On almost a daily basis the media share stories of confidential information being disposed of in park bins, laptops being found in taxis and passwords being published on the Internet.

While this is undoubtedly concerning, the findings from a global security study on data leakage have revealed that the data loss resulting from employee behavior poses a much more extensive threat than many IT professionals believe.

Historically, data was deemed secure within the physical perimeter of an organization; however, technology continues to change the landscape on a daily basis. Take, for example, a 4GB keyring-sized USB device capable of storing 10,000 Word documents. These USB devices make it easier for data to trickle out beyond the perimeter. The changes in technology and Internet usage make it a near-impossible task for data security to be the responsibility of one or selected members of staff.

Careless Whispers

Data leakage through hackers exploiting known vulnerabilities is well publicized. Less so is the threat from employees discussing projects on trains or in airport lounges, unknowingly providing competitors with confidential information.

Deterring the discussion of sensitive information in public is by no means a new idea – the World War Two “Loose Lips and Careless Talk” propaganda posters clearly convey the message. Although the threat today may not seem as tangible, consider the implications for a small company that loses a key project after a competitor happens to eavesdrop on a conversation.

Protection, Protection, Protection

Data capture by hackers can occur through employees using unapproved applications on corporate networks. Personal email is the most common such application, followed closely by online banking and shopping. These applications pose a risk as they are rarely monitored and non-compliant with company security standards.

The risk from employees occurs where they use laptops or smart devices to access company information. There is the risk that these devices will be left on a train, for example. Whilst access to most company laptops is protected by username and password requirements, all too often smart devices, e.g. iPads or BlackBerrys, are unprotected and the information on the device can therefore be accessed easily.

There are a number of steps that can be taken to tackle data leakage, including:

  • Create training that is suitable and applicable to the employees – one size does not always fit all;
  • Establish and maintain a culture of data protection, which includes everyone having personal responsibility;
  • Continuously evaluate the risk and changes to circumstances to maintain an understanding of the threat;
  • Enforce encryption on mobile devices and only authorize use of smart devices if they have password protection;
  • Provide tools that enable data security, including regular awareness briefings – verbal and written;
  • Ensure security policies are appropriate, communicated and enforced – keep them simple and universally comprehensible; and
  • Executives and senior management should serve as an example of data security good practice.

There is no magic pill or single solution to data leakage, as the threat is often executed by individuals who may not understand the implications of their actions. Therefore the challenge is to make the awareness understandable and memorable, resulting in opportunities for leakage being reduced and media stories of people mislaying laptops or smartphones being avoided.

Mike Howie is an information security consultant with CS Risk Management in Bracknell, England.
