Five Golden Steps to Stopping the Sabotage of Sensitive Corporate Data
So it’s official then. Men are more truthful than women, and Scots are the most truthful social group in the UK. A recent research by YouGov, and commissioned by Microsoft, found that “22% of UK employees admit to having illegally accessed sensitive internal information such as salary details on their employer’s IT systems and over half (54%) would do, given the opportunity.”
What is of course interesting from the statistics is that 27% of men, compared to 16% of women, admitted to having stolen confidential information, and 25% of Scots admitted to doing it as opposed to only 18% in the Midlands. Which just goes to prove – Scotsmen are the most honest group in the UK! It’s not the stats – It’s how you interpret them.
But this is not simply a cause for some hilarity, but rather is an indicator of a much more serious problem facing every organisation in the UK. There is a legal requirement to protect sensitive data, apart from the fact that the very survival of your business and reputation can rest on the protection of highly sensitive information. And to continue the alarmist message, recent studies by CERT have found that 90% of those that access this information, and who are likely to abuse it are IT professionals. Of course this doesn’t prove that IT professionals are more dishonest – it’s just that maybe they have a genetic predisposition to give in to temptation.
Today organisations, whether in the public or private sector have a duty to safely store, process and exchange sensitive data inside and outside of their organisation in a way that is, preferably, transparent to the user.
There are essentially three broad areas that organisations should aim to address to counter the problem.
1. Basic human errors and negligence
2. Attacks by inquisitive but easily discouraged third parties with possible criminal intent targeting your organization’s data whether it is being processed, transported or stored and
3. Attacks by focused, determined and resourceful employees, and ex-employees, system managers, and third parties with criminal intent specifically targeting secret data when processed, transported or stored.
The third category is the one that by far represents statistically the greatest risk and presents the biggest challenge since it is relatively easy to take steps to combat the first two cases. In the third case, statistically it has been proven that the most damage has been done by those who had the means to access data that did not pertain to them, and who accessed it using system resources that your normal user would normally possess.
It is therefore absolutely essential that adequate controls are put in place to ensure that sensitive data is protected from abuse. Many organisations are under the misapprehension that there is simply no effective method to secure digital assets from systems administrators and therefore simply live with the risk. But the reality is actually the opposite. Many organisations today have implemented solutions that guarantee that no matter how resourceful or determined someone may be, the organisation can remove this risk. At a minimum the following list can serve as a useful guideline on how to do this.
1. Create a secure repository – sensitive data can be stored in a manner that provides the owner complete control over who has access, and where they have to be to gain access. In other words the organisation can immediately eliminate the risk of unauthorised users gaining access from the outside. It also ensures that system administrators are no longer able to access the data even although they may be responsible for managing the system that stores the data.
2. Use effective but manageable encryption – methods that do not require administrative intervention removes the risk of keys being managed by systems staff. Symmetric encryption of data offers a solution that removes the need for human intervention, and eliminates the risk associated with recovering private keys. Data should be stored using the strongest algorithms available in the market, such as AES256 and RSA-2048
3. Backup Securely – Backup is a very critical component, and something that can be abused. It is absolutely essential therefore that any system that is used to backup data should do so in its encrypted form with no regards to the method of backup.
4. Segregation of Duties – There needs to be segregation between system management and data management. Additionally there should be hierarchies within data management, such as dual-control which can enforce checks and balances to ensure that highly sensitive data cannot be accessed unless authorisation has been given. If possible the access to, and responsibility for, data should be devolved to the relevant departments. For example there is no reason why anyone outside of HR should have access to HR data. There needs to be a flexible policy within departments so that users can manage other users who are at the same level or lower than them.
5. Proactive Alerting – By having automatic reporting of user activity, anytime anyone who is authorized accesses a sensitive file the system cannot automatically report this activity. By having this at departmental level ensures that management can identify potential inappropriate behaviour at an early stage since they are aware of the sensitive data under their control, and can thus identify misuse at an early stage
So what’s it to be? Are you going to get to grips with your data security or just hire honest Scotsmen? Doing nothing risks internal sabotage with the associated problems, and there’s only a limited supply of honest Scotsmen.