Hacking: The Biggest Threat to Business


Fifty years ago, the major threats to a business were competition from other businesses and government regulation.  Times have changed considerably, and those threats have arguably taken a back seat to one that can seriously harm a business in a matter of days.  This threat is data loss, and it has become commonplace.  Recent examples include South Carolina’s revenue system being hacked and information, including Social Security numbers, being stolen.  The consumer deal finder LivingSocial had some of its data stolen.  When sensitive data gets into the hands of unscrupulous people, customers can suffer serious effects and the business can have a horrible public relations problem.  This article examines the ways data can be lost and some methods for avoiding the problem.

In general, a person can access business data in one of three ways.



The first is having direct access to the data server.  This type of access is the one most commonly examined and feared because it can result in the largest amount of data loss.  Certainly, physical access to a server is a problem since data can be removed through backup devices and ports connected directly to the server. However, since getting physical access is usually difficult, hackers tend to use electronic access, such as the Internet, to obtain data.  When using electronic methods, hackers have to bypass whatever security there is at the entrance point and then bypass any security in the file system.  Once the hacker finds a way around this security, everything is accessible.


The second method of accessing business data is through the transmission of the data.  Data flows through hardwired lines, fiber optic lines, and even through the air by way of wireless connections.  For all of these, there are data sniffers, devices that can record all of the data flowing back and forth.  This access method does not expose as much data as the first method, since only user-requested data travels over the lines.  Nevertheless, if sensitive data is not protected, it can be easily obtained by a hacker.


The final method of accessing business data is through the end devices.  End devices are data receivers such as computer screens and printers.  These devices show data in nice, neat formats that are easy to read.  Printed paper can be read by anyone until secured.  Computer screens can be observed by anyone if left unattended.  While this method of accessing data probably results in the smallest amount of data loss on an incident-by-incident basis, it happens more frequently than the other two methods.  An accountant who has sensitive financial information on the screen might be called away from the desk on an urgent matter.  A teacher prints student ID numbers and grades and leaves the printout on a printer that anyone can access.  A manager walks away from a laptop for a few minutes, during which time someone inserts a thumb drive into the laptop and downloads information.  These are just a few examples of how sensitive data can be obtained through the carelessness of an employee.

Creating solutions to the problem of data loss has to start with the realization that no security system is perfect.  If the goal is to create the perfect data loss prevention system, only frustration will result.  Instead, the goal should be to create obstacles for the hacker that take time to circumvent.  This extra time may allow security software to catch up and shut down the operation.  The extra time the hacker needs might also be a deterrent to the hacker, who might then turn attention elsewhere.  The following paragraphs examine some obstacles that may be placed for hackers in each of the three access methods.

For data loss from the server, the obvious methods are to have password protection for entry into the system and user permissions placed on the folders in the system.  But this is where many firms stop, believing this security will stop intruders.  However, this is not enough.  Software can be purchased that monitors a system for strange occurrences such as massive downloads or frequent access failures.  But other methods can be used that involve how the data is stored.  Data can be split into multiple files so that a hacker may only get partial data which may not make sense without the other files.  Another way is to encrypt the data as it is stored.  Modern encryption methods are extremely difficult to break.  Thus, a hacker might get the data but then has to decipher it.  Another answer might be fake files placed on the server that look like important files to a hacker but really contain junk data.
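The monitoring described above (frequent access failures, massive downloads, and a decoy file that no legitimate user should open) can be sketched as follows; this is an added example, not code from the original article. The log format, thresholds, user names and decoy path are all assumptions.

```javascript
// Added example, not from the original article: log format, thresholds and
// the decoy path are assumptions chosen for illustration.
const DECOYS = new Set(['/data/finance/payroll_2024_backup.xlsx']); // junk file
const MAX_FAILURES = 3;           // denied attempts tolerated per window
const MAX_BYTES = 50 * 1024 ** 2; // 50 MiB read per window
const WINDOW_MS = 60_000;         // sliding window length

// Constructed sample: "<ISO time> <user> <action> <path> <bytes> <OK|DENIED>"
const SAMPLE_LOG = `
2024-05-01T09:00:01Z alice READ /data/sales/q1.csv 20480 OK
2024-05-01T09:00:05Z mallory LOGIN - 0 DENIED
2024-05-01T09:00:09Z mallory LOGIN - 0 DENIED
2024-05-01T09:00:14Z mallory LOGIN - 0 DENIED
2024-05-01T09:00:20Z mallory LOGIN - 0 DENIED
2024-05-01T09:05:00Z bob READ /data/customers/part-01.db 20971520 OK
2024-05-01T09:05:10Z bob READ /data/customers/part-02.db 20971520 OK
2024-05-01T09:05:20Z bob READ /data/customers/part-03.db 20971520 OK
2024-05-01T09:05:30Z bob READ /data/finance/payroll_2024_backup.xlsx 4096 OK
`.trim().split('\n');

function parseLine(line) {
  const [time, user, action, path, bytes, status] = line.trim().split(/\s+/);
  return { ts: Date.parse(time), user, action, path, bytes: Number(bytes), status };
}

function detect(lines) {
  const alerts = [];
  const recent = new Map(); // user -> events inside the sliding window
  const raised = new Set(); // one alert per user and rule
  const raise = (rule, ev) => {
    const key = `${rule}:${ev.user}`;
    if (!raised.has(key)) { raised.add(key); alerts.push({ rule, user: ev.user, at: ev.ts }); }
  };
  for (const ev of lines.map(parseLine)) {
    if (Number.isNaN(ev.ts)) continue; // skip malformed lines
    const win = (recent.get(ev.user) || []).filter(e => ev.ts - e.ts <= WINDOW_MS);
    win.push(ev);
    recent.set(ev.user, win);
    if (DECOYS.has(ev.path)) raise('decoy-file-touched', ev);
    const failures = win.filter(e => e.status === 'DENIED').length;
    if (failures > MAX_FAILURES) raise('frequent-access-failures', ev);
    const bytesRead = win.filter(e => e.status === 'OK').reduce((n, e) => n + e.bytes, 0);
    if (bytesRead > MAX_BYTES) raise('massive-download', ev);
  }
  return alerts;
}

console.log(detect(SAMPLE_LOG));
```

The decoy rule needs no threshold: a single read of a file that has no business purpose is enough to investigate.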

Data stolen in transmission presents a different problem.  While it is impossible to prevent the collection of the data by a hacker, the data can be encrypted so it is not immediately usable.  The most common method of sending data such as credit card data is Secure Sockets Layer (SSL).  SSL is an encryption method that is an integral part of most web browsers.  While SSL is very difficult to break, those wishing tighter security can add a second layer: encrypt the data with an alternate encryption method before transmission, let SSL encrypt it again for transmission and decrypt it on receipt, and then decrypt the data using the alternate method.  Programmers familiar with languages such as PHP and JavaScript should be able to accomplish this.
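The extra encryption layer described above, which also covers the earlier suggestion to encrypt data as it is stored, can look like this in Node.js; it is an added example, not code from the original article. It uses AES-256-GCM from Node's built-in crypto module, and the shared key, record shape and context strings are assumptions.

```javascript
// Added example, not from the original article: field-level AES-256-GCM that is
// applied before the SSL/TLS channel and removed after it.
const crypto = require('node:crypto');

// Assumption: both endpoints already share this 32-byte key out of band
// (in production it would come from a key management service, not from code).
const SHARED_KEY = crypto.randomBytes(32);

// Sender side: encrypt one sensitive field, binding it to a context string so
// a ciphertext copied into a different record fails authentication.
function sealField(plaintext, context, key = SHARED_KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Receiver side: runs after the web server has already removed the TLS layer.
function openField(sealed, context, key = SHARED_KEY) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('sealed value too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Returns true when a modified or misplaced ciphertext is rejected.
function rejects(sealed, context) {
  try { openField(sealed, context); return false; } catch { return true; }
}

// Constructed sample record; the card number is a well-known test value.
const sealedCard = sealField('4111111111111111', 'order:1001:card');
const wireBody = JSON.stringify({ order: 1001, card: sealedCard }); // sent over HTTPS
console.log(wireBody);
console.log(openField(JSON.parse(wireBody).card, 'order:1001:card'));
console.log(rejects(sealedCard, 'order:2002:card')); // wrong context is refused
```

Storing the sealed value as it arrives keeps the field encrypted at rest as well, so a copied database file yields only ciphertext.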

Two policies can help prevent the final method of unauthorized access.  First, any program that accesses sensitive data should time out after a given number of minutes.  If individual programs cannot be configured this way, then the user’s account should be set to log out after a set number of minutes of inactivity.  However, this policy does not solve the problem of printed data sitting in the open or data on a screen between the time the user leaves and the timeout occurs.  To solve this problem, management has to create and enforce a very tough policy about leaving sensitive data where anyone can access it.

Data loss is a huge problem in organizations.  While it can never completely be eliminated, the loss can be mitigated through several methods.  Some of the methods can be quite expensive; some methods are inexpensive.  An organization must recognize that data loss is one of the biggest threats it faces and must take steps to reduce it.