Information security, privacy, and keeping a company's confidential data protected are of pivotal importance in any business. The present-day corporation employs multiple layers of security, deploying firewalls, IDS, IPS, HIPS, etc. However, we all have chinks in our armor, and corporations are no different. Leakages tend to occur at the seams of an organization. These days we do not hear about cases of a lonely hacker toiling away to gain access to a company's crown jewels, whether that is a Coca-Cola recipe or sensitive code or data; there are much easier ways to gain access to a company's data and assets. Read on for a detailed look at the information security hazards often found in a typical office workspace.
1. Laptops: Anyone remember the recent case of the burglary of a Veterans Affairs employee's home, which resulted in the loss of a laptop containing personal information about more than 25 million veterans and active-duty military personnel? This is huge. Can you imagine this information falling into the hands of, forget identity thieves, our nation's enemies, who would now have access to the names, addresses and social security numbers of our soldiers out there? Laptops are valuable, light and easy to steal. Consider an HR employee who leaves a laptop in the car and comes back to find it stolen.
Solution: Encrypt, encrypt and encrypt. If your laptop comes with MS Vista, BitLocker can be used to protect files. BitLocker is an AES-based encryption system. External third-party tools that encrypt the entire hard drive of a laptop can also be used. While encrypting critical data is good, make sure you also put policies in place that keep this critical data off laptops in the first place. There is no reason for a sensitive document or a DB to be on an employee's laptop. If employees need access to this data from home, have them VPN in. Put policies in place to prevent employees from dumping sensitive data onto their laptops.
2. USB keys: The storage capacity of the present-day USB flash drive increases almost every other day. Today a 4GB flash drive is commonplace, and the fact that these drives have become so affordable, around 60 bucks for the 4GB drive, further fuels their popularity. In corporations, employees often use these drives to carry documents and data between offices or between home and the workplace. Their small size makes them very easy to misplace.
The Solution: Thankfully, along with the increase in storage capacity, USB drives now also come with encryption built in. Most of them offer the option of encrypting data using 128- or 256-bit AES encryption. Although they are a bit more expensive than regular USB drives, corporations must allow only authorized, encryption-enabled flash drives.
3. Backup Storage: If your corporation does not have a data center, then you might be employing an offsite storage firm. The problem with this is that the discs could get lost or stolen.
Solution: Encrypt the storage disks before sending them off site for storage. Also, if possible, transmit this data electronically instead of physically.
4. Cell phones and PDAs: Smartphones and PDAs, most notably the BlackBerry, have silently made their way into corporate life and have replaced the good old pager, or are getting there. They are usually deployed to people who are on call 24/7. The problem is that not everyone is given these expensive BlackBerrys. They are given to managers, senior employees or members of a critical team. The more important the people, the more important and critical the data that makes its way onto these handheld devices, and the more vulnerable that critical information is to theft and loss.
The Solution: BlackBerry handhelds come with secure enterprise servers which, when properly integrated, provide the right amount of data. Also, as with any handheld device, encrypt sensitive data on the device itself. With cell phones, disable features such as Bluetooth and automatic downloads.
5. Dumpster diving: The recent example of an England bank disposing of critical information about its customers in dumpsters sent shockwaves throughout. This example only highlights what is a super easy route for identity thieves and criminals. A lot of corporations have shredders available, but the critical data comes out of the trash bin under the employee's desk.
Solution: Employ specialized companies like Iron Mountain or Shred-It to handle document destruction. Also, deploy shredders in the copy room, in addition to locked Iron Mountain bins that have just a small vent for paper to go through. Employee training on how to handle and dispose of sensitive data is also important.
6. Fax Machines: While almost on the list of endangered species, the fax machine still exists in most corporations. The problem is that employees might fax something and then walk away, while the machine later generates a fax report containing a copy of the document it just faxed, along with the name and fax number of the person the fax was sent to.
Solution: Restrict access to fax machines and appoint certain people in each group, maybe a tech lead, to handle faxing tasks. Also, deploy computer-based fax servers to reduce the risk of mistyped fax numbers.
7. Portable Media Players: This probably involves placing restrictions on one of employees' most in-demand requests, the use of portable media players like the iPod. Unfortunately, an iPod is also a hard drive, which could be used as an external hard disk to copy sensitive corporate data or code onto and walk out with.
Solution: Employ a Host-based Intrusion Prevention System (HIPS) product and set the rules so that no external USB drive has read/write access. This still allows employees to recharge their iPods, if needed, through USB cables connected to their computers.
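
The same read/write restriction can also be expressed with the Removable Storage Access policy built into Windows, which is a different mechanism from the HIPS product recommended above. The script below is an added example, not part of the original article: it reports whether read and write access to removable disks is denied on a machine and, when run elevated with `-Enforce`, sets the deny values. It assumes that flash drives and media players in disk mode fall under the Windows "Removable Disks" device class; USB power for charging is not affected by this policy.

```powershell
# Added example: audit (and optionally enforce) the Windows removable-disk
# deny policy. Run elevated when using -Enforce.
param([switch]$Enforce)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID behind the "Removable Disks: Deny read/write access"
# Group Policy settings (USB flash drives, players that mount as a disk).
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$key = Join-Path $base $removableDisks
$valueNames = 'Deny_Read', 'Deny_Write'

function Get-DenyState {
    param([string]$Path)
    # A missing key or value means the policy is not configured (access allowed).
    $state = [ordered]@{ Deny_Read = 0; Deny_Write = 0 }
    if (Test-Path $Path) {
        $props = Get-ItemProperty -Path $Path
        foreach ($name in $valueNames) {
            if ($null -ne $props.$name) { $state[$name] = [int]$props.$name }
        }
    }
    [pscustomobject]$state
}

$before = Get-DenyState -Path $key

if ($Enforce) {
    # Create the policy key only if absent so existing values are preserved.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $valueNames) {
        New-ItemProperty -Path $key -Name $name -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

$after = Get-DenyState -Path $key

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ReadDenied    = [bool]$after.Deny_Read
    WriteDenied   = [bool]$after.Deny_Write
    ChangedByThis = $Enforce -and (($before.Deny_Read -ne $after.Deny_Read) -or
                                   ($before.Deny_Write -ne $after.Deny_Write))
}
```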