There are those who consider former NSA contractor Edward Snowden a whistle-blowing hero. Others believe he is a traitor. Be he enemy of the state or martyr to the cause of public disclosure, the documents the current fugitive leaked reveal something very important: the stunning degree to which the U.S. government has been keeping tabs on American citizens.
Unfortunately, there's not much, if anything, that can be done about the government tracking your business's electronic communications. There are, however, a number of proactive steps IT workers can take to block others, such as criminals or unscrupulous competitors, from taking a peek at — or outright stealing — your company's private data and customer information.
Missing smartphones are quickly catching up with lost notebooks as the chief source of corporate data breaches. Gadget insurer ProtectYourBubble reports that an incredible 113 smartphones are misplaced or stolen every minute in the United States. But while the value of lost hardware is enormous, the cost of business and customer data making its way into the wrong hands is practically incalculable.
Technology can help if used wisely. For notebooks, go beyond basic malware protection by adding full-disk encryption. Every major security vendor offers this, and there's even a free utility from TrueCrypt.org (though, unlike those from security vendors, it can't be centrally managed). It's not enough to encrypt directories; entire disks need to be protected, with a product that works before the operating system boots.
Parallel protection for smartphones, which don't support pre-boot encryption, involves remote-wipe technology implemented through mobile device management (MDM) — turning a lost or stolen phone into a paperweight before any data is lost.
Be sure that bring-your-own-device users know about your MDM solution's remote-wipe policies. It might actually encourage them to back up their smartphones and tablets, a rarity today.
Most major network-attached storage appliances offer encryption as an option, while server OSs allow at least data disks to be encrypted. And be sure to regularly encrypt all backup files.
Online data storage services, meanwhile, encrypt files in transit, but be sure to check that they offer encryption for files residing on servers as well.
Employees usually say they don't share passwords with coworkers, but they often do — just check the logs. Try sending an email blast reminding everyone about security best practices, including the fact that they must never, for any reason, send any passwords through email. A week later, send a second email from a random IT person asking for passwords to help with system maintenance. Count the percentage of passwords returned — usually a third to half — and weep. Then resend the email explaining security best practices once again and revealing your findings.
Although DLP tools have matured tremendously, employees still play a critical role in keeping data safe. Even companies with a DLP system in place should explain the consequences of data leakage.
Also, see where you keep customer financial information. Determine ways to keep it off your system, as the less customer data you store, the less you stand