Skip Links | Site Map | Privacy & Cookies

BlogSpot: Securing your confidential data from 'Bob'

David Martin

About the author

David Martin David is a Managing Director at Cyber Sentinel, a specialist in delivering solutions that mitigate against the risk of next generation cyber threats and data exfiltration. During a career spanning more than twenty years he has experience of working with and for some of the IT industry's largest and most influential organisations including the likes of IBM, SAP and Compuware. David has a number of other interests including a Directorship at The Technology Alliance, a business that adds the critical sales and marketing skills growing tech companies need to bridge the gap between early product innovation and long-term commercial success.

I speak to lots of small and medium sized businesses and many are confused and frustrated about the amount of well meaning advice they receive - often from people like me - on matters of information security. So much so that the issue is often and understandably pushed down the to-do list in place of seemingly more obvious priorities.

I come across two common prevailing views. The first is that information security is only an issue for big business whilst - secondly - even those who do recognise it as an issue mistakenly believe that they have sufficiently robust procedures and technology to deal with it.

I spoke recently with - let's call her - Jenny. Jenny is responsible for, amongst other things, matters of IT including how she ensures critical information isn't lost or sent places without authorisation. I asked Jenny "how do you know what information is leaving your business on flash-drives or email and how do you stop what shouldn't be leaving? How do you maintain security when laptops and smartphones are off network; say in an aircraft at 30,000 feet?"

Jenny told me how she locks down USB ports - although not for everyone - and she can review email on the Exchange server although the aircraft scenario had her stumped. And companies like hers don't have data worth stealing anyway. Locking down USB ports needs to be universal to be even partially effective and a busy manager spending hours checking email logs? Really?

What Jenny misses is that even the smallest company has information that represents hard cash to competitors and criminals: credit card details, customers' names and addresses, or the designs vital to an innovative start-up - all these have a value to - let's call him Bob - the cyber criminal.

Bob knows that a smaller business can often be an easier way of reaching the larger firms whom they supply. These same larger firms are becoming acutely aware of the vulnerabilities that exist in modern global, hyper-connected and highly extended supply chains and evidence suggests that these firms are starting to vet suppliers on the risks they pose.

So who exactly is Bob? Bob could be an uber smart, faceless cyber criminal looking to hack your critical data. More likely though Bob's probably a malicious employee looking to make some commercial gain from the access he has to your confidential data. He might simply be negligent staff member with the potential to do something innocently silly or to become an exploit point for someone with more criminal intent. Whatever, Bob represents what has become to be known as the Insider Threat.

So how do businesses without huge IT budgets and access to specialist skills protect themselves from Bob? Your company's Firewall won't help as Bob's already on the inside so you need something affordable and effective that looks out for Bob, prevents him from doing something malicious or negligent and supports a quick and effective response to a data integrity breach.

Solutions tend to fall into a handful of key areas and businesses need to decide which ones - if not all - provide the right level of protection for their own particular situation.

The first fall into the camp known as Data Loss Prevention. DLP solutions have been around for some time but typically require lots of hardware with a big price tag affordable only by those with a correspondingly big budget. A limited number of solutions for small and medium sized business have emerged recently which provide sufficiently robust security for those needing to stop sensitive data leaking vial email, webmail, IM, USB or other means. The best of these also don't require any additional hardware.

Another key requirement in today's increasingly mobile work is the ability to secure or recover lost or stolen laptops - or at least the data on them. Good solutions in this category will allow you to geo-locate and track lost or stolen devices, remotely retrieving or deleting critical data. The very best in this category will also extend the capability to the monitoring of smartphones. These solutions allow you to potentially track calls and inbound and outbound photos, SMS and email.

Most organisations should also consider some form of Employee Monitoring; an effective facility to record and block inappropriate activity, eliminate liability and audit current and historic user activity. Web Filtering is a related technology and the best solutions offer a full function filtering capability to ensure only appropriate content is viewed using company devices no matter where the computer goes and without any additional hardware.

As well as the obvious security benefits of deploying some or all of these solutions the additional audit capabilities inherent in all should not be overlooked in terms of potential litigation arising from computer misuse.

Lancaster University cannot be held responsible for any activity by its Association Members. We display information from InfoLab21 Associate Companies on our site and we are not responsible for the content or privacy polices of InfoLab21 Associate Companies' sites, nor for the way in which information about them is treated.

Tue 27 November 2012