On almost a daily basis the media share stories of confidential information being disposed of in park bins, laptops being found in taxis and passwords being published on the Internet.

While this is undoubtedly concerning, the findings from a global security study on data leakage have revealed that the data loss resulting from employee behavior poses a much more extensive threat than many IT professionals believe.

Historically, data was deemed secure within the physical perimeter of an organization; however, technology continues to change the landscape on daily basis. Take, for example, a 4GB key ring-sized USB device capable of storing 10,000 word documents. These USB devices make it easier for data to trickle out beyond the perimeter. The changes in technology and Internet usage make it a near-impossible task for data security to be the responsibility of one or selected members of staff.

Careless Whispers

Data leakage through hackers exploiting known vulnerabilities is well publicized. Less so is the threat from employees discussing projects on trains or in airport lounges unknowingly providing competitors with confidential information.

Deterring the discussion of sensitive information in public is by no means a new idea – the World War Two “Loose Lips and Careless Talk” propaganda posters clearly convey the message. Although the threat today may not seem as tangible, consider the implications for a small company who lose a key project after a competitor happens to eavesdrop on a conversation.

Protection, Protection, Protection

Data capture by hackers can occur through employees using unapproved applications on corporate networks. Personal emails are the most common application followed closely by online banking and shopping. These applications pose a risk as they are rarely monitored and non-compliant with company security standards.

The risk from employees occurs where they use laptops or smart devices to access company information. There is the risk that these devices will be left on a train for example. Whilst access to most company laptops is protected by username and password requirements, all too often smart devices, e.g. iPads or BlackBerrys, are unprotected and the information on the device can therefore be accessed easily.

There are a number of steps that can be taken to tackle data leakage, including:

• Create training that is suitable and applicable to the employees – one size does not always fit all;
• Establish and maintain a culture of data protection, this includes everyone having personal responsibility;
• Continuously evaluate the risk and changes to circumstances to maintain an understanding of the threat;
• Enforce encryption on mobile devices and only authorize use of smart devices if they have password protection;
• Provide tools that enable data security including regular awareness briefings – verbal and written;
• Ensure security policies are appropriate, communicated and enforced – keep them simple and universally comprehensible; and
• Executives and senior management should serve as an example of data security good practice.

There is no magic pill or single solution to data leakage as the threat is often executed by individuals who may not understand the implications of their actions. Therefore the challenge is to make the awareness understandable and memorable, resulting in opportunities for leakage to be reduced and media stories of people mislaying laptops or smartphones avoided.

Mike Howie is an information security consultant with CS Risk Management in Bracknell, England.