Shepherd Or Sheepdog? How To Enforce Company Policies Designed To Protect Your Data
By Richard Walters, CTO at Overtis
From user passwords written on post-it notes and prominently displayed on computer monitors, to copying files to USB drives to work on at home, your employees’ daily practices can differ markedly from your security policy. These activities aren’t carried out with malicious intent, people are just trying to do their jobs.
Information security usually focuses on protecting against the risk posed by organised criminals, competitors and external agents. This article discusses the insider threat and why good personnel management is crucial to your company’s risk management strategy.
A woolly policy?
In Wales and the Forest of Dean, people have witnessed sheep rolling across cattle grids in order to gain their liberty. This rogue behaviour in the natural world has echoes in corporate risk management. If employees are overly restricted by security procedures they will actively seek workarounds. So are you overseeing your security policy and guiding staff in best practices, or constantly chasing after rolling sheep?
Every day in workplaces across the country employees are unwittingly defying security policy or bending the rules to get their work done. As a result, a security breach or data loss is as likely to be caused entirely unintentionally as by a calculated attempt to steal information.
The transfer of 25 million child support records onto 2 CDs, which subsequently got lost in the post between the HMRC and the National Audit Office, resulted in the most infamous security breach of the last decade. This was a classic example of a junior employee doing what he was told, against government security rules. User education is therefore key.
Educate, Enforce, Record
The most recent Conficker infection forced Greater Manchester Police to disconnect from the Police National Database from 29th January to 3rd February 2010, while IT experts cleaned the worm off the network. It is suspected that this was caused by a member of staff plugging an infected USB memory stick into a computer on the Force’s network. Yet it is only twelve months since Manchester Council banned staff from using USB sticks after it was forced to spend £1.2 million cleaning up a Conficker infection in January 2009. People have short memories, so it’s important to reinforce your security policies so that employees remember to follow best practice.
Security management has always involved a balance between safeguarding information and giving employees the access they need to get on with their jobs. Where employees feel penned in by security, they will look for ways around it. Security policies need to be enforced by endpoint technology that reminds staff of company rules, then blocks and records any attempted breaches.
• Consider the risk of rolling sheep - Ensure that you have in place timely staff vetting and revocation procedures. Make sure that new staff undergo appropriate induction in acceptable usage policies before providing access to the network. Former employees should no longer have access to email, the network or mobile computing devices. Casual staff and cleaners should not have access to confidential printed material and workstation use must be monitored outside of normal working hours.
• Knitting it all together - Quantify the data that can be lost and document key user workflows to understand how staff interact with data. Critical assets may contain specific project names, codenames or data types (such as credit card details). If you can restrict access to sensitive data on a need-to-know basis then you can reduce the likelihood of it being leaked and more easily identify the source of any breach in the event that an employee is acting maliciously. Ensure your physical and IT based security systems can talk to one another - link CCTV sequences and desktop screenshots with user logins or entry to secure areas - to provide a visual audit trail of events, creating a highly effective holistic security system.
• Identify cattle grid opportunities - How easy is it for an employee to print out a restricted document, and walk out of the door with it? Can they siphon data out on a USB drive, iPod, smartphone; or attach sensitive documents to webmail? Do you have a policy on social networking? Dialog prompt boxes that ask the user if they wish to proceed, before attaching a sensitive file to an email or printing out a confidential email, could prevent a data breach. Enforce similar rulesets on mobile computing devices to those used on fixed endpoints, only permitting users to view data that matches their access privileges on the corporate network.
• Shepherd your company’s data assets - Vault applications are capable of simply encrypting files, ensuring that they are stored, copied or transmitted in a secure format. The value of allowing your staff to work unhindered by security is often underestimated. Enabling employees to encrypt data at the point of creation on the desktop can go a long way towards reaching the balance between usability and security. Individuals are often unaware that their actions constitute a potential data breach. Alerting employees to any action that conflicts with security procedure, or warning them when they access restricted documents, provides a gentle reminder on policy. Solutions that mentor rather than simply blocking activity will be less likely to prompt innocent employees to breach secure working practices. Integrate these dialog prompts with physical security such as CCTV images and access card audits, so that you have a record of who was working on a document at the time the risky activity was flagged up. This can help to identify employees who might need amended access privileges or updated training.
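As an added example (not code from the article or from Overtis), here is a small Python policy check in the spirit of the "knitting it all together" and "cattle grid" points above: it classifies content by hypothetical project codenames and by Luhn-validated card numbers, then decides whether an action (email attach, print, USB copy) should be allowed, prompted or blocked, and produces an audit record for the visual audit trail. The codenames, the prompt/block tiers and the action names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hypothetical critical-asset markers a company might configure (constructed).
CODENAMES = ("Project Merlin", "Falcon-2")
# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum, so random digit runs (invoice refs etc.) are not flagged."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str   # "codename" or "card"
    value: str  # codename, or card number masked to its last four digits


def classify(text: str) -> list[Finding]:
    """Return the sensitive markers found in a document or message body."""
    findings = [Finding("codename", n) for n in CODENAMES if n.lower() in text.lower()]
    for m in CARD_RE.finditer(text):
        digits = "".join(c for c in m.group() if c.isdigit())
        if luhn_valid(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def decide(action: str, text: str, user: str) -> tuple[str, dict]:
    """Assumed policy tiers: codenames get a mentoring prompt, payment card data
    is blocked outright, everything is recorded against the user and action."""
    findings = classify(text)
    if any(f.kind == "card" for f in findings):
        verdict = "block"
    elif findings:
        verdict = "prompt"
    else:
        verdict = "allow"
    record = {"user": user, "action": action, "verdict": verdict,
              "findings": [(f.kind, f.value) for f in findings]}
    return verdict, record
```

The audit record is what you would correlate with login events or CCTV timestamps; it never stores the full card number.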
Good personnel management goes a long way towards reducing corporate risk. Using integrated endpoint security, access control systems and CCTV, risk managers can gain complete visibility of the way that staff interact with company data and use this to inform user education, access rights and policy enforcement. As a result, unintentional data loss is prevented and the organisation stands to gain in productivity by enabling staff to get on with their jobs. Meanwhile, IT managers can stop chasing their tails and focus on delivering strategic benefits to the business.