/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsInformation is the life blood of every organization, and must therefore be prevented from being leaked or getting into the wrong hands. This task is becoming increasingly tougher thanks to so many different communication channels that are available today for an organization to interact on. Some of the newer ones include social networking sites, mobile phones and other mobile Internet devices, and your own portals. Plus of course, there's the good old email, chat, and USB drives. There are numerous ways by which information can be leaked out from each of these channels. So much so that basic solutions like Firewalls, anti-virus and anti-spam software are just not sufficient to safeguard information. This calls for a strategy to prevent data loss, which comprises of a mix of policies and IT solutions to safeguard your data. Before getting into the solutions, let's understand how these channels can be compromised.
/pcq/media/post_attachments/82dfcbeb467a9d576790ff8885d9724b7fa3c3af01148c09c53cea71de640e8a.jpg)
Information leakage: some
examples
Most organizations these days allow and in fact encourage their employees to use social networking sites so that they're more productive. For instance, organizations often encourage their employees to write blogs so that they can recognize talent and understand what employees at various levels are doing. Similarly, they'd like employees to use various social networking sites for various reasons. While the intent here is very much positive, there are negative implications of allowing access to social networking sites and blogging as well.
The infamous blogger: For instance, what would you do if any employee writes something negative about your organization in a blog, or an ex-disgruntled employee tweets negatively about your organization? As a result, your organization's credibility gets affected and there's loss of reputation and business. What do you do? Should you penalize the employee who wrote that blog? How would you deal with the ex-employee?
The Innocent Tweeter: Let's take another case. What if an employee unknowingly reveals on Twitter details of a confidential project that your organization is working on? For all you know, the employee was only trying to boast of his own achievements in the project, and shared the details unknowingly. As a result, your competition managed to discover what you're working on and mis-used it against you. Can you really blame your employee for his/her actions?
Hardware theft: I'm sure every organization today would have lost a laptop or two at one point of time or another. At that point of time, the price of the laptop is less important than the data on it. Unfortunately, you can't really blame anybody for this loss, because it's seldom done intentionally. But hardware theft forms a potential channel of data leakage.
Open ports: USB has become the most important port on any system today, because just about every external device connects through it. The biggest concern with this port from a security standpoint is with the USB storage devices. An employee could simply connect an external USB storage device, copy all the data and take it home or share it with others.
Web app vulnerabilities: Somebody injects an SQL code into an online customer registration form on your portal, and manages to gain control your back-end database. Somebody puts a cross site script on a web browser and hijacks your customer's session. These are just two of the many different types of attacks that have emerged for websites these days. The more feature rich your online web portal, the higher the number of vulnerabilities it would have that can be compromised. You obviously need proper security measures to counter such threats.
Policies to counter information theft
There's no clear yes or no answer to any of the above questions we put up on information leakage. What's required therefore, are clear policies on what your employees can and can't do on the web; and the action that the organization can take in case of a breach. These policies have to be clearly communicated to each employee and then enforced. Moreover, this is not a one time process. You can't for instance, give a one-time training about the security policies and then expect the employee to remember them forever. Intimation about your company's security policies has to be a continuous process, with clear communication going out from time to time to all employees. If this doesn't happen, there's bound to be a conflict between the IT department and employees.
Strategy to measure security
A strategy to prevent information theft is indeed important, but equally important is the need to measure how secure is your organization. You might have deployed a lot of security solutions, but how do you really measure their effectiveness? Where are the gaps? Unless you know that, you can't really close them.
The solutions
There are plenty of solutions that are available to prevent information leakage and mis-use. You can for instance, lock the USB ports on your systems to prevent data from being copied and taken outside the organization. You can encrypt entire hard drives or specific files and folders to that even if that data is stolen, the information can't be mis-used. There are solutions to protect your portal against security threats. You'll have to combine these solutions with the right policies to prevent data leakage from your organization.
In the pages to follow, we've talked about the solutions and strategies for implementing information security effectively in your organization.