrypted with a solution that does not impede the system, regardless of the device it is stored to, to ensure the integrity of the data is protected once away from the safe corporate environment.

"By the same token, if an employee does not need to print a copy of the data then they should not be able to do so and, if they do, this should be regulated so that there can be no genuine reason for complete records to be printed.

"Another seemingly obvious precaution is to protect data from alteration or worse, deletion, by disgruntled or incompetent staff."

7DaysTech provides some practical advice on how to mitigate these risks:

Ten ways to limit data loss

* Restrict access to only those employees who need it and limit what they can see and do with the records.

* Appropriately monitor employees' behaviour, ideally setting control mechanisms to flag any significant deviations from the norm.

* Employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data; force encrypt information when it is removed, legitimately or illegitimately, from the safe environment of the corporate network.

* Do not make unnecessary hardcopies of records or leave them unsecured.

* Educate the mobile workforce to the risks posed by their activities and the devices that they use.

* When an employee leaves, ensure all access rights are revoked immediately.

* Never leave a written record of passwords.

* Perform background checks on new employees, including contractors and any periodic workers.

* Never leave data security up to the end-user. It is imperative that this is controlled and managed centrally; this can also reduce total cost of ownership as machines don't need to be locked down or brought in to the office to be updated.

* Corporate governance requires companies to have security and to be able to prove it. Make sure a combined data security strategy which includes data encryption, data leakage prevention, device management and port control is in place.

Seven Days Technologies

Seven Days Technologies (7DaysTech) is a mobile application and security provider. It custom develops mobile solutions for the enterprise, creates innovative solutions for the broader business market, which it delivers through local and international channels, and leverages best of breed technology to support its clients. Its solutions include Data Security (Data Encryption and Data Leakage Prevention), Mobile Middleware Software, Mobile Business Applications and Professional Services. 7DaysTech is the South African distributor of Credant, Dexterra and Vontu solutions. For more information, visit www.7daystech.co.za

Editorial contacts

Sean Glansbeek
7 Days Technologies
(011) 807 2480
seang@7daystech.com