Posted by: Ken Harthun
Data Leakage, Data Theft, Encryption, Security, Security best practice
Data leakage? What’s that, you ask? Well, it’s a growing security issue that has at its root the explosive proliferation of mobile and portable devices and the exponential growth of social networking tools, instant messaging, and external storage devices. Simply defined, data leakage is “the intentional or accidental exposure of sensitive information ranging from personally-identifiable information to protected intellectual property and trade secrets” (Source: Data Leakage for Dummies, Sophos Special Edition by Lawrence C. Miller, CISSP). You can download your own copy here, which, if you are involved in enterprise security like I am, I highly suggest you do.
The book outlines six ways to reduce data leakage risks, but I consider only five to be relevant and my order of importance is somewhat different. That probably doesn’t matter in the overall scheme of things as long as all the bases are covered. Here are my top five, in order from most important to least important:
- Device control – policy should be in place to control who is issued mobile devices such as laptops and smart phones based on roles and responsibilities. Policy should also include how staff, contractors, etc. may use removable storage devices such as external hard drives, USB thumb drives, CD/DVDs, cloud storage, etc.
- Encryption – laptops should be issued only with full-disk or file-level encryption. Employees who use USB thumb drives to occasionally move data around, or take it home to work on (yes, I know this isn’t best practice, but people do it anyway) should be instructed in the use of security that is normally provided on today’s leading USB storage devices.
- Anti-Virus – it goes without saying that ALL endpoints must have complete anti-virus/anti-malware protection to prevent hackers from accessing sensitive data through trojans and malicious links. Security policies should be implemented in Group Policy and automatically applied to any device connected to the network.
- Network access – strict policy should be in place to dictate who is granted access to the network and what level of access they are granted. Traffic in the network should be segmented so it can be monitored and any potentially insecure segments should be locked down tight.
- Application control – user-installed applications increase the risk of data leakage in your organization. Third-party IM, games, VoIP applications, and P2P software should be tightly controlled and, if allowed, should be thoroughly tested and vetted by the IT department before approval is issued.
These five areas form the basis of a comprehensive security policy to prevent data leakage in your organization. They also apply to your personal information.
Give them due consideration, won’t you?