How You Can Help Prevent Data Leaks
Data leakage is a serious risk for many businesses. It can occur as a result of third parties’ intent or the negligence of employees.
Intentional leaks are committed with two goals: the first is to harm the state, society, or a specific company, a goal characteristic of cyberterrorism; the second one is to gain a competitive advantage.
Unintentional leaks are most often caused by the negligence of employees, but they can also lead to serious negative consequences.
Creating a system for protecting data assets from loss in all types of companies should be done on a professional level, using advanced software tools and technical means. To prevent data loss, it’s essential to locate leakage channels and find ways to block them.
Moreover, there has to be a clear understanding of modern security system requirements.
Data Leakage and Interception
The difference between leaks and interception is a matter of terminology. Interception is the illegal acquisition of data by technical means, such as hacking. It can be prevented by a good web developer who combines a strong understanding of security practices with advanced knowledge of SQL.
Data leakage is the loss of information as it spreads through communication channels and physical space for all types of reasons, including interception and redirection. Data leakage created intentionally through technical channels implies the installation of various devices that intercept the data in transit.
This term is used more often in the professional sphere; in practice, the definition refers to all types of data leaks based on both human and technical factors. Illegally recording data that contains legally protected information on external media and transferring it outside the corporate space is the most common type of data theft.
Modern DLP systems are now configured primarily to address threats posed by insiders rather than an external intrusion.
An example of such a situation was when Google Corporation sued Uber, which had hired a former employee of the company.
The top manager inappropriately copied almost all of the data related to the development of an unmanned car under his supervision. The security system in place at one of the world’s largest corporations was unable to prevent the data theft committed by one of its top executives.
At the same time, legal prospects for compensation for the harm inflicted are murky, since there was apparently no agreement between the company and the employee defining the mechanism for compensation in such a case.
It was Uber that was chosen as the defendant, becoming the beneficiary of the data theft. The files may have been returned, but the information contained in them may have been used to create a competitive advantage.
This case shows that regardless of the company’s level, the risk of losing data is equally serious for everyone.
Entities at Risk
Based on the above criteria of protected data, there are several types of business entities at risk of data leakage:
- Commercial and scientific organizations, nonprofits, and organizations that work with information that constitutes a state secret, such as those fulfilling a state order;
- Organizations possessing information, which could be necessary for criminal organizations to commit terrorist acts or which is inherently a target of terrorist attacks;
- Organizations operating in the financial services market, possessing data regarding the accounts and finances of their clients, as well as their bank card numbers;
- Organizations working with large amounts of personal data, which often fall prey to hackers, and enter the open market;
- Organizations that use advanced technologies and know-how in their work;
- Any organizations operating in competitive markets where available data about technology, markets, customers, strategies, contracts will be a way to gain an advantage in the competition for customers;
- Organizations where there are disputes over ownership redistribution or those that are targets of raiders (“hit-and-run” attacks). In this case, data theft may be ground for audits or legal action.
All of the above-mentioned organizations need to make maximum use of available methods to prevent information leakage, since, apart from direct damage to the entity, damage may also be caused to an indefinitely wide range of people. In some cases, a company may be held liable for failure to take protective measures.
Every channel of information leakage should be analyzed in terms of security and protected as much as possible.
Technical Methods of Data Leakage
There are four main groups of technical methods of data leakage:
- Visual channels allow interception or copying of data reflected in visual form, e.g. documents, data on a computer screen;
- Acoustic channels make it possible to intercept conversations taking place indoors or phone conversations;
- Electromagnetic channels make it possible to obtain data in emitted electromagnetic waves, decoding of which may also provide access to the necessary data;
- Tangible channels are related to the analysis of items, documents, and waste resulting from the company’s activities.
In each case when a technical leakage channel is used by competitors, the most advanced methods of obtaining and processing information are applied, and the very knowledge of the existence of such opportunities should help to reduce the level of risk.
To completely eliminate the latter, it’s necessary to communicate with professionals who will identify the most valuable data sets for possible attacks and offer a full range of protection.
If your computer’s screen or part of documents can be seen through the window, there is a risk of leakage. Any light stream coming from the information source can be intercepted. Simple technical means should be used to combat this in most cases:
- Reducing the reflective characteristics and illumination of objects;
- Installation of various barriers and camouflages;
- Reflective glass usage, etc.
However, there is also a more typical risk: taking documents out of the room to photograph them, other forms of copying, screenshots of database screens containing important information, and other ways.
The main measures to combat these risks relate exclusively to the administrative and organizational sphere, although there are software tools that, for example, do not allow you to take a screenshot of data displayed on a computer’s screen.
Information that exists in the form of sound is the most unprotected against interception and leakage. Sound, which is in the ultra-range (more than 20 thousand hertz), spreads easily. If there is an obstacle in its way, the sound wave causes oscillations in it, and they will be read by special devices.
This should be taken into account at the stage of designing a building or office, where the architects should think over the layout of premises to exclude data leakage. If this method is not feasible, it’s necessary to turn to technical means and use sound-reflecting materials, such as porous plaster, to decorate the room. Stethoscopes are used to assess the degree of security.
Acoustic information leakage is also possible with the use of dictaphones during negotiations. Special devices should be used to detect their presence. Installing devices that extract the voice signal from telephone sets (bugs) is practically not used nowadays; digital traffic is intercepted in other ways, including via the phone operator or Internet provider.
This degree of risk should also be taken into account, perhaps by creating special instructions about the sensitive information that can be discussed by phone.
However, data transmitted via the Internet is available for interception. Here the fight against its theft can be performed by both hardware and software technical means.
Ways to Prevent Data Leakage
To effectively protect against all of the above leakage methods, you need to develop a system of security measures, which includes two main groups of actions and measures:
- Administrative and organizational measures;
- Technical and software measures.
Both groups of measures require obligatory consultations with professionals before their implementation, especially if your company intends to obtain a license to work with confidential data from the state.
The technical means used must be certified and allowed for circulation by the state; it’s unacceptable to use either untested or prohibited means belonging to the category of “spyware” or “real spy apps” in order to protect information. The protection of data must be based only on legal methods of counteraction.
A security system must be designed comprehensively, relying on organizational measures as its basis. All of its elements must constitute an integrated system, monitored by competent personnel.
Design Principles for Security Systems
There are a few principles on which a comprehensive system of measures for protecting confidential data against leaks should be based:
- Seamless system operation. The protection methods in use should control the entire material and data perimeter 24/7 to avoid any gaps or decrease in the level of control;
- Multi-zone protection. Information should be ranked according to its importance, and different levels of impact should be applied to protect it;
- Prioritization. Not all information is equally important, so the most robust protective measures should be applied to information of the highest value;
- Integration. All system components must interact with each other and be managed from a single control center. In case it’s a holding company or a company with several branches, it’s important to set up the management of data systems from the head company;
- Duplication. All of the most important blocks and communication systems should be backed up with a proper VM backup solution so that in the case of a breakdown or failure of one of the protection links, it’s replaced by the other.
It is not always necessary to build systems of this level for small trading companies. For large companies, however, especially those cooperating with a state customer, it’s a vital necessity.
Administrative and Organizational Measures
The head of the company as well as one of the deputies, responsible for the security service, shall be liable for the observance of administrative and organizational measures. Almost 70% of the total amount of information security depends on administrative-technical measures.
This is due to the fact that in the activities of commercial espionage services, the use of bribery of employees is much more frequent than the use of special technical means of stealing information. The latter require high qualification and information disclosure to third parties who are not directly involved in the competitive struggle.
All of the organization’s regulations regarding the protection of trade secrets and other data must comply with the most stringent requirements for similar documents, required to obtain a license.
This is due not only to the fact that they are the most elaborate but also that the qualitative preparation of this type of documentation will enable the company to defend its position in court in case of any disputes regarding data leakage in the future.
Working with Company Staff
Personnel are the weakest link in any system of data leakage protection, so maximum attention must be paid to working with your employees. For companies working with state secrets, there is a system of security clearance. Other organizations need to take various measures to ensure that their employees’ ability to work with confidential data is limited.
It’s necessary to make a list of information that constitutes a trade secret and draw it up as an appendix to the employment contract. Access systems should be developed when working with the information contained in the database.
All copying and access to external emails must be restricted. All employees must be familiarized with the instructions on how to work with confidential information and confirm this with signatures in the logs. This will make them responsible in case of any eventuality.
The access system in place should not only require recording the data of all visitors but also cooperate only with security companies that meet all security requirements. The situation when a PSC employee on the night shift has access to passwords can be just as dangerous as a professional hacker’s attack.
Working with Counterparties
Quite often, the culprits of information leaks are not the employees but the company’s counterparties. There are numerous consulting and auditing companies that provide services on developing and maintaining information systems.
The same danger is posed by now widespread cloud CRM systems that offer cloud storage services. With a minimum level of responsibility for the safety of data entrusted to them, no one can guarantee that the entire customer database will not instantly become available to competitors. This is a serious risk.
When choosing between server-based or cloud-based programs, the former is more beneficial. According to Microsoft, the number of cyberattacks on cloud resources has increased by 300% this year. And it’s just the beginning.
Technical Means and Prevention Systems
To protect data from leakage or theft, it’s necessary to use a wide range of hardware and technical measures. Modern technical means are divided into four groups:
This category of security features is used as part of the implementation of planning and architectural solutions. They are devices that physically block the possibility of unauthorized entry to protected objects, video surveillance systems, alarm systems, electronic locks, and other similar devices.
These include measuring devices, analyzers, and technical devices that locate embedded devices: everything that makes it possible to reveal existing data leakage channels, assess their efficiency, and identify their significant characteristics and their role in potential or actual data loss.
These can be field indicators, radio-frequency detectors, non-linear locators, equipment for checking analog phone lines, etc.
This is the most significant group since it allows you to avoid intrusion into information networks by unauthorized persons, block hacker attacks, and prevent data interception.
Among them, special software providing system information security takes a prominent place. These are DLP and SIEM systems, most often used to create mechanisms of complex information security.
DLP (Data Leak Prevention) systems provide full protection from loss of confidential information. Such data leakage prevention tools are usually complex systems, controlling and monitoring changes in documents and the movement of more sensitive data within a company.
Today, they are configured primarily to deal with threats within the perimeter, i.e. coming from users of the corporate network rather than from outside.
They employ a wide range of techniques to identify data loss points or conversions and can block any unauthorized intrusion or data transmission by automatically checking all communication channels.
They analyze user email traffic, local folder contents, and correspondence in messengers, blocking attempted data transfers if detected.
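The content inspection described above, as an added example that is not part of the original article or of any vendor's product: a minimal Python sketch that scans outbound messages for payment card numbers (validated with the Luhn checksum to cut false positives) and confidentiality markings, then blocks transfers to external recipients. The domain `corp.example`, the markings, and the sample messages are assumptions constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumptions for this sketch (not from the article): the corporate mail
# domain and the document markings that count as confidential.
INTERNAL_DOMAIN = "corp.example"
MARKING = re.compile(r"\b(?:CONFIDENTIAL|TRADE SECRET)\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str
    evidence: str  # masked, so the DLP log does not become a leak itself


def inspect(text: str) -> list[Finding]:
    """Return every policy hit found in one message body."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("card_number", masked))
    for m in MARKING.finditer(text):
        findings.append(Finding("marking", m.group()))
    return findings


def decide(recipients: list[str], text: str) -> tuple[str, list[Finding]]:
    """Return ('block' | 'alert' | 'allow', findings) for one outbound message."""
    findings = inspect(text)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if findings and external:
        return "block", findings   # sensitive content leaving the company
    if findings:
        return "alert", findings   # internal movement: log for review
    return "allow", findings


# Constructed sample messages (4111 1111 1111 1111 is a public test number).
SAMPLES = [
    (["partner@other.example"], "Customer card 4111 1111 1111 1111 attached."),
    (["finance@corp.example"], "CONFIDENTIAL: Q3 pricing draft."),
    (["partner@other.example"], "Order 1234 5678 9012 3456 has shipped."),
]

if __name__ == "__main__":
    for rcpts, body in SAMPLES:
        action, found = decide(rcpts, body)
        print(action, [(f.rule, f.evidence) for f in found])
```

The third sample shows why the checksum matters: a 16-digit order number looks like a card number to the regex but fails Luhn, so the message is allowed instead of generating a false block.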
Here are a few powerful DLP systems developed for reliable data security you might want to consider for your business:
- McAfee Total Protection for Data Loss Prevention. Even during the installation of this intelligent DLP system, you will realize that McAfee is a one-stop solution for deep, forensic data analysis. This tool will suit those companies that do not have specific corporate rules. McAfee can locate, tag, and prioritize sensitive data, as well as ensure equal protection across all your IT infrastructure. This is highly beneficial if you plan to implement data protection strategies. McAfee has everything for in-depth analysis of internal and cloud-based apps, as it has a perfectly developed set of tools for effective leak identification, which is very convenient.
- Check Point offers a less complicated DLP system that includes a few cybersecurity processes to prevent data leaks for all types of companies. It implies a single console with educative measures to teach users how to respond to incidents fast. You can expect automated alerts, pre-configured rules (which can be customized if you have tech knowledge), and a free online demo to test the features.
- Digital Guardian Endpoint DLP is designed to work with all popular OS, including Windows, Mac, and Linux, which can be really beneficial if you have several desktop systems with the company. The DLP system is all about flexibility and scalability – you can deploy it on-premise or as a cloud-based system, or as a hybrid for both! You can expect perfect scaling, several great add-ons (e.g. advanced encryption), and a demo!
SIEM systems (Security Information and Event Management) manage information flows and events in the network, and by “event” we mean any situation that can affect the network and its security. When such an event occurs, the system independently proposes a solution to eliminate the threat.
SIEM systems collect data from various components of the IT infrastructure and analyze security events in real time. They also help respond to such events before any significant damage occurs. For example, you can try Datadog, SolarWinds, or ManageEngine.
They all have free trials so you can test them at no charge.
Network Intrusion Detection Systems (IDS/NIDS) monitor the data perimeter and report possible threats to the administrator. You can try Suricata (free) or Zeek.
Intrusion Prevention Systems (IPS). In addition to monitoring and alerting, these systems can also take active steps to block emerging threats. As an example, you can try Trend Micro, Cisco, or Darktrace. There’s also Snort (free).
Software tools can solve individual problems or provide integrated security of computer networks. The most advanced complexes can prevent unauthorized distribution and copying of document sets or their parts, as well as instantly inform responsible employees when someone performs any suspicious actions with the documents.
Unfortunately, even such powerful information security methods cannot provide a 100% guarantee against data leakage. Moreover, the installation and implementation of such systems may involve considerable expenses of the client company.
The thing is that a professional DLP system requires a full audit and analysis of the current document flow, along with its total revision and change. The complex of measures prior to installing a DLP system is usually more expensive and lasts longer than the actual installation and deployment.
Needless to say, the value of confidential information and the real risks of its leakage do not always correspond to such serious security measures.
However, there are many DLP tools that do not disrupt established workflow algorithms in a company and, at the same time, protect information from unauthorized access, copying, or modification.
Preventing unauthorized access to important data, protecting data from hacking and infection from the outside, eliminating data processing errors, as well as providing full control and monitoring of staff activities – these are the principles on which a great number of business data security systems are based.
They have all the necessary functionality to prevent data leaks. Plus, the low cost and ease of implementation make these products an ideal choice for companies seeking to make their business efficient and secure.
Cryptographic. Data and Traffic Encryption
This category provides algorithms to encrypt all information that is transmitted over networks or stored on a server. Even if lost, it will not be of interest to a hypothetical competitor.
The thing is that cryptographic algorithms involve the use of effective codes and technologies, which ensures that even if the transferred data is intercepted by intruders, it still cannot be decrypted.
Research shows that it would take the most powerful supercomputer several thousand years to decipher a 128-bit code (depending on the technology).
Anti-Virus and Anti-Malware Protection
Antivirus protection is an important part of protective measures. The use of anti-virus software, firewalls, and other specialized applications makes it difficult for intruders to access company resources. However, it’s important not only to install these programs but also to update them regularly.
The manual method also works quite well. This is when specialists look through the logs, settings, registry entries, analyze them, and detect suspicious moments (program activity, external connections, etc.).
You should not wait for a serious cyber-attack to evaluate the security of your company’s infrastructure. It’s better to simulate an attack on it in advance to find and close the vulnerabilities in time.
To do this, you should run a penetration test. Penetration testers attempt to gain access to sensitive data by simulating the actions of intruders, and then make recommendations to strengthen data security.
Limiting Physical Access to Hardware
Apart from computers, there’s also storage media. To prevent data leakages from the latter, you can use smart plugs with voice control for computer ports (such seemingly simple details are UL-certified), install locks, use ACS (Automatic Control Systems), and other solutions.
The complex application of the whole range of protection methods can be excessive, thus, to organize data protection systems in the company, you need to think of your own versatile project, which will be optimal in terms of resources.
Most often, data leaks are caused by human error or fraudulent actions of the company’s employees. To reduce risks, you need to be more responsible in assigning security levels and run a penetration test at least once a year to check the level of infrastructure and database security.
For cybercriminals, personal data is rarely the main target of attacks. However, hackers are responsible for almost half of all leaks. A timely security audit, which should include a penetration test, can help protect against them. It’s also important to use security systems that have passed compliance assessments and separately protect information channels.
This guest post was written by Dmytro Sokhach. He is an entrepreneur and the 6-Figure Flipper Club member.