The Insider Threat; by Sacha Chahrvin, Managing Director, DeviceLock UK.
The demands of the modern workforce are changing rapidly. It’s now a mobile business world, laptops now outsell desktops, wireless is outpacing wired and your average smartphone can do almost anything.
Not so long ago – when businesses were solely run out of an office – it was easy for employers to keep track of their staff and know that everything from the stationary to their confidential information was kept under one roof.
Nowadays, staff can work wirelessly and remotely, business is global and employees expect to work with a myriad of different appliances and gadgets – many of which are capable of storing anything from customer databases to family albums.
The trouble with all this mobility is that it’s not secure. The standard anti-virus and network access control is not enough nowadays. Mobility, in all its weird and wonderful forms, jeopardises business security – and it’s a growing problem.
Recent research has revealed that UK companies trail behind those in Germany and the US in the implementation of policies to prevent data leakage. It also showed that UK end users are less likely to know what type of information is confidential and rarely receive training on data policies.
There is a growing concern that IT networks are becoming too vulnerable to threat from the very thing that they are trying to incorporate – the remote device. The proliferation of iPods, smartphones, PDAs and USB sticks mean that most employees now have personal devices that can store huge amounts of data.
A survey of more than 1,000 UK workers found that 60 per cent admitted to theft of confidential documents, customer databases, business contacts or sales leads. So how do IT managers start to manage the security threats that are raised from these devices?
Vulnerability assessment
Pinpointing areas in the business where mobile storage devices are used regularly is important, this means that you can focus your plan of action accordingly.
Policy
Data loss is either on purpose or by accident, so there needs to be a concerted effort, through training and seminars, to convey the importance of data protection and the legal implications of data theft.
Reduce and limit access to data
Restricting who can access what information can help to control the movement of important data. The easier data is to copy, the harder it is to control, so making sure that the right levels of access are being granted to the right people is important – encrypting data on mobile devices is also a useful measure.
Controlling data
In the US, many companies do not allow staff to enter the workplace with personal devices that have storage capacity. This is becoming an increasingly common business practice, but it’s not failsafe. Investment in technical controls in order to monitor and prevent data being copied and printed without a trace should be the key ingredient of the strategy in managing the threat of data loss.
Endpoint data security enables businesses to allow staff to carry sensitive data in laptops and USB sticks without making data access inflexible and protracted. And this is the balance that IT departments are looking for. The workforce demands easily accessible data at the touch of a button, and the IT department would ideally like sensitive data to be totally secure – which would be impractical for modern working. Additional password authentication will help control who accesses certain systems, and endpoint security software can secure the company’s hardware from theft, or malicious attack through a USB port.
It is not necessarily a struggle for IT security to keep up with all these gadgets and devices, but it is a struggle for them to keep up with how we choose to use those items. Educating employees to try and alter their habits is vital as long as it coincides with the implementation of user friendly security measures such as endpoint security, two-factor password authentication or even James Bond style tracking technology for the most forgetful!
DeviceLock UK is exhibiting at Infosecurity Europe 2009, the on April 28 to 30, in its new venue Earl’s Court, London. The event provides a free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information – visit
