Data leaks are a common scenario regardless of the size of the organisation. The challenge is how one can overcome this in a safe, efficient and cost effective way, to prevent the same scenario from repeating in future. Today, with the work environment taking a drastic change, data goes on laptops or smart phones employees carry. Servers are protected against external attacks using detection systems, firewall, malware scanners etc. They may even deploy identity management systems that audit and manage the activity of users on their networks.
But when it comes to portable devices, most IT managers do not know where to start. It’s the endpoints of the network where enterprises are most vulnerable to data leakage.
There are a number of risks organisations are exposed to as far as endpoints are concerned.
- Theft of confidential information due to accidental or deliberate data leakage.
- Failure to comply with industry safety standards, taking endpoint protection lightly.
- Loss of sensitive customer or employee data that can lead companies to legal liabilities.
- Accidentally deleting critical data.
- Irreplaceable damage done to the company image.
The list is endless. Establishing corporate policies without really enforcing them doesn’t do any good. A comprehensive top down approach is needed.
Fortunately, there are practices that can mitigate the risks and enable endpoint security for the organisation. These practices involve knowing what devices your organization uses and what data it needs to protect, developing policies that fit each role in the organization, and implementing tools that allow you to audit and enforce the policies without restricting employees’ productivity.
1. Hardware Inventory:
Make a conscious effort of auditing all the hardware and storage devices available in the organization. Automate a software process of scanning each device on your network, identifying every device that’s ever been connected to it. This information will help you set policies for each device, educating employees on what device is applicable to what protection and what kind of information they can store on it.
2. Identify and label sensitive data:
Organisations need to clearly assess all the information flowing around the organisation and clearly understand what information is “critical”. Data like company financials, HR records, social security numbers, customer accounts etc are some examples of data that can qualify to be sensitive. Scan each of these files on network drives and client machines, clearly labelling it as confidential. To full proof this, use software that can offer real time scanning of documents as they are opened or integrated with content filters used to scan outgoing emails for leaks of proprietary information.
3. Establish hardware policies:
As the hardware audit has been done, now the organisation can decide what type of hardware will accept what data and what data will be restricted. Again, this will vary on the role and responsibility of the person using that device. As the data has been labelled in terms of sensitivity standards, a good start would be to store sensitive data on encrypted devices. Endpoint security policies must also determine what kinds of smart phones and portable storage devices are allowed to access the network.
4. Define data usage guidelines:
As every individual in the company is working on different data and different storage devices, it’s very important to establish guidelines as to what kind of data is portable and how it is treated. Some files may be read only, some may be encrypted, and others may be off limits for all but authorized personnel. Such policies must be comprehensive enough to protect your organization, but not so restrictive they impede employee productivity. For that reason, many large organizations choose to monitor and log access to sensitive files rather than block them outright
5. Centralized management system:
Policies alone won’t make your endpoints secure. You need to ensure that they are appropriately enforced. Network-based data leak prevention systems like EVAULT can detect activity at the port level on every machine connected to the LAN, as well as WiFi connections. They can log all attempts to copy or manipulate sensitive files, alert employees who are attempting to read or modify confidential data, and enforce policies – such as only allowing sensitive data to be copied to encrypted flash drives. With Evault, you can even track when users are offline. However, be sure that whatever system you choose integrates into LDAP-based directory services such as Microsoft Active Directory.
6. Top down approach:
As data protection is no longer mission impossible when guidelines are full proof, organizations must perform a thorough risk analysis and establish a security hierarchy. Start from the top clearly identifying personnel who travel with sensitive data and lock them down before moving to the rest of the organization.
7. Train your employees:
The best defence against data leaks is a well informed workforce. Employees need to be educated on how to avoid data leaks and report any loopholes they may come across in the long run. They should be aware of the compliance frame work the company operates at.
8. TEST! TEST! TEST!
You cannot know if your endpoint security system is working until you test it – preferably via a third party firm that can probe for weaknesses your IT staff may not have considered and improve the system.