March 2013

Data: Protecting What’s Private

Protecting What’s Private: Tips for protecting data from internal breaches and external threats

By: Justin Hadler, Hardware.com

Widespread panic is an understatement when an organization’s data falls into the wrong hands. Whether information is financial, medical, or simply personal, it’s crucial that sensitive data be protected from unauthorized individuals. Unfortunately, organizations are increasingly finding it necessary to protect themselves from both internal threats and external attacks. In fact, the Verizon 2012 Data Breach Investigations Report, which studied 855 data breach incidents occurring across the globe in 2011, involved 174 million compromised records[1]. This was noted as the second-highest data loss that the annual report has recorded since 2004. Since a data breach can be detrimental to business productivity, reputation, and profit, it’s important for organizations to take data privacy seriously—no matter their size.

Although each organization will vary in its approach to data privacy, it’s ideal to implement a variety of security measures. Chief Security Officers (CSO’s) can simplify the development of a data privacy strategy by focusing on privacy policies, bring your own device (BYOD) risks, web threats, and methods for securing internal data.

A Guide to Privacy
Without rules or governance, a data privacy strategy is not very effective. By implementing an internal privacy policy, organizations demonstrate that data privacy is a serious issue. A privacy policy is an employee document that clearly defines a company’s expectations for handling company, client, and customer information. It includes email, internet, and mobile device guidelines, laws, and regulations, as well as consequences for violating the proposed rules. The policy should also outline how to report a security breach so that attention can be given to the issue in a timely manner and should be updated as new threats and best practices are identified. In addition, employees should be required to attend training sessions that teach them about data privacy risks and how they can keep data from leaving company walls.

The BYOD Bubble
With more and more organizations allowing personal devices in the workplace, it is clear that the BYOD trend is here to stay. Workers are increasingly accessing company information using tablets, smartphones, and even removable storage devices such as USB flash drives. In a November 2012 survey, Blue Coat, a provider of web security and WAN optimization solutions, found that 71 percent of the 350 respondents accessed their company network with their personal devices[2]. Yet only 37 percent of information technology (IT) administrators believed employees were using personal devices for this purpose. It’s important that IT personnel are aware of the growing interest in BYOD, whether or not their organization allows it. Data privacy can easily be compromised if users lose personal devices or share them with others. For this reason, it’s crucial that all devices, not just computers or the primary device, are carefully managed with password protections, encrypted data, and antivirus software. All employee devices should conduct automatic updates so that the latest web browsers, operating systems, and security software are installed. If a device becomes infected, network administrators should have a way to quickly disable network access so that malicious content does not spread to other connected devices.

A Secure Web
It should be no surprise that many websites on the internet pose security risks. According to Google Inc., the corporation comes across 9,500 new malicious websites each day and responds by sending notifications to webmasters. Despite Google’s monitoring efforts, there are many harmful sites that may not be detected in time. If employees don’t have the most up-to-date antivirus software, an unintentional click can cause their device to become infected.

Although not intended to be malicious, social media sites can also present major security risks for web users. Because Twitter, Facebook, LinkedIn, and other similar sites are trusted, employees often let their guard down when using these channels. However, they need to be extremely careful, since there is no shortage of cybercriminals and spam on these sites. Spam is sometimes disguised as a link for a retail offer on a friend’s page or in a private message. Organizations should warn employees to never click on suspicious links, because these often contain malicious content capable of harming computers and stealing login information. This can be especially detrimental for employees who handle corporate social media accounts. In some cases, organizations may want to consider restricting access to social networks altogether in order to maximize their network security.

Sometimes a hacker strikes without anyone knowing until it is too late. Instead of simply having a reactive plan in place, organizations should consider proactive solutions that work in real time to identify hackers before they attack web applications. This can be accomplished with a sophisticated intrusion prevention system that will detect, track, profile, and prevent hackers as attacks happen.

Lockdown on Data
Data security is always critical, whether the data is in use, at rest, or in motion. If not, a hacker who gets beyond a firewall or other security measure has sensitive data right at his or her fingertips. One famous example occurred in the summer of 2012 when the South Carolina Department of Revenue had as many as 6.4 million records stolen, many of which included personally identifiable information (PII) such as Social Security and credit card numbers[3]. Verizon’s report also noted that 81 percent of the 855 breaches in 2011 utilized some form of hacking[4]. To keep data safe, organizations should use encryption so that even if information is stolen, it will be unreadable to a hacker. All data—whether stored in a database, on a mobile device, or a desktop computer in the office—should be included in these efforts. Unfortunately, Information Week’s 2012 Data Encryption Survey found that just 33 percent of IT professionals protect their databases this way, and less than half have used encryption for data on mobile devices[5].

In addition to protecting data from external threats, organizations should have measures in place to avoid data breaches that begin on the inside. These can occur in several ways. In some instances, an individual with access to information will be manipulated into releasing information to cybercriminals who are pretending to be someone else. Although only 7 percent of data breaches in 2011 were a result of this, the incidents were responsible for compromising 37 percent of the 174 million records that were lost. A recent close call is illustrated by the hacking of the New York Times’ computer systems, reported by the paper on January 31 2013[6]. The Times speculates that a phishing scam involving emails containing malicious links allowed hackers to infiltrate the computers of 53 employees and remain there for four months. Although no customer data was stolen, the incident makes it clear that any size organization is at risk for a breach. Internal data breaches can also occur when employees purposefully release corporate, client, or customer data to unauthorized individuals. To avoid a potential disaster, organizations should install firewalls that can monitor and filter outbound traffic. Thus, whether the cause is human error or malicious intent, data can be stopped before it reaches someone on the outside.

Safe and Sound
Keeping data out of the hands of cybercriminals is extremely important for any organization. By learning more about privacy policies, BYOD risks, web threats, and methods for keeping internal data safe, organizations can better understand the need for a variety of security measures and can more easily prioritize their implementation. Once all members of an organization are compliant and security measures are up to date, businesses can better protect private data from being mishandled internally or accessed by external threats.

Justin Hadler is Director of Engineering at Hardware.com in the U.S., a global leader in networking hardware, architectures, procurement, and support. Hardware.com’s team of experienced and distinguished consultants partner with companies to identify, implement, and support advanced network infrastructures that align companies’ technological requirements with their business and economic goals. For more information, please visit http://us.hardware.com.

 


[1] http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z037

[2] http://www.crn.com/slide-shows/security/240124895/6-corporate-byod-stats-to-worry-it-professionals.htm

[3] https://www.privacyrights.org/node/55227

[4] http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z037

[5] http://reports.informationweek.com/abstract/21/8628/Security/research-data-encryption.html?cid=pub_analyt_iwk_20120130

[6] http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=1&_r=0&ref=todayspaper

Share