Companies must beware of internal data theft

Johannesburg, 08 Mar 2007

In today's technology-driven world where most data and company information is stored electronically, companies must beware of internal data theft.

It is no longer acceptable for companies to think of information security as the sole responsibility of the IT department. This is the view of J2 Software managing director John Mc Loughlin.

He says it is the duty of each organisation to protect its information, including company trade secrets, personal customer information, sales data and channel strategies.

"It seems that every day we hear of one or other corporate conspiracy and there are ever-growing numbers of stories of companies losing sensitive corporate information because of their trusted users; no longer only through external criminals.

"There are also an ever-growing number of cases where sensitive or confidential company or customer information is leaked to competitors or fraudsters looking to turn a quick buck. These breaches are often discovered long after the event once the damage has already been done," he explains.

"Just how much of your company data are you willing to lose?" he asks. "It is abundantly clear that today there is a growing need to protect company information, and to know what is really transpiring on the corporate network. Company directors and CEOs can now be held personally responsible for losses of intellectual property and customer information. The directors of organisations have a duty to protect their information assets; a duty towards their staff, customers and shareholders."

It is nearly impossible to monitor all the data activity via pure human supervision. There is therefore an absolute need for automated data management solutions considering that there are such massive volumes of data now being stored and transmitted. Without the right tools it is impossible to get an accurate overview.

"You can then add to this the growing list of local and international statutory compliance regulations which must be adhered to and followed. Today, it seems that modern day executives have far more to plan for, even before they get down to doing business," says Mc Loughlin.

Recently it was reported that Nationwide Building Society, a UK financial services provider, was fined $1.9 million after a laptop containing sensitive customer data was stolen from an employee. The Financial Services Authority (FSA) fined Nationwide following an investigation into the theft which occurred at the employee's house. According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks.

"How long before these rulings are commonplace in South Africa? Today, not only the company can be held liable for losses due to breaches in information security, but the company's directors can also be held personally liable if the correct information security procedures are not implemented."

Mc Loughlin says this responsibility should be seen as a strategic decision, not purely an IT-related issue. "The modern organisation must be well equipped and do everything it can to protect its corporate information. In order to cover all these areas, an organisation must ensure it is protected from external and internal data security threats."

These would include the obvious viruses and external hackers, as well as the internal user threat. As much as 80% of information security breaches come from the trusted internal user. With this in mind, it is imperative that organisations know exactly who has access to what corporate data.

Until recently, the primary focus was on inbound threats where all effort was spent on the need to keep the information technology environment secure from external threats. To this end, major technology solutions have emerged that focus on preventing intruders and hackers from accessing an organisation's IT network and resources.

With the advent of mobile technologies and removable devices, it has become extremely easy to move data out from within the previously assumed secure confines of an organisation. Mobile phones, USB thumb drives, DVD/CD drives and Disk on Key devices are freely available at affordable prices, making it easy for individuals to copy, store and remove sensitive information without arousing suspicion of theft.

The emergence of the Internet as a powerful medium for communication has given rise to numerous Web-based e-mail services that provide huge mailbox storage capabilities, allowing individuals to e-mail out large extracts of sensitive data and bypass the organisation's secure e-mail systems.

Unfortunately, organisations only realise this after a breach has occurred and by then it is too late.

To know whether one's organisation has all aspects covered, one can answer these questions (one should be able to answer these in seconds, rather than weeks or months):

1. Do you know exactly who is accessing sensitive data?
2. What are they doing with it?
3. Where are they moving or copying the data?
4. Are your corporate secrets secure?
5. Are your users sending sensitive data outside of the organisation?
6. Do you know what the users are really doing?
7. Are your users wasting valuable time and bandwidth on non-work-related activities?
8. Are you convinced that company intellectual property is not being stolen?
9. Is your data being stolen?

Fortunately, with 'new' threats come 'new' ways to manage them. In order to retain competitive advantages, aid governance requirements and restrict the leakage of sensitive data and information to outside the organisation, the modern organisation must look to implement a state-of-the-art information leakage detection and prevention solution.

This solution must provide a practical approach to solving this business dilemma, one which minimises the effort involved in securing and monitoring the access, use and user activity in terms of the organisation's information. This solution will protect enterprises from "the enemy within", by allowing organisations to monitor, restrict and control the activities of individuals or groups of users, thereby easily enforcing information security policies across the enterprise.

Mc Loughlin says this should also provide the ability to view, record and restrict activities, including Internet, e-mail, instant messaging and application-specific activities. "One has to ensure the solution provides detailed user activity logs, which can be seen in a simple-to-read manner.

"The modern solution cannot be a simple monitoring product which only provides a report reactively once a security breach has occurred; you must ensure the solution chosen also provides proactive security features. This proactive functionality prevents policy breaches before they occur by continually and automatically screening all activity, and can be configured to prevent inappropriate activities or lock users' PCs when the company's policy has been broken.

"Because this is a strategic decision, one must ensure that all management, not only IT specialists, can use the security solution to get meaningful business information. While the modern business executive has so much more to cover than ever before, there are ways and means to cover these information security holes in a simple, yet effective manner," he concludes.

J2 Software

J2 Software, a local data security solutions provider and distributor of T3 Security Suite and SystemSkan products, provides easy to manage, easy to implement and easy to use data security solutions. The company offers solutions for everyone, from single-users up to large corporations.

J2 Software came into existence because of the increasing demand for data protection products that are effective, simple to deploy and easy to use.

J2 Software provides effective and easy to manage data security solutions. We offer you complete peace of mind through the cost-effective delivery of world beating data security, encryption and protection tools. We also offer you the ability to effectively implement and monitor your internal corporate IT policy.

With the continued increase in identity theft and confidential data leakage, the need for our products is not only an advantage, but an absolute necessity.

Editorial contacts

Ivor van Rensburg
IT Public Relations
(082) 652 8050
ivor@itpr.co.za

John Mc Loughlin
J2 Software
(011) 794 8301
john@jtwo.co.za