It has been proven to be relatively easy to bribe someone on the inside – or even plant a rogue employee in the organization — to gain access to sensitive data — but even if we leave this well-documented risk aside, how often has someone left your organization taking company stationery with them? Do you know what else has been taken? Could they have sneaked out with sensitive material? What about a copy of the entire corporate database? Would you even know if they had?
I’ve worked with ERP (large-scale accounting suites) for over 10 years. There are more ways than this describes to lose data – and some of them are not addressed in this article.
1. Restrict data access to only those employees who need it and limit what they can see, and what they can do, with the records.
>> This is typically done for both sales and finance systems. However, you have to keep in mind that most systems are actually very “helpful” and provide a number of ways that the end user can extract the data to Excel, reports, etc. If a user can see data, they probably have a friendly programmatic way to extract it to Excel/html/pdf/filetype and send it to their personal account.
2. Appropriately monitor employees’ behaviour, ideally setting control mechanisms to flag any significant deviations from the norm.
>> Within the financial world there is a concept of “Segregation of duties”. This really means that the A/P person can’t create cheques that are cashable; another party has to confirm them. Outside of these formal mechanisms I have yet to see any reasonably good software or manual practice (monitoring) that detects deviations from the norm.
3. Employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data and force-encrypt information when it is removed, legitimately or illegitimately, from the safe environment of the corporate network.
>> I can imagine the administration of this solution. “Jimmy in R&D can use USB drives, but Bob can’t”. Did I mention adding software to all connected devices to decrypt the data? Fun stuff!
4. Do not make unnecessary hard copies of records or leave them unsecured.
>> Achievable. Particularly with backups (tape, etc.)
5. Educate the mobile workforce to the risks posed by their activities and the devices that they use.
>> Education does not equal compliance. The majority of the users will ignore these instructions unless they are actually enforced systematically.
6. When an employee leaves, ensure all access rights are revoked immediately.
>> Standard practice and it will work.
7. Never leave a written record of passwords.
>> Standard practice and it will work.
8. Perform background checks on new employees, including contractors and any periodic workers. It may be prudent for these checks to be conducted at regular intervals to ensure that nothing has changed, as is the case for those working with children via the criminal records bureau.
>> I’ve never been in a position to do this, perhaps that would work. How do you sample, which groups do you suspect? Those with access to customer data – that includes a lot of people.
9. Never leave data security up to the end user. It is imperative that this is controlled and managed centrally – which can also reduce TCO (total cost of ownership) as machines don’t need to be locked down or brought in to the office to update them.
>> Standard practice and it will work.
10. Corporate governance – especially with the arrival of rules such as PCI DSS and the Companies Act – requires you now to have security and to be able to prove it. Use a solution that includes a central management console – that way every endpoint is protected and can be tracked.
>> Good idea. Haven’t seen anyone do it.
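The “segregation of duties” control from point 2 above, as an added example (not code from the article or from the commenter): a cheque becomes cashable only when a second, different person approves it, and every attempt, including rejected ones, lands in an audit log that a monitoring process could read. Names, amounts and class names are constructed for illustration.

```python
# Added example (not from the article or the thread): a minimal
# segregation-of-duties check for accounts-payable cheques.
from dataclasses import dataclass, field
from typing import Optional


class SegregationError(Exception):
    """Raised when one person tries to both create and approve a cheque."""


@dataclass
class Cheque:
    cheque_id: int
    payee: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None

    @property
    def cashable(self) -> bool:
        # A cheque is only cashable once a distinct second person approved it.
        return self.approved_by is not None


@dataclass
class ChequeRegister:
    cheques: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # (action, who, cheque_id)
    next_id: int = 1

    def create(self, clerk: str, payee: str, amount: float) -> Cheque:
        cheque = Cheque(self.next_id, payee, amount, created_by=clerk)
        self.cheques[cheque.cheque_id] = cheque
        self.next_id += 1
        self.audit_log.append(("create", clerk, cheque.cheque_id))
        return cheque

    def approve(self, approver: str, cheque_id: int) -> Cheque:
        cheque = self.cheques[cheque_id]
        # The control itself: the creator may never approve the same cheque.
        if approver == cheque.created_by:
            self.audit_log.append(("rejected", approver, cheque_id))
            raise SegregationError(
                f"{approver} created cheque {cheque_id} and cannot approve it"
            )
        cheque.approved_by = approver
        self.audit_log.append(("approve", approver, cheque_id))
        return cheque
```

A “rejected” entry in the audit log is exactly the kind of deviation from the norm the commenter says is rarely monitored; alerting on repeated rejections for one user is a cheap place to start.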
Interesting and relevant article. The bottom line is that who you hire, and their value system, does count. Ask the film industry – everything can be copied if they are trying hard enough.
Morglum
I’ve often said that the current trend for “very secure” passwords (i.e. passwords that have a random mixture of upper and lower case alphas as well as numbers) is potentially less secure than user-generated ones.
The problem is it’s very difficult to remember a meaningless password. So once you have a few passwords floating about (password to log into PC, password for DB, etc) you need to have them stored in some way to recall later.
Therefore users will start writing them down or storing them in text files or spreadsheets on their computer. So you end up in a position where these “secure” passwords are available for anyone to view.
Worse yet, any password can be cracked – be it a dictionary attack or brute force. It’s just a matter of how long the cracker has to attack the system. Of course the obvious get-out would be to lock the account after n failed attempts – and if this is the route taken then user-defined passwords should be equally secure again (assuming the user isn’t stupid enough to set their password as “myname” or “password” hehe)
So while in theory a random hash of characters is more secure, I really don’t see that theory translating to the real world.
Personally, the ideal solution would be to move away from passwords altogether. But what then? Digital certificates on USB? Or something much more sci-fi like retina scans (as only a living eye can be used – unlike finger prints)?
…I’m pretty sure, at some point, somebody will try changing their name through deed poll to “;DROP DATABASE” to see what kind of havoc will ensue.
You mean… like “Little Bobby Tables”?
http://xkcd.com/327/
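The “Little Bobby Tables” problem from the two comments above, as an added example that is not code from any commenter or from the article: the same awkward name is stored twice in an in-memory SQLite database, once by gluing it into the SQL text and once as a bound parameter. The name value, the table and the function names are constructed for illustration.

```python
# Added example (not from the thread): string-built SQL versus a bound
# parameter, using Python's standard sqlite3 module on an in-memory database.
import sqlite3

# Constructed test value in the spirit of the comment above.
TROUBLESOME_NAME = "Robert'); DROP TABLE employees;--"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def insert_unsafe(conn: sqlite3.Connection, name: str) -> None:
    # Builds the statement by concatenation, so the name becomes part of the
    # program text. executescript is used because, unlike execute, it runs
    # several statements, which is what makes the second statement effective.
    conn.executescript(f"INSERT INTO employees (name) VALUES ('{name}');")


def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    # The driver sends the name as a bound value; it is never parsed as SQL.
    conn.execute("INSERT INTO employees (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'employees'"
    ).fetchone()
    return row is not None


def stored_names(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT name FROM employees ORDER BY id")]
```

Note that `sqlite3.Connection.execute` refuses more than one statement per call, which hides this particular payload without fixing the bug; parameter binding is the fix, regardless of driver.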