Businesses and governments spend a lot of money and effort preventing hackers from accessing sensitive data, and rightfully so: the major data breaches that make the headlines are usually the work of outside agents who use known system vulnerabilities, trickery, and “brute force” methods to get credit card numbers, passwords and other saleable data. It is less well known, however, that many data breaches are carried out by the employees who are entrusted with that data. Sometimes this is deliberate and sometimes accidental, but either way, a data breach can ruin a firm’s business plans, intellectual property strategy and reputation.
There are several steps a business can take to prevent these inside-job data breaches. No method is foolproof, but the right combination of strategies, tools, and enforcement can stop all but the most determined miscreants.
Every employment or contractor agreement should require the employee to read and abide by data access and distribution policies, and should include a non-disclosure agreement. These policies and agreements should be carefully written so there is no ambiguity regarding what is expected and what the penalties are for non-compliance.
But people forget, so it is also prudent to remind them through periodic, mandatory training. This training need not be lengthy or onerous, but it should be frequent enough to keep employees thinking about data security and their role in it.
Another important administrative step is to implement clear data classification definitions: what kinds of information are company-confidential, and what can safely be shared with the outside world. When employees understand what types of data are sensitive and need to be protected, they can follow the rules more easily.
Another advantage of clear data classifications is the ability to control access accordingly. Every employee should have only the access needed to perform his or her job duties. Sensitive data should be kept in database systems with role-based access controls and audit trails that show who did what and when.
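The paragraph above asks for three things at once: a data classification on each record, a role that grants only the access a job needs, and an audit trail that records who did what and when. The following is an added example (not code from the original post or from iBridge) that puts the three together in one small SQLite-backed store. The roles, permissions and records are constructed sample data, and every access attempt is written to the audit table whether it is allowed or denied, since the denied attempts are the ones an insider-threat review most wants to see.

```python
"""Role-based access control with an audit trail, as a worked example.

Constructed sample data: three roles, a few records tagged with a data
classification, and an append-only audit table that records every access
attempt, allowed or denied.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed role -> permissions map; a permission is (classification, action).
# Each role holds only what its job needs: billing may export confidential
# data, support may read it, an analyst never touches it at all.
ROLE_PERMISSIONS = {
    "billing": {("confidential", "read"), ("confidential", "export")},
    "support": {("internal", "read"), ("confidential", "read")},
    "analyst": {("internal", "read"), ("public", "read")},
}


def open_store() -> sqlite3.Connection:
    """Create an in-memory store with classified records and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE records (
            id INTEGER PRIMARY KEY,
            classification TEXT NOT NULL,
            payload TEXT NOT NULL
        );
        CREATE TABLE audit (
            ts TEXT NOT NULL,
            actor TEXT NOT NULL,
            role TEXT NOT NULL,
            action TEXT NOT NULL,
            record_id INTEGER,
            outcome TEXT NOT NULL
        );
    """)
    # Constructed sample records, one per classification level.
    conn.executemany(
        "INSERT INTO records (id, classification, payload) VALUES (?, ?, ?)",
        [
            (1, "public", "press release draft"),
            (2, "internal", "office floor plan"),
            (3, "confidential", "customer card-on-file tokens"),
        ],
    )
    return conn


def access_record(conn, actor, role, action, record_id):
    """Enforce RBAC on one record and write an audit row for every attempt.

    Returns (outcome, payload); payload is None unless the access was allowed.
    """
    row = conn.execute(
        "SELECT classification, payload FROM records WHERE id = ?", (record_id,)
    ).fetchone()
    if row is None:
        outcome, payload = "denied:no-such-record", None
    else:
        classification, payload = row
        allowed = (classification, action) in ROLE_PERMISSIONS.get(role, set())
        outcome = "allowed" if allowed else "denied:policy"
        if not allowed:
            payload = None
    # The audit row is written before anything is returned, so a denial is
    # recorded just as reliably as a successful read.
    conn.execute(
        "INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, role, action, record_id, outcome),
    )
    conn.commit()
    return outcome, payload


def audit_trail(conn, actor=None):
    """Return audit rows (who did what, to which record, with what outcome)."""
    query = "SELECT actor, role, action, record_id, outcome FROM audit"
    if actor is None:
        cur = conn.execute(query + " ORDER BY rowid")
    else:
        cur = conn.execute(query + " WHERE actor = ? ORDER BY rowid", (actor,))
    return cur.fetchall()


def denied_attempts(conn):
    """The rows a periodic access review should look at first."""
    return [r for r in audit_trail(conn) if r[4].startswith("denied")]


if __name__ == "__main__":
    db = open_store()
    print(access_record(db, "alice", "billing", "read", 3))    # allowed
    print(access_record(db, "bob", "analyst", "read", 3))      # denied: no confidential access
    print(access_record(db, "carol", "support", "export", 3))  # denied: read-only on confidential
    for row in audit_trail(db):
        print(row)
```

The timestamp column is what turns the table into a trail rather than a tally: combined with the actor and outcome columns it answers the "who did what and when" question directly, and a query for `denied:` outcomes is a cheap first pass at spotting someone probing data outside their role.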
There are numerous software systems available that can monitor employees’ activities, and some can even prevent copying certain files or file types to USB flash memory devices, email attachments and web sites. These solutions can be pricey and take time to set up properly, but can be a good investment for businesses that have a lot to lose from data breaches.
What about Employee Privacy?
Businesses have been using computers long enough that most employees understand that the computers and data they use at work do not belong to them, and that they have no reasonable expectation that their activities will go unmonitored on some level—which is another item that should be clarified in the initial employment agreement. Monitoring tools need not be obtrusive, creepy or threatening, and most employees will accept them as long as the software does not place unnecessary burdens on their ability to do their jobs.
You never know when even the most trustworthy people will make bad choices regarding their employers’ data. Every employee and contractor is potentially a fox watching the henhouse. But with well-planned policies and procedures, coupled with appropriate, correctly-configured tools, businesses can make inside data breaches difficult, if not impossible, and keep those hens safe.
Written by Ashok Kumar, Manager, Information Security
Mr. Ashok Kumar brings over 14 years of Information Technology and Information Security experience to iBridge. He has worked in Healthcare, BPO, Telemedicine, Remote IT Infrastructure Monitoring and Management, Software development and Information Security Management. He has an understanding and knowledge of network routers, L2 & L3 switches, virtual Cloud infrastructure, Firewalls, UTMs, Server architectures and Server OS platforms including Novell NetWare, UNIX, Windows, Linux, and Solaris.
Ashok has played key roles in system design and capacity planning for enterprise-class, data-intensive applications for distance learning and diagnostics in healthcare. Recently, he was the lead architect for the design and deployment of a failover solution in healthcare for Patient Health Information (PHI) and demographics. He brings a well-balanced approach between budgets, requirements, and maintenance.
He leads the company in ISO 27001 process implementations and threat and risk assessment. He is responsible for all aspects of security at iBridge and for maintaining a best-in-class environment for internal users and clients.