Stop mass-mailing your confidential info
"The number-one channel for both malicious and inadvertent leaks of valuable, confidential information is plain old email," said Gary Steele, CEO of Proofpoint, Inc.
A recent survey that Proofpoint conducted with Forrester Consulting found that IT directors and managers are most concerned about outbound email threats, especially leakage of confidential memos, valuable intellectual property, and trade secrets.
Steele said that leaks are not always malicious. "Recently, in California, employees of Contra Costa County were inadvertently sending all sorts of confidential information to an email address in Sweden," he said. "Similarly, a court reporter transcribing hearings in the Kobe Bryant rape case accidentally leaked confidential court transcripts when they were emailed to the wrong distribution list."
Steele added that certainly there are also malicious leaks. "A quick scan of sites such as internalmemos.com will show dozens of sensitive internal memos from Fortune 500 companies -- typically sent by insiders to the site's publisher. There are also cases such as the recent AOL insider theft of screen names / email addresses."
For companies looking for technology solutions to this problem, Steele recommended the Proofpoint Protection Server software and Proofpoint P-Series Appliance, which provide a complete message-protection platform that guards against inbound email threats (such as spam and viruses) and helps ensure that outbound messages comply with company policies and external regulations.
Stop careless security practices
Jeff Bowling, founder and CEO of TELXAR, stressed that the best way to plug data leakage is to implement a good security plan, which should not only include the dos and don'ts for the internal network, but also serve as a guidebook for the network administrators. The plan should include the following basic, often overlooked, policies:
- Indicate access hours.
- Specify login credentials and rights.
- Disable outside software.
- Consider internal auditing / intrusion monitoring applications.
- Lock down internal hardware components.
- Perform regular audits on security and resource.
- Disable USB or FireWire ports.
- Restrict mail size and / or block all attachments.
- Disallow use of camera devices within restricted / sensitive areas.
- Define a tight policy on acceptable devices and their usage.
- Define a Point of Contact policy for questions about the network and its contents.
- Execute nondisclosure and confidentiality agreements.
- Define chain of command and escalation procedures.
- Ensure that managers as well as users understand the security plans and policies.
Consider a nontechnical approach
Johnson proposed another tactic. "I'm surprised more companies don't use nontechnical approaches to security." He said that it's possible to perform real background investigations on employees in sensitive positions to see if they have any red flags indicating poor trustworthiness. "I used to work in the defence industry, and this was an absolute rule," he said.
"We also had a rule that secure systems could never be used by a single person in isolation -- there were machine rooms where you had to go in with a 'buddy', sign in and sign out, and keep an eye on each other."
Johnson added that there is probably a business opportunity for someone to apply the defence-type approach to the commercial environment. "Imagine if a specific outsource provider ran civilian systems with the same security standards used by defence. Expensive, and not desirable for every system, but could be very attractive for the most important / regulated data."
Talkback
Intresting data leaking production from file, document thefts: EagleEyeOS Professional www.eagleeyeos.com
Many more good solutions, such us Document Quarantine, File lifecycle tracking, etc.