It seems that instances of data loss are rarely out of the news these days. Reports of lost personal records or stolen customer data hit the headlines on an alarmingly regular basis, with severe consequences: not only immediate financial loss, but also longer-term damage to reputation.
The need for organisations of all sizes to ensure that their data is locked down has never been greater: as of 6 April this year, the ICO (the Information Commissioner's Office) can order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
Whilst most data breaches are the result of accidental rather than intentional loss of data, it’s nonetheless imperative for companies to make sure that they have the tools and technology in place that will prevent the loss of sensitive data.
Large amounts of sensitive information and intellectual property can be stolen through ‘endpoints’. With this in mind, here we offer some practical advice on how to avoid the loss of sensitive data from PCs and laptops, as well as from removable devices such as USB sticks and CDs.
Educate your employees
This may sound like common sense, but many instances of data loss are simply the result of a lack of sound policies around the use of removable storage devices such as USB sticks or laptops. Educate all employees about what is deemed acceptable behaviour in the use of such devices. Once such a policy is in place, a DLP product can shorten the training cycle and make it successful. It is also important to have processes in place for when an employee leaves the organisation: for example, handing in mobile phones, changing passwords to internal systems so that ex-employees cannot access confidential data, and revoking access to encrypted data. Also, make sure that your security software is kept up to date to avoid additional vulnerabilities; this means applying the patches needed to keep it safe from known threats.
Lock down all your endpoints
Full data loss prevention strategies need to protect data at rest, data in motion and data in use to ensure that organisations are fully protected. Create and enforce policies for the transfer of sensitive data and build a content-aware data security policy, which involves identifying where sensitive information lies and the myriad instances where it might be used. For example, you may wish to set policies governing who can send information containing National Identity Numbers, or stating that credit card numbers cannot be emailed or printed.
Classify and limit access to sensitive data
In order to protect sensitive information, it must first be recognised for what it is. Most information that organisations hold can be classified into three levels of sensitivity: high, medium and low. Enforcing this kind of data classification consistently across email and other electronic documents improves an organisation’s ability to understand the value of its data and how it is being handled. It also adds a further level of control to limit the access to and movement of data, and defines the security clearance that individuals need in order to access that information.
Organisations can then also ensure that there are systems in place that grant access, and restrict the movement of data, on an ‘as needed’ basis.
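As an added example (not code from the original article or from any product it describes), the following Go program shows one way the content-aware transfer policy and the three-tier classification scheme described above could be expressed in code. It scans text for payment card numbers, validating candidates with the Luhn checksum so that order or phone numbers are not flagged, and for a national identity number format; it assigns a sensitivity level from what it finds; and it then checks a proposed transfer against both the channel's limit (card numbers may not be emailed or printed) and the sending user's clearance (who may send national identity numbers). The identity number pattern, the channel names and the sample messages are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Level is one of the three sensitivity tiers described in the text: low, medium, high.
type Level int

const (
	Low Level = iota
	Medium
	High
)

func (l Level) String() string { return [...]string{"low", "medium", "high"}[l] }

var (
	// Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// Assumed national identity number format for this example (two letters, six digits, one letter).
	nationalIDRe = regexp.MustCompile(`\b[A-Z]{2}\d{6}[A-Z]\b`)
	nonDigitRe   = regexp.MustCompile(`[^0-9]`)
)

// luhnValid reports whether a digit string passes the Luhn checksum. Most random
// digit runs fail it, so the check keeps order and phone numbers from being flagged.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// FindCardNumbers returns the Luhn-valid card numbers in text, separators removed.
func FindCardNumbers(text string) []string {
	var found []string
	for _, m := range cardRe.FindAllString(text, -1) {
		digits := nonDigitRe.ReplaceAllString(m, "")
		if luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// Classify assigns a level from content alone: card numbers are high, national
// identity numbers medium, everything else low.
func Classify(text string) Level {
	if len(FindCardNumbers(text)) > 0 {
		return High
	}
	if nationalIDRe.MatchString(text) {
		return Medium
	}
	return Low
}

// Policy records the highest level each transfer channel may carry.
type Policy struct{ MaxLevel map[string]Level }

// DefaultPolicy encodes the rules from the text: high (card number) data may not be
// emailed or printed; an encrypted internal share is the only channel that may carry it.
func DefaultPolicy() Policy {
	return Policy{MaxLevel: map[string]Level{
		"email":           Medium,
		"print":           Medium,
		"encrypted-share": High,
	}}
}

// Decision is the outcome of a policy check, with a reason suitable for audit logging.
type Decision struct {
	Allowed bool
	Reason  string
}

// Evaluate checks a transfer: the data's level must not exceed the channel's limit,
// and the sending user's clearance must be at least the data's level.
func (p Policy) Evaluate(text, channel string, clearance Level) Decision {
	level := Classify(text)
	maxLevel, ok := p.MaxLevel[channel]
	switch {
	case !ok:
		return Decision{false, fmt.Sprintf("unknown channel %q", channel)}
	case level > clearance:
		return Decision{false, fmt.Sprintf("%s data exceeds user clearance %s", level, clearance)}
	case level > maxLevel:
		return Decision{false, fmt.Sprintf("%s data may not leave via %s", level, channel)}
	}
	return Decision{true, fmt.Sprintf("%s data permitted via %s", level, channel)}
}

func main() {
	p := DefaultPolicy()
	// Constructed sample messages; the card number is a widely used test value.
	samples := []string{
		"Please charge card 4111 1111 1111 1111 for order 20134.",
		"Applicant AB123456C has been confirmed.",
		"Lunch menu attached.",
	}
	for _, s := range samples {
		for _, ch := range []string{"email", "print", "encrypted-share"} {
			d := p.Evaluate(s, ch, Medium)
			fmt.Printf("%-5v %s\n", d.Allowed, d.Reason)
		}
	}
}
```

A real DLP product would add many more detectors and would apply this check at the enforcement point (mail gateway, print spooler, USB driver), but the shape is the same: classify the content, then compare its level against both the channel and the person.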
Encrypt sensitive data
Firms should also look at encrypting data on hard drives, USB drives, CDs, PDAs and memory sticks if they contain sensitive data, so that the data cannot be read by unauthorised users in the event of loss or theft. Whilst in the past encryption was seen as an additional burden on IT departments, there are now encryption tools available that are completely transparent: they require no end-user training and do not change the end-user experience or common IT procedures. This means they have no impact on the business and allow users to continue working as usual, without changing their routine.
Seek expert advice
Finally, to ensure that you have identified all areas where data breaches could occur and taken the appropriate preventative action, call in the expertise of an independent assessor. With the proliferation of compliance and data protection requirements it can seem like there is a minefield of different regulations to navigate. An independent expert such as a security solutions provider will be able to provide a professional assessment of measures that need to be taken to ensure compliance and avoid the repercussions of accidental or malicious loss of data.