If you think that the security threats to your business data are all external, think again. While the possibility of hackers accessing your network or thieves breaking into the office to steal equipment is still cause for concern, the development of portable data storage devices means that a new threat lies much closer to home. Internal threats are hard to predict and can have a devastating effect. You need to consider where your data is stored, how it is secured physically and electronically, who has access to information and what devices staff could use to connect to the network. Staff may remove data inadvertently, or deliberately for financial gain or revenge. Confidential information is easily transported out of your office on writable CDs, DVDs, USB drives, MP3 players or mobile phones. These devices can have a large capacity and are a discreet way for an employee to copy data and walk out of the office without your ever knowing.
Ways to minimize the risk of internal security breaches include:
1. Undertake a risk analysis
This should consider your exposure to data theft and the impact it would have on the business. Ask the following questions:
What data do I have?
Identify whether it is business data or customer data and categorise it, e.g. financial, personal or operational.
How critical is the data to my business?
Customer information may be particularly sensitive. The business has legal responsibilities regarding the privacy and protection of customer data.
What would be the impact on the business if this were stolen?
Identify where and how your data is currently stored and who has physical and electronic access to it.
How and when is this information used?
And equally important, who uses it? Once you have identified the key areas of risk, develop a plan for how to prevent, detect and respond to breaches if they occur. Develop clear policies and procedures to ensure that the plan is implemented effectively and that staff understand their responsibilities.
2. Control access to computers and data
Only provide access to your computer network and data to those who need it to do their job, and grant staff access to data on a need-to-know basis. Consider how to separate staff roles and responsibilities so that you can segregate data more effectively. Create individual user accounts for all staff with access to computers and restrict access to drives and folders to specific user accounts. This allows you to manage each person's level of access and, potentially, to monitor transfers of data by external media or email. Most operating systems allow you to create standard or administrator-level accounts. It is recommended that normal users have accounts without the ability to install software, to reduce the chance of spyware or viruses being installed. If you have employees who occasionally need to install or modify software, create two accounts for them: the administrator account is used only when they need the additional privileges.
3. Install Data Loss Prevention (DLP) software
Data Loss Prevention (DLP) software can disable USB ports and can monitor or restrict the copying of files to USB devices. It can be configured either to silently monitor transfers or to actively stop users from transferring data.
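The account separation and folder restrictions from section 2 and the USB blocking or monitoring from section 3 can be applied on a single Windows workstation with the built-in tools, as in this added example (not code from the original article). It assumes an elevated PowerShell session on Windows 10 or 11; the user names, the folder path and the passwords are placeholders.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell
# session. "jsmith", "jsmith-admin" and D:\CustomerData are placeholder values.

# --- Section 2: a standard account for daily work and a separate admin account ---
# The standard account cannot install software; the admin account is used only
# when elevated rights are genuinely needed.
$dailyPw = Read-Host -AsSecureString "Password for jsmith (standard account)"
New-LocalUser -Name "jsmith" -Password $dailyPw -FullName "J. Smith"
Add-LocalGroupMember -Group "Users" -Member "jsmith"

$adminPw = Read-Host -AsSecureString "Password for jsmith-admin (installs only)"
New-LocalUser -Name "jsmith-admin" -Password $adminPw -FullName "J. Smith (admin)"
Add-LocalGroupMember -Group "Administrators" -Member "jsmith-admin"

# --- Section 2: restrict a data folder to named accounts only ---
$folder = "D:\CustomerData"    # placeholder path
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl = Get-Acl -Path $folder
# Stop inheriting the drive's default rules (which typically let all Users read).
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")))
}
# Only the named standard account may read and modify the folder contents.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\jsmith", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $folder -AclObject $acl

# --- Section 3, "actively stop": disable the USB mass-storage driver ---
# Start=4 marks the USBSTOR service as disabled, so flash drives no longer mount.
# This is a blunt control; a DLP product can instead allow approved devices only.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4

# --- Section 3, "silently monitor": audit access to removable storage instead ---
# File access on removable media is then recorded in the Security event log
# (event ID 4663), which can be reviewed or forwarded to a central log collector.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
```

Apply either the blocking step or the auditing step depending on whether the policy is to prevent transfers or merely to detect them; the audit events are only useful if someone actually reviews them.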
4. Implement access and use policies
Develop policies that outline what equipment and/or data your staff can access and how business-critical data must be handled. Outlining the consequences for breaches of the policy can act as a deterrent.
The policy should cover:
- Who can access business equipment and/or data
- How different types of data and specifically confidential information should be treated, including restrictions on emailing data
- Use and security of passwords including locking access when away from the desk and logging off at the end of the day
- Restrictions on installation of programs and software
- Use of remote access, particularly securing equipment and/or the connection when working from home, and the secure transfer and storage of data in the home
- Restrictions on use of computers for storing personal files such as music or video
- Details of your monitoring activity
- Consequences of policy breaches
In summary:
- Undertake a risk analysis and develop a plan for how to prevent, detect and respond to threats
- Create individual user accounts for all staff who have computer access
- Develop clear policies for employees using computers