You wouldn’t think that losing a USB memory stick could cost your company millions of dollars of lost contracts, but that’s exactly what happened to PA Consulting in the UK.
That USB key happened to contain the personal information of thousands of convicted British criminals – citizens that still have a right to privacy. After the government e-mailed the data in an encrypted form to the analyst firm, two mistakes were made that led to a major data leak. First, the data was copied in an unencrypted format to a USB key. Then it was left in an unlocked drawer overnight.
“If this sensitive data had been on paper, it would’ve been locked away – the same has to be done with portable media, you need lots of barriers to prevent anyone from getting your confidential data,” says Graham Cluley, senior technology consultant at U.K.-based security vendor Sophos PLC. Cluley blogged about the subject.
Last week the British government terminated a contract with PA Consulting worth nearly $3 million. They also said that another $15 million in contracts with the firm were under review. That’s turning into one expensive USB key.
“The lesson is that it’s important to ensure that your sensitive data is encrypted,” Cluley says. “Even if an accident happens or your data gets stolen or misplaced, criminals can’t do anything with it and hopefully won’t even recognize they have anything valuable.”
If only PA Consulting had taken data leak prevention more seriously, they could have avoided this incident. Instead, they’ve made a government client look bad and now risk losing many millions of dollars.
To make sure a data leak disaster doesn’t hit your company, here are five tips to follow. The straightforward advice comes thanks to a white paper authored by Barbara Filkins and Deb Readcliff, sponsored by Utimaco and Trend Micro.
Not all data is equal – handle accordingly
An organization must consider where the confidential data is and where it moves to on a routine basis. It is important to know both the type and the form of sensitive data you’re working with, and where it lives on your servers if you’re going to plug the holes and stop data leakage.
“Maybe you’re working on a new advertising campaign with graphics for your Web site,” Cluley says. “That information is not as critical as the information in the finance department that might contain information about what companies you want to acquire.”
All information in an organization should be controlled, the analyst adds, but some should be more tightly buttoned down than others.
Make a map of all the data in your organization to visualize what you’re tackling – where does the data reside and where does it move to? Once these questions are answered, you can see where the weak points might be and move to fix them.
For example, data that moves from one department to the next might be cause for concern, Cluley says. Most often, it is not malicious intent that is responsible for exposing data outside of the organization – it is simply human error.
“There can’t be anyone on the Internet that hasn’t e-mailed the wrong person,” he says. “The accidental data leakage problem is actually huge.”
But with the right understanding of your data map, and the right technology, an organization can put a plug in a data leak.
Back to school – train employees
A company should train all of its new staff on how to recognize sensitive data and how to handle its transfer through e-mail, instant message, or snail mail, according to the white paper. Staff should know about this, just as they know about other procedures at the company.
Training new staff and re-educating existing staff is essential, Cluley agrees. Many companies will send around pamphlets asking employees whether they’re sitting comfortably at their desks to stave off back pain, but few will send around literature on data protection practices, a gap that could become very expensive.
“It’s essential to have regular refresher courses to really bring home to people the importance of this,” he says. Good practices at Sophos have prevented data leaks in the past.
In one incident, a man pretended to be Cluley (imitating a bad British accent) and phoned the Sophos Asia offices. The hoaxer claimed his laptop was broken and some information about people he had to meet should be mailed to his Web mail account.
“But the staff immediately knew that they weren’t going to send out any data,” the real Cluley says. “Even though my name was mentioned, they weren’t going to roll over and do what this Graham Cluley was asking them to do.”
Dynamic duo – detection and prevention
A mix of technology, studious network administrative protocols and some traditional lock-and-bolt security will do wonders to curb the chance of a data leak, the white paper advises. Start with looking at the data controls on your network.
Consider the workplace culture when determining who needs access to what data and don’t do anything too restrictive. You want to reinforce your organization’s ability, not to hinder it.
Some software that filters out confidential information and prevents it from leaving the organization through e-mail will help to stop accidental data loss.
“Scour e-mails that leave the organization to look for things that might be sensitive, like social insurance numbers,” Cluley says. “Particular data formats can be identified and an alert can go out to have that message blocked by the IT team.”
Take a holistic approach
Much like the Chinese approach to medicine, it is important to pay attention to the entire mass of data within an organization. But this isn’t something attained overnight; it’s something you slowly work towards.
It’s important to take baby steps towards an enterprise-wide data security system, Cluley agrees. Unleash it all at once and you’re likely to find there are too many errors to be worked out and that productivity is hindered.
“Run a data monitoring program in report mode to start,” he advises. “It will report breaches that happen, but won’t stop them. That’s because your policy won’t be perfect – just because the report registered an unauthorized data use, you might find out it was actually a legitimate transfer.”
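The outbound e-mail scanning Cluley describes (flagging a particular data format such as social insurance numbers) and the report-mode rollout he recommends can be put together in a small filter. The code below is an added example, not part of the original article or of any vendor product; the internal domain `example.com`, the message fields and the sample SINs are constructed for illustration, and the checksum rule is the Luhn mod-10 check used by Canadian SINs.

```python
import re
from dataclasses import dataclass, field

# Hypothetical internal domain; mail that stays inside it is not inspected.
INTERNAL_DOMAIN = "example.com"

# Canadian social insurance numbers: nine digits in three groups, optionally
# separated by a space or hyphen. Word boundaries keep us off longer numbers.
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by SINs; weeds out most random 9-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """Return the SIN-shaped tokens whose checksum validates (fewer false alarms)."""
    return [m.group(0) for m in SIN_PATTERN.finditer(text)
            if luhn_valid("".join(m.groups()))]


@dataclass
class Verdict:
    action: str                         # "allow", "report" or "block"
    findings: list[str] = field(default_factory=list)


def inspect_outbound(sender: str, recipients: list[str], body: str,
                     mode: str = "report") -> Verdict:
    """Scan mail leaving the organization. In report mode a hit is logged for
    the IT team but the message is still delivered; in block mode it is held."""
    leaves_org = any(not r.lower().endswith("@" + INTERNAL_DOMAIN)
                     for r in recipients)
    if not leaves_org:                  # internal traffic is out of scope
        return Verdict("allow")
    hits = find_sins(body)
    if not hits:
        return Verdict("allow")
    return Verdict("block" if mode == "block" else "report", hits)
```

Running the filter in report mode first lets you review the `findings` of each flagged message and tune the pattern before switching the same call to `mode="block"`.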
Keep your guard up
You’ll need to work hard to keep up the pace and move with your data as it changes. New business partners, new factors affecting your industry, or new consumer trends could pose new data leak risks, according to the white paper.
When working with a new business partner, make sure that a discussion about data security takes place before you start exchanging information. You’ll need to make sure they’re using encryption and security standards equal to or better than those within your own organization.
“It was the British government that got all the flak for that data leak,” Cluley says. “But they didn’t do anything wrong other than trust an external agency.”
Use a legal contract and if possible, do an audit on the way your business partners operate, he adds. That will give your company confidence that things are really secure.