By Daniel Hains
Resist “Bring Your Own Device” (BYOD) situations for all employees. BYOD translates to TMDWY (“Take My Data With You”).
The value of confidential intellectual property to any business is extremely high.
Often business owners are not aware of how vulnerable they are until an instance of electronic theft actually occurs. Implementing simple controls as well as establishing a policy on data use in relation to valuable, sensitive information can go a long way towards managing this risk area and ultimately preventing data from being lost from your business.
The intangible nature of intellectual property presents difficulties when compared with traditional property like land or goods. Unlike traditional property, intellectual property is indivisible – an unlimited number of people can “consume” an intellectual good without it being depleted.
Two main threats to your electronic IP:
- Internal – loss of data due to theft by former employees; and
- External – threats of data loss from external sources (e.g. ransomware)
Vincents computer forensic experts have practical, in-depth experience and specialise in assisting clients with tracing these types of matters and providing advice on how to protect against theft.
Current sources of data loss
- Major source of data theft until the widespread arrival and use of USB disks;
- Previously easy to trace using exchange servers;
- Now becoming prevalent again due to use of webmail, where data is external to the local network and accessible from anywhere.
- Ransomware is often delivered through malicious email attachments or emails with links to infected websites. Do not open any email that you are not 100% certain of the source, no matter how legitimate the email may seem. Even then, consider whether the website link or attachment itself could still be compromised. At a minimum, keep operating systems and antivirus software patched and up to date.
- Businesses have lost entire client databases to USB disks kept in staff pockets.
- This is perhaps the most prevalent method by which business experience data leakage and theft;
- Although often thought to be difficult to detect, in fact, forensic analysis reveals traces left in the computer registry, such as; link files, disk history, serial numbers and dates all assist with tracing theft.
- Cloud / data sharing apps have now been readily accessible for quite some time. These apps are characterized by their ease of use and difficulty in blocking and tracing;
- Forensic analysis identifies installations on staff workstations, often with traces of recent shared files;
- However, data shared across these apps is difficult to comprehensively identify and becomes a ‘genie out of the bottle’ situation.
Protecting business/corporate data
The goal of any data security strategy is Prevention – be aware of what and where your sensitive data is and identify the risks. What would you lose if those files were lost or shared?
- Tracing an occurrence of data theft is difficult and requires expert assistance.
- Actually retrieving sensitive, stolen data is expensive and sometimes close to impossible. Too often, I am engaged too late after the fact.
The cliché of Prevention being worth an ounce of cure is entirely applicable here.
- Spend time on constructing and enforcing a strong IT data policy that works for your business model and requirements.
- You don’t necessarily have to completely lock down your IT infrastructure, but take steps to identify and manage the risk of data leakage and theft. Completely removing USB disk access or cloud apps is possible, but may make a network difficult to use.
- A policy on responsible data use gives you swift recourse in the event of suspected theft
- Educate all employees to make them aware of the policy. In 99% of cases, the human is the weak link in a computer network.
- Take advantage of applications and providers that offer two-factor authentication. This works by sending you an SMS, or generating a code on your phone, with a second unique password that only works for a short time for that particular instance. This way, even if your password was compromised, access would still be impossible without the second authentication token.
- Best practice, use a password manager application to generate and store your passwords for you. These can typically be set up to generate a complex, lengthy password and store that along with your username so that any time you visit a site, the details can be retrieved and entered for you by the application. It goes without saying that the password used to secure the password manager needs to be equally complex, but this is only one password you will have to remember yourself.
- Use complex, unique That is, don’t use the same password for more than one application or website. In the event that one of your passwords has been compromised, that password won’t be able to be used to breach any other applications you use.
- Restrict access to important data to only those who require it for their duties;
- Place controls on important/sensitive files, such as;
- making files Read-Only;
- encrypt data on portable disks;
- place restrictions on printing or editing a file.
- Use application monitoring for sensitive information – especially where a cost / benefit analysis justifies their application;
- If cloud-sharing apps are preferred, avoid the simple personal-user accounts and instead obtain a professional level licence (often for low monthly cost). These higher-level licences provide superior file tracking, management of users’ permissions and file use logging;
- Resist “Bring Your Own Device” (BYOD) situations for all employees. BYOD translates to “Take My Data With You”. Once the ex-employee has departed with your sensitive data, you will also lose valuable, incriminating evidence that you need to rely upon later;
- If you suspect an acrimonious departure, secure the staff workstation and phone and have them properly imaged – insurance against future loss.
Consider professional assistance with enforcement
If you think that you have suffered a loss as a result of theft of data or a similar action:
- Resist the urge to try to investigate yourself – this could alter important evidence and won’t be able to be relied upon later;
- Remember the policy and controls that you put in place – any breach may be enough for action against a current / former employee;
- Securing ex-employee data (discussed earlier) can be the difference when action is necessary later on;
- Important to make a decision on enforcement sooner, if possible.
An Important Message
While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents. Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.