Mark Fullbrook, Cyber-Ark Software: Tips on stamping out Data Leakage & Industrial Espionage during a Recession
February 2009 by Mark Fullbrook, UK Director –Cyber-Ark Software
At a recent monthly gathering of both good and bad hackers in a dingy pub in Leicester Square, I asked them whether the economy was opening up new opportunities for them. The response was an overwhelming yes, with nearly everyone saying that the cut backs had caused jobs to be outsourced and, with less folks in IT looking after security, there would be increased room for vulnerabilities and for mistakes to emerge. They were also quick to state that the sentiment amongst redundant employees was that of disgruntlement and that therefore they were more inclined to exploit loop-holes in their previous employers’ networks.
The hacker community reinforced findings Cyber-Ark had unearthed in a recent survey it had conducted amongst 600 office workers in London’s Canary Wharf, New York’s Wall Street and also in Amsterdam. The study explored whether the recession was affecting peoples’ attitudes to work ethics and data security and, shockingly, it revealed that data theft and industrial espionage were on the up, worryingly not from hackers, but from the workforce itself concerned about impending job losses.
56% of workers surveyed said they were worried about losing their jobs because of the economic climate and, in anticipation, over half admitted to downloading competitive corporate data which they had identified as a useful negotiating tool in preparation to secure their next position. Top of the list of desirable information to steal is customer and contact databases, with plans and proposals, product information, and access/password codes all popular choices with a perceived value.
Memory sticks are the smallest, easiest, cheapest and least traceable method of downloading huge amounts of data which is why, according to the Cyber-Ark survey, they’re the “weapon of choice” to sneak out data from under the bosses nose. Other methods were photocopying, emailing, CDs, online encrypted storage websites, smartphones, DVDs, cameras, SKYPE, and iPods. Rather randomly, yet disconcerting, is that in the UK seven percent said they’d resort to memorising important data!
It’s not all doom and gloom as the survey also discovered that 70% of companies had implemented restrictions to prevent employees from taking information out of the office but that still leaves a worrying 30% unprepared for the snake in their midst.
Top Tips to Ring Fence The Risk So what can companies do to stop data leakage and company secrets being exposed during these very uncertain times? My best advice is to …
1. Only allow people access to the information that they need for their everyday activity. Install multiple layers of security within the organisation depending on the value of the information, in this manner only those that are privy to highly sensitive or important data are allowed access to it. The best way to do this is to have a “digital vault - where you can encrypt the company’s most critical assets and allow only those with privileged access into the vault.
2. Regularly change passwords on admin accounts or privileged accounts which are accessed by more than one user as you will often find that these power passwords are being informally shared amongst those people that shouldn’t be using them. It’s once you change these that suddenly people phone in and ask why they can no longer access the data and you realise just how many unauthorised people were unnecessarily accessing the information. It’s these admin accounts and privileged passwords that hackers will always try and access first as they are often badly managed leaving gaping holes in the network.
2. Drum into your staff the importance of respecting company data and make sure you instil good IT security housekeeping rules. You can have the best IT security products in the world, but if your staff lets you down by stealing the information or, then all your best intentions and investments go out the window – along with the data!
3. Make sure you have an audit trail to the sensitive and important data. That way you can track who has access to what information and can check at all times who is accessing it.
4. Have a strict password usage policy that means that all users within the company have to change passwords regularly mixing numbers, letters and symbols. Do not allow users to know, or worse share, each others passwords. As I mentioned earlier manage and audit the highly sensitive administrative passwords to prevent hackers, and increasingly important insiders, exploiting the systems.
5. Ensure that you have a strict protocol for remote users and administer security products onto mobile devices centrally. Deploy the best, most transparent, encryption solution that doesn’t impede the device or impact the user, otherwise they will do their utmost to bypass it.
6. Have protection in place against data deletion and loss - earlier file versions should be retained, ensuring an easy way to revert to the correct file content or recover from data deletion quickly with minimal disruption.
7. Always use digital signatures so that unauthorised changes in files are detected.
8. Make sure you have end-to-end network protection. Security must be maintained while data is being transported over the network. The process of transferring data has to be, in itself, secure. It should be necessary for users to be authenticated, and access control used to ensure that users only take appropriate action, and that only authorised actions are carried out.
9. Maintain process integrity at all times. As data transfer is an essential part of a larger business process, it is critical to be able to validate that this step in the process is executed correctly. This requires the solution to provide auditing features, data integrity verification, and guaranteed delivery options.
In this current economic climate employers need to be able to trust their staff, however, with everyone jittery about keeping their jobs - the instinct is to look out for number one. The result is that employers need to be stricter about locking down sensitive and competitive information. It would be unthinkable to leave money on a desk, an obvious temptation to anyone passing, instead it is always safely locked away and the time has come for companies to give sensitive information the same consideration. If times get hard, and they invariably will, companies need to ensure that any cutbacks aren’t deeper then expected when stolen data unexpectedly eradicates any chance of survival. CyberArk’s advice is only allow access to your most critical assets for those that really need it, encrypt.