If you talk to any senior manager today, you’re likely to hear the age old maxim ‘people are my organisation’s greatest asset’. Ask the same question to a CIO or IT manager and the answer will be very different.
Information, not people, is what makes a business operate successfully. Of course, employees are needed to create the information but the data held by a business (customer, competitor and market information, financials, HR records etc) and the protection of this data are key factors in an organisation’s ability to operate successfully and maintain future growth.
It is perhaps not surprising, then, that ‘data loss’ are two words that strike fear into the hearts of the IT and security industry, and rightly so. High profile incidents such as the data leak that led to the downfall of HBGary Federal and the leaking of the email database from the law firm ACSlaw, containing personally sensitive information on people involved in their cases, serve to highlight the potential impact of large scale data breaches. While it can be argued that, more often than not, these losses are either accidental or the result of external influences such as hacking, the end result is still the same – major embarrassment to both customers and the company, which can result in a damaged brand or, in severe cases, heavy fines, potential bankruptcy and even imprisonment.
In some industries regulation exists, such as Basel II and PCI DSS in the finance sector or the European data protection directive, which mandates controls over company information. Stringent audits are undertaken to ensure that organisations have the requisite IT systems in place to protect company and individual data. However, despite these regulations, the continuing headlines detailing high profile data losses still act as a warning that more can be done to protect a business’ greatest asset.
With this in mind, it’s not surprising that Information Data Loss Prevention (IDLP) is still high on the hype cycle for information security professionals, with myriad packages available to stem the leakage of data from our organisations. These enterprise solutions generally use techniques to classify data whether at rest (storage), in use (operational) or on the move (network). They then apply policies to decide whether to allow the information to be processed, to challenge the user or simply to log the activity. This can be based on factors such as its classification or the user requesting its use.
However, despite this increased focus on IDLP, there are still gaps in data security processes that, if breached, could have significant consequences. Take networked multifunctional devices (MFDs), for instance. Last year, news outlets in the US and UK highlighted how MFDs can be a hidden risk, as the information held on these devices’ hard disks potentially contains valuable and sensitive data.
While standard IDLP solutions do manage the information security risk around the end point, MFDs are often overlooked within an organisation as a potential threat. This is evidenced by the fact that the implementation and administration of MFDs is often handled outside the control of IT and the Information Security team, meaning that the same procedures and policies are not always maintained as for other digital solutions. When you consider that nearly a quarter of security breaches occurred through “paper based records” (Ponemon Institute, LLC, February 2008), you can understand the level of risk to which organisations are exposing themselves.
These devices are frequently shared across departments, teams, projects (and even across companies in some 'managed office' providers) so the risks are extremely high. They can run email, file transfer (ftp), web and eFax servers but often are not controlled to the same degree as corporate email servers or company web servers.
To highlight the potential threat, picture this scenario. Anyone with access to such a device could, deliberately or accidentally, copy a document left lying around and send it out of the company (by eFax) without using a PC or networked server, completely bypassing existing DLP solutions. This is not a hypothetical scenario. There has been a succession of high profile incidents of data loss across Europe. Whenever you hear that a private company or public sector organisation has inadvertently shared confidential customer or business records – be it via email or on a misplaced laptop – you understand the need to implement appropriate systems to safeguard sensitive data. For example, eFax systems can recognise sensitive information contained within a document and ask the sender for confirmation. Such smart technology can ensure that embarrassing and damaging incidents of data loss are avoided. It also makes clear that the protection of data must extend to all points that the information touches – and quite often this is the MFD.
Fortunately, systems exist today that help organisations to safeguard business data and information around the MFD and complete their DLP infrastructure. For instance, Canon’s uniFLOW v5 solution uses keyword recognition technology to automatically classify the data in the document being processed and decide how it should be handled through its flexible workflow engine. This provides an effective way for organisations to apply their existing IDLP policies and controls on the very devices where leaks may have been occurring.
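As an added illustration of the classify-then-decide flow described in this passage and in the earlier description of IDLP policies (allow, challenge or log based on classification and user), here is a toy Python check over the text of a document scanned at an MFD before it leaves by eFax, email or FTP. It is not the article's code nor Canon's uniFLOW or any other product's; the keyword rules, the Luhn test for card-like numbers and the policy table are constructed assumptions.

```python
import re

# Constructed classification rules: keyword pattern -> sensitivity label.
RULES = {
    "restricted": [
        re.compile(r"\bconfidential\b", re.I),
        re.compile(r"\bcase\s+file\b", re.I),
    ],
    "internal": [
        re.compile(r"\binternal use only\b", re.I),
        re.compile(r"\bpayroll\b", re.I),
    ],
}
RANK = {"public": 0, "internal": 1, "restricted": 2}
CARD_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit runs, separators allowed
OUTBOUND = {"efax", "email", "ftp"}  # channels that leave the organisation

def luhn_ok(digits: str) -> bool:
    """Luhn check so invoice or reference numbers are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Return the highest sensitivity label whose rules match the document text."""
    label = "public"
    for name, patterns in RULES.items():
        if RANK[name] > RANK[label] and any(p.search(text) for p in patterns):
            label = name
    # Digit runs that pass the Luhn check are treated as payment card numbers.
    if any(luhn_ok(re.sub(r"\D", "", run)) for run in CARD_RUN.findall(text)):
        label = "restricted"
    return label

def decide(text: str, channel: str, user_role: str) -> tuple[str, str]:
    """Policy step: allow, log or challenge, based on label, channel and user (constructed table)."""
    label = classify(text)
    if label == "public":
        return "allow", label
    if channel in OUTBOUND and (label == "restricted" or user_role == "guest"):
        return "challenge", label  # ask the sender to confirm before release
    return "log", label  # internal-only data, or a channel that stays in-house
```

The same document yields "challenge" when sent by eFax but only "log" when printed, which is the channel-aware behaviour the article attributes to MFD-side controls.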
IDLP may be high on the agenda but gaps still exist in organisations’ policies, which need to be plugged. There is no doubt that IT networks are becoming more secure as they are a major focus for corporate security. MFDs, in contrast, have not received such close attention and appear to be more vulnerable to attack. In fact, in many cases MFDs are left completely unprotected and solutions need to be put in place that secure data and improve an organisation’s IDLP policy.
The truth is that, unlike a lot of the latest IT systems or fancy acronyms, IDLP is not new. We’ve always kept locked cabinets full of documents, which in itself is IDLP, so defining an appropriate solution can be as simple as asking what information we are leaking, how much it is costing us, why it happens and how we can prevent it.
Protecting your organisation’s greatest asset means looking at the complete flow of information throughout the business. This includes the MFD, which has traditionally been overlooked as a potential security threat but which can be protected easily through the deployment of technologies that safeguard business data and information around the MFD.
IDLP can be hard to implement, especially where there is no regulatory driver, but think of it as an insurance policy against the worst case scenario, because a locked cabinet is no longer sophisticated enough to protect your business from substantial data loss and its serious consequences.