Peter Mitteregger, European vice-president of specialist IT firm Credant Technologies, explains why businesses need to protect their database.
Arguably an organisation's most vital asset is its databases, often containing financial information, customer and employee data and intellectual property.
There have been many articles written that examine the risks posed of data being exposed and the potential damage caused.
In addition, external threats have long been recognised with billions of pounds spent strengthening defences to mitigate against them yet there is little acknowledgment of the very real threat from within. The statement ‘don’t leave your valuables on show’ is a simple principle so why is it often ignored by Corporate UK?
It is proven to be easier to bribe someone on the inside (or even implant them there) to gain access to sensitive data. Leaving this risk aside, how often has someone left your organisation taking company stationary with them?
Do you know what else has been taken? Could they have sneaked out with sensitive material? What about a copy of the entire corporate database? Would you even know if they had?
Let’s be realistic, employees need to have access to corporate data in the normal course of their duties. Increasingly today, this need is 24 hours a day, seven days a week and is not restricted to within the corporate walls or to company owned devices.
It is this need that is opening up one of the biggest and growing weak points for Corporate UK as data is seeping out via unprotected end-points, a significant number of which the company is unaware exist, or they are simply outside the company’s domain, such as private USB sticks or iPods.
It would be prudent to employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data.
Additionally, if there is no reason why they should need to make an electronic copy of these records, be it to a corporate or personal endpoint such as a CD, a USB/Memory stick, an iPod or even a Blackberry, then they should not be able to do so.
If there is a valid reason why they need to make a copy then it should be force encrypted with a solution that does not impede the system, regardless of the device it is stored to, to ensure the integrity of the data is protected once away from the safe corporate environment.
Another way to identify if an employee is abusing their access rights is if their usual behaviour alters and they suddenly start accessing a greater number of records than usual for longer, or even shorter, periods of time. This could indicate that they are writing the records down in some format to bypass any security restrictions in place.
In the case of a disgruntled employee determined to cause mischief records could be altered, or even worse deleted, thereby damaging the reliability of the data.
Another danger is if an employee wishes to steal a copy of a database and may attach it to an email and send it out legitimately through the corporate gateway.
There have been a few instances of people seeking employment to steal data to order or even for an employee persuaded to divulge corporate secrets for financial gain.
There are some risks that aren’t high-tech and therefore harder to detect and even harder to protect against. For example, the business case for a printed hard copy of sensitive records needs to be strong as an opportunistic may access this and make a photocopy of it, completely undetected!
Another increasingly recognised threat is the mobile employee, justifiably working while travelling; either on the train, in a service station or another location, with someone looking over their shoulder and making a note of material displayed on the screen.
One further, really obvious, risk is writing down and/or sharing passwords. This is a truly naive practice, with no justification, yet it is still widely abused.
The easiest, yet inexcusable, way for data to be violated is by an ex-employee whose access rights have not been timely revoked accessing the network remotely, perhaps initially just to see if they can, and then tempted into taking liberties with this oversight.
Another potentially soft target is a portable endpoint; such as, but not limited to, a laptop, blackberry or USB/Memory stick, that is misplaced or stolen. Should the device be unprotected then any data stored on it is exposed. Additionally, in the case of a laptop or blackberry, it may prove to provide a back door to the corporate network.
* 15 ways to lose your database
1. Employees able to access a database regardless of their need to do so, with sight of complete records including information that they do not necessarily need to see
2. Unrestricted downloading of the database to removable media
3. Employees able to print individual records, or even the full database, in hard copy format
4. Employees able to access records, providing the opportunity to make a written copy
5. Records, or even the entire database, altered or deleted
6. The full database, or individual files, emailed as an attachment
7. The full database, or individual files, uploaded to an external storage facility/website or a hosted document storage and management solution
8. Secure employment for the purpose of having unrestricted access to confidential data with criminal intent
9. Existing employees being coerced into removing data for financial gain
10. Ex-employees who have not had their access rights revoked
11. Photocopy hard copies
12. Over the shoulder screen theft from mobile workforce
13. Writing down, or even sharing, passwords
14. Loss of external or portable media (memory sticks, CDs, laptops, etc) that contain unencrypted information, often during travel
15. Misplaced, or stolen, devices (laptops, BlackBerries, etc) used as a back door to the corporate network
For more information contact www.credant.com