Data Leak – a lurking threat


It is essential for everyone to understand the importance of Data for an organisation and to take ownership for its health and safety.

Carol Wood, a student of University of Virginia was surfing the internet when she suddenly found her social security number (SSN) along with several other confidential data online. She checked and there were similar confidential data available of around 350 more students including their exam transcripts, SSN, credit screening information etc.

Around 150 million customers’ data were stolen and made available online from Shanghai Roadway D&B Marketing Services. More than 465,000 records including driver’s license, social security numbers etc were stolen by a government employee from Georgia Technology Authority. Similarly, around 1,85,000 records were stolen from San Jose Medical Group including SSN, credit card information etc. The list is long and growing at an amazing pace. And all these cases involve someone from inside leaking information, intentionally or unintentionally.

In a study done by an independent institute which identified 43 companies who had suffered data leaks last year, the total cost of coping with the consequences rose to $6.6 mn per leak, with 84 per cent repeat offenders. Especially for the healthcare and financial services sector, the customer discontinued the association with companies that failed to secure sensitive data.

Let’s analyse how and why a data leakage occurs. A few other ways of losing the data via leaks are:
Lax, improper or missing access control systems containing sensitive data, from back-end databases and servers to mobile computers

Insecure transmission of personal identifiable and other restricted data
Insecure and improper destruction of information, encompassing physical locations (dumpsters) and electronic media (laptops and backups)

Lack of separation of duties and access controls on databases and other shared systems
Doing business with providers that allow data leakage (HR sending sensitive information to do background check)

How to prevent Data Leaks:
Some important questions you should ask your IT staff or IT provider are:
Are there any policies and procedures in place to ensure that the organisations data is not “leaking” outside of the network?

Is there any technology in place to monitor these policies?

Is there any way of preventing employees from taking corporate data or sending it to unauthorised parties?

Is our ‘Data Loss Prevention’ policy meeting any compliance requirements we might have (HIPAA, ISMS, GLBA, SOX, etc).

Are we aware of where our most confidential data is being held?

Are we able to audit users’ access to our confidential data?

Primary concern for Data Loss Prevention is to understand what the value of the data is to the organisation and how everyone is responsible for ensuring its ‘health and safety’. In essence, this can only be achieved through a comprehensive understanding of the risk facing your organisation’s data, and educating the people who handle or access it. Training and educating should be mandatory for all people who come into contact with it and this is only the first step. This may appear like a basic concept, but it is one that is often neglected. This is the primary reason for data breaches.

Data is any company’s most valuable asset and ensuring that it is protected against ‘internal’ threats is just as important as securing it against outside threats.

For most companies, data loss is largely attributed to employees. According to a recent Gartner report:
One in every 400 messages contains confidential data
One in every 50 network files is wrongly exposed
Four out of five companies have lost data on laptops

Half of all companies have lost data on USB drives

More than 52 per cent of CIOs (Chief Information Officers) believe data leakage is a top priority in their security spending

A common proverb says: Prevention is better than Cure. It’s important not to wait until a breach occurs to implement data leakage solutions. Without a comprehensive security structure of your network, you may not even know if a security breach occurs.

A Data Leak Prevention system will help you to plug-in the loop holes that you may have in your system. A DLP solution will not only alert you of any breaches, but prevent any devious activities of all the users so that you are aware of activities and take preventive measures.
A few things to look for in a Data Loss Prevention solution are:

Where does the product look for data across your network?

Does it find sensitive data just travelling your network, on your database and file servers, or does it look at data on local desktops?

Can the product search for data without any endpoint agents installed, or does it require a client to be installed on the end-points?

Can the Data Loss Prevention agents accomplish other security-related things on the endpoints?

Some vendors can turn off USB connectors to block someone with a thumb drive from walking away with all of your customer data in their pocket. Others can control which applications can and can’t be run on your workstations, laptops or even tablets.

What protocols can be blocked or analysed?

Just protocols involving e-mail (SMTP, POP and IMAP)? What about file transfer technologies or instant messaging?

What kind of data can be saved by the users on their end-points?

Can they save information like credit card information, SSN, Telephone numbers, etc on their desktops?

How hard is it to create – and then change – the Data Loss Prevention rules?

A DLP tool is only as good as its ability to have rules updated easily over time. Can your IT staff (or outsourced provider) easily update rules as new threats are identified or company policies updated?

What happens when a rule is broken?

Can you figure out who violated the policy, where the offending information is stored, and what kinds of automated responses can be sent? Does the product come with pre-defined templates to make all of this easier?

Is the content analysis portioning a separate or integrated piece of the product?

In some cases, you need several different products to be installed to enable a complete solution.

What kinds of reports are available, and are they easy to understand?

Does the product offer any real-time reporting capabilities, and how flexible are these reports?

How to achieve a successful DLP implementation:
Identify key participants – Assemble those that should be involved internally when you identify data loss. Participants may include IT, HR, and operations employees. Identify the individuals and meet with them to work out what situations they will need to be involved in.

Develop a notification process – Do you have processes ready if a regulated data breach occurs? Who will be notified? Is your legal or compliance team ready to meet requirements such as breach notification laws?

Fix broken business and weak processes – Assume that you will find broken business processes, like automated file transfers to partners in clear text over the internet instead of encrypted or over private line.

Create a plan for handling theft – Talk with HR to establish a process if you uncover insider theft. Give HR a heads up and involve them in the roll-out. The insider may be at a senior level, so consider that as well.

Establish the response team and workflow – Map out your incident handling and resolution process, as a flowchart. Who will be on the incident handling team?
Set a timeline for incident resolution – Set goals for making sure incidents are handled in a timely manner:
First level review of all incidents within X amount of time
Resolve all high severity incidents within Y amount of time
Close all incidents within Z amount of time (resolving incidents within two hours)
Establish reporting and automate – How are you going to track things? Decide what reports you’ll need to have and who should get them. There should be reports for:
Incidents created
Incidents closed
Open incidents status – by age, severity, owner
A report sorted by the type of data or by policy that was violated
Summary reports for your CSO
Plan roll-out stages – It’s important to plan your roll-out in stages rather than trying to attach the problem all at once.

Select data and policies to be implemented in stages
Roll-out and test your policies in a monitor only mode, to set a baseline.
Decide when you will have the solution, notify end users and what you expect of them.

How can DLP help you?
A DLP system primarily helps enforce ‘acceptable use’ policies and processes for an enterprise. They are not designed to solve the part of data leakage problem space that is related to security threats like a virus/trojan attack; it will not stop hackers coming into your system; it will not stop phishing attempts on your corporate e-mail system. So, it is not an information security data leakage issue that the DLP solution is trying to solve.
Hence the DLP solutions help mitigate following risks:
Identifying insecure business processes. For example, use of FTP for transporting PHI data
Accidental data disclosure by employees. For example, employee sending unencrypted email containing PHI data
Intentional data leakage by employees. For example, disgruntled employees stealing data or an employee leaving the company with sensitive data
Stopping users storing and distributing sensitive information in their desktops or mobile devices.

Leave a Reply