Prevent Vital Business Data from Walking Out the Door

Staff come and go. But data, like diamonds, can last forever. People shuffle desktops, laptops, smartphones and tablets around, and within each device can be a treasure trove of so-called dark data, defined as data that is unmanaged and untracked by an organization.

When this type of data is left on notebooks, phones and other mobile devices and isn’t backed up, it can easily be lost when hard drives crash or employees leave. No one wants to discover that crucial data was accidentally given away, left on a hard drive in a long-departed laptop or inadvertently sold online. Here are some tips for preventing dark data loss.

Build infrastructure that encourages managed data storage When a solid and speedy infrastructure is in place for users to store documents, local copies aren’t necessary. Old-school file servers are not flexible enough for mobile workers, but newer technologies — including enterprise file sync and share products, such as Citrix ShareFile, or cloud-based services, such as Dropbox and Microsoft Office 365 OneDrive — provide ways for users to share and store documents without leaving them vulnerable on their own devices.

Those services and products all offer business-oriented variants, including such features as integration with Active Directory; controlled sharing with external users, such as suppliers or business partners; central management of access controls and file protections; and integration with collaboration tools.

Discourage Local Storage and Encourage Regular Clean Up

While building up a good infrastructure to replace hard drives, start withdrawing support for local storage. Stop running backups on end-user desktops or laptops — and loudly announce that it’s stopping, as a way to make clear that storing data on local PCs is a big risk.

There’s a second benefit to pushing data off PCs and onto central storage: Ransomware can’t do much damage if all of the important data is in one place and backed up regularly.

The organization’s desktop and ­laptop management style should also encourage regular hard-drive wiping. Reimaging PCs (rather than trying to save user data) will send users a message that their local hard drive is not a good place for storing data.

Add Encryption Everywhere for User Devices

Start encrypting all disks in user devices. Encryption is no longer a performance killer, and all modern operating systems allow users to turn on encryption easily if it’s not already on by default, which it is for most smartphones. Any laptops or desktops should have full-disk encryption enabled — not just individual file systems or partitions (such as Windows Encrypting File System).

Modern versions of Windows can use BitLocker to encrypt entire hard drives, with good Active Directory integration (for key recovery), in domain-joined PCs. For users who want to work on their home PCs, encourage and enable the same infrastructure setup that company-owned devices have.

Encryption should be mandatory for anyone working on their own PC. It may be necessary to provide a third-party encryption tool — a wide variety are available — or to offer help in setting up Windows Device Encryption, a more consumer-oriented disk encryption tool.

Beyond end-user devices, add an encryption layer to enterprise file sync and sharing as well. Because many of those tools cache copies of directories on each linked device, take care to encrypt the cache itself, above and beyond the device encryption. That ensures, for example, that a PC that’s sent to charity (with the administrator password written on a note card) won’t leak dark data.

Use Tools that Detect Problems and Enforce Rules

In organizations where most users work on domain-joined PCs, detecting excessive local storage is easy, both through commercial products and even homegrown login scripts. Simple tools that look for a large number of Microsoft Office documents or aging documents of any kind can also perform automatic cleanup or warn users and administrators that there’s a risk of dark data.

For other devices, including smartphones and nondomain PCs (such as personal laptops or Macintosh systems), detecting a stash of corporate data is much more difficult. One option some IT managers have explored is using the posture-checking tools built into VPN clients to run a quick scan on devices as they connect to the corporate network. However, differentiating between a pile of corporate data (that’s bad) and a pile of personal data (that’s to be expected) is almost impossible.

Smartphones and tablets are a little easier in that regard, with containerization technology that creates split home/work environments, providing additional protections to the work side of the devices. Making containerization mandatory, and offering to pay for the license, can reduce the risk of data loss.

Train Teams Properly on Dark Data Risks

Building an infrastructure to discourage dark data in the first place is one of the keys to preventing dark data loss. But user awareness also helps. As IT shifts users away from storing data locally, make sure they understand why it’s happening and what they should be doing to reduce the risk of loss. Experience shows that users will make good decisions if they know why they are being asked to do something — even more so when doing the right thing is the easiest option.

Supplementing that training with a cybersecurity awareness program is one option. But consider other ways to make the point. For example, login scripts that check for inappropriate data storage can pop up a message telling users that they’re doing something that violates policy — and report repeat offenders to a manager who can deliver a more emphatic message.

Many technology-based security solutions are on the market, but smart decision-making by employees and ­organizational leaders goes a long way. That’s particularly true with dark data, which is fundamentally a problem caused by (and therefore ­solvable by) humans.