Sunday, April 11, 2010

Intro to Data Leakage

Organizations spend years fighting intrusions, spam, Trojans and viruses. Nowadays, these organizations find themselves facing a new but very dangerous security issue: data leakage. According to a 2008 survey by IDC (International Data Corporation, an international survey and research company), by March 2008 about 80% of survey respondents said that data security was one of the big challenges facing them, and 50% of them admitted that they had experienced a data leakage incident in 2008. It is a big threat facing organizations, and solutions and ways to eliminate or reduce the risk should be adopted urgently. The accidental and intentional leakage of data, ranging from unauthorized files to legally protected personal information and trade secrets, is a risk that affects organizations and their IT environments.



Data Leakage Definition:

It is the unwanted, intentional or accidental leak and loss of data belonging to the organization without its authorization. In addition, it is the compromise of the availability or confidentiality of data (electronic or hard copy).

In this blog, I'll concentrate on highlighting the big role that internal and user errors play in increasing data leakage and putting the company at greater risk.

Users don't get it (but it's human nature); Employees continue to contribute to data leakage. Byline: M. E. Kabay

"Why don't employees just PAY ATTENTION and FOLLOW OUR RULES?!?"

In 2008, Cisco released an extensive research study on data leakage conducted by Insight Express using 2,000 respondents in 10 countries. The objectives are summarized in the following tasks:

- To explore how employees use company devices, including the communication services and devices used, the personal activities conducted, and the extent to which technology and information are shared.

- To know to which extent employees use non-IT approved programs and applications, concern for security issues and actions taken to prevent or uncover potential security breaches.

- To know if the employees are aware of the security procedures as well as how much they know that they are exposing their company to risk.


In the report on the study entitled, "Data Leakage Worldwide: Common Risks and Mistakes Employees Make", the authors concluded that employee mistakes contributing to data leakage included generally the following:

- Unauthorized application use: 70% of IT professionals believe the use of unauthorized programs resulted in approximately half of their companies' data loss incidents.

- Misuse of corporate computers: 44% of employees share work devices with others without supervision or permission.

- Unauthorized physical and network access: 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility without permission.

- Remote worker security: 46% of employees admitted to transferring files between work and personal computers when working from home, endangering company resources and data.

- Misuse of passwords: around 18% of employees share passwords with co-workers and even family members. That rate jumps to 25% in China, India, and Italy.

Stefanie Hoffman, writing for ChannelWeb magazine, analyzed the results in a conventional way, concluding that the key issue is a lack of understanding:

"Overwhelmingly, failure to comply with company regulation resulted from lack of communication. The study found that when IT communicates policies to employees, they often use non-verbal - and subsequently unmemorable - means, such as e-mail, IM and voicemail. As a result, 11 percent of employees said that IT never communicates or rarely educates them on security policies."

There's lots more discouraging information in the report, but it all confirms that users simply are not getting it when we yammer at them about security. So what's a security officer to do?

http://find.galegroup.com.ezproxy.uow.edu.au/gtx/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T001&prodId=AONE&docId=A214585244&source=gale&srcprod=AONE&userGroupName=uow&version=1.0

Data Leakage Worldwide: Common Risks and Mistakes Employees Make by Cisco Systems

To understand the challenges facing businesses in protecting their sensitive information, Cisco conducted a study with employees and IT professionals around the world. As part of the study, surveys were conducted in 10 different countries that Cisco selected because of the differences in their social and business cultures. In each country, 100 end users and 100 IT professionals were surveyed, producing a total of 2000 respondents. The research discovered that despite the security policies, procedures, and tools currently in place, employees around the world are engaging in risky behaviors that put corporate and personal data at risk. Employee behaviors included:

1- Unauthorized Application Use:

The use of unauthorized applications on business networks can place sensitive corporate data and employees' personal information at risk. Personal email is considered one of the most commonly used unauthorized applications, followed by online banking, online bill paying, online shopping, and instant messaging. These applications pose a high risk of data loss by an employee or data theft by a hacker because they are often unmonitored and do not follow corporate security standards. Employees using these applications also risk infection from malicious sites.

• 78 percent of employees accessed personal email from business computers. This number is approximately double the level of authorized use.
• 63 percent of employees admit to using a work computer for personal use every day, and 83 percent admit to using a work computer for personal use at least sometimes.
• 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. This belief was most common in the United States (74 percent), Brazil (75 percent), and India (79 percent).

2- Misuse of Corporate Computers:

Many employees knowingly use corporate computers in ways that disobey IT security policies. Examples of such acts include altering the company's security settings and sharing work devices and sensitive information with non-employees. Employees bypassed IT settings to download music, shop online, pay bills, and in some cases, engage in online gambling and pornography. Approximately one fourth of the employees surveyed admitted sharing sensitive information with friends, family, or even strangers, and almost half of the employees surveyed share work devices with people outside the company without supervision. These behaviors can result in intellectual property leaking out of the company and reaching audiences that pose serious threats to corporate security and profitability.
In many cases, employees share the use of company devices without anyone's supervision. For example, letting other employees work on the PC that an accountant uses is one way that may lead to data leakage, especially where shared files exist. Preventing this will help minimize the issue.
The study categorized the misuse of corporate computers as follows:

• Bypass corporate policy and IT security settings
– China: 42 percent
– Brazil: 26 percent
– India: 20 percent

• Share sensitive corporate information outside the company
– Brazil: 47 percent
– India: 27 percent
– The United Kingdom: 26 percent
– Italy: 22 percent
– Germany: 24 percent

• Share work devices with non-employees without supervision
– China: 43 percent
– India: 28 percent
– Overall: 44 percent (32 percent of respondents shared work devices with co-workers, and 19 percent shared work devices with non-employee family and friends)

The following figure shows the frequency with which corporate computers are used for personal use.


3- Unauthorized Physical and Network Access:

Nobody can guarantee that all of an organization's endpoints or gateways are blocked, especially in large organizations. In addition, employees access unauthorized parts of the organization's network; an administration employee accessing the finance department's network is one example. We can also consider unsecured wireless networks as one of the ways hackers can enter the network and steal the organization's data.

Many workers let unknown individuals enter corporate facilities in a behavior known as "tailgating," or give non-employees the freedom to move around corporate facilities without supervision. These actions give unauthorized individuals the chance to physically steal corporate resources or access sensitive information. Employees are sometimes guilty of accessing unauthorized parts of a corporate network or facility as well.
The following figure shows how often IT has had to deal with an employee accessing unauthorized networks or facilities:

• 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility, with almost half of IT professionals reporting this in Brazil (49 percent) and the United States (46 percent), and 63 percent in China. Although Japan (28 percent) and Germany (26 percent) featured the least incidents among IT professionals, every country showed at least one fourth of its IT professionals encountering these types of incidents.
• Unauthorized physical and network access was more prevalent among midsize and enterprise businesses (46 percent), but small businesses also have frequent incidents (32 percent).
• 22 percent of German employees allow non-employees to roam around offices unsupervised.

4- Remote Worker Security:
Another source of data leakage is the unsecured remote connection. It happens in two ways. First, employees transfer files between work and personal computers when working from home. Second, hackers and network intruders may intercept the files and steal or read them. In both cases, the stolen or leaked files may be used for harmful purposes and may spread to many people who can benefit from them.

As businesses are increasing & becoming bigger, mobile employees are broadening the potential risk for data loss. Behaviors such as transferring files from a work device to a home computer that is not protected or maintained to IT's standards, using personal communications that are not as safe as corporate communications, talking about sensitive company matters where others can hear the conversation, and failing to use a laptop privacy guard when working remotely in a public place all invite information theft. Employees also fail to safeguard equipment such as laptop computers and portable storage devices, which can be lost or stolen.
• 46 percent of employees admitted to transferring files between work and personal computers when working from home.
• More than 75 percent of employees do not use a privacy guard when working remotely in a public place. This number is much higher in Brazil, China, and India, the countries with the most reckless behavior.
• 68 percent of people do not think about speaking softly on the phone when they are in public places outside of the office.
• 13 percent of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email.

5- Misuse of Passwords and Login/Logout Procedures:
Many users in organizations share their passwords with colleagues or friends, which leads to a loss of information security because those colleagues can then access other colleagues' accounts and systems. Dangerous data leakage may result, with many related effects.

Logging out of a computer and using a password are some of the oldest and simplest means of computer security. At least one in three employees said they leave their computers logged on and unlocked when away from their desk, such as when they go to lunch or go home for the evening. Another common practice is to leave a laptop on a desk overnight, sometimes without logging off. One in five employees store system login information and passwords on their computer or write them down and leave them on their desk, in unlocked cabinets, or pasted on their computers.

Any of these failures to observe security protocol provide dangerous opportunities for attackers. Taken together, they not only open the door to potential threats, but also invite the attacker inside. For example, an employee who leaves a system logged on, on a desk, and with a password attached is inviting an intruder to steal the computer now and sensitive data at their leisure. If the employee used that computer for personal use, that information is also now readily available to the attacker.

• 28 percent of employees in China store login and password information for personal financial accounts on their work devices.
• 18 percent of employees share passwords with co-workers, and that rate jumps to 25 percent in China, India, and Italy.
• 10 percent of employees in India, the United Kingdom, and Italy keep written notes of login information and passwords on their desk at work, leaving sensitive data accessible if the machine is stolen even if the computer is logged off.
• 5 percent of employees in the United Kingdom and France leave passwords to personal and financial accounts printed on their desks at work, so their information can be stolen with any other computer even if their work computer is safeguarded.

User errors will lead to data leakage – a worldwide survey (Posted on Albawaba.com on October 21, 2009)

A worldwide survey of over 400 companies, each with more than 500 employees, showed that most companies are sure that data leakage will result mostly from accidental rather than malicious causes.

The survey, conducted by Dimension Data and IDC during 2009, focused on IT security and on IT security decision makers and influencers in 18 countries across many sectors, covering Western Europe, the Americas, the Middle East and Africa, and Asia Pacific.



The study showed the following results:
- 57% of companies are planning to invest in DLP (Data Leakage Prevention) measures.
- 45% of companies believe that data leakage is more likely to occur through human error by their employees and staff than through outside risks such as intentional theft, which is measured at 15% of the total risk.
- The probability of a vengeful employee aiming to destroy or steal important and sensitive company data has increased. The increase in risk is related to the increase in layoffs taking place in the current economic climate.
- Companies believe that the most significant impact of a security breach would come from loss of control of their intellectual property (IP). Customer sensitivity to security and privacy may be another severe impact, followed by the availability of IT systems that offer products and services 24/7.
- Most of the risk comes from inside, not outside, because companies' protection systems are designed to protect outward at the network perimeter and not inward, so the inside of the network remains relatively free of security controls and unprotected.
- Security awareness training initiatives for employees often go unfunded because companies consider it difficult to demonstrate a return on investment for such training.


To tackle these challenges, companies are moving towards Data Leakage Prevention (DLP), an important approach that protects information rather than networks and systems. Using this approach, the company creates automated, technical barriers to both human error and malicious intent. Because companies are losing critical data to errors made by employees, they have started tightening security controls internally and adopting and investing in DLP, which allows them to define and enforce an effective security policy for information flow in order to keep control of critical information such as blueprints, financial metrics and source code, prevent accidental breaches of compliance regimes and confidentiality policies, and support users' mobility when using laptops or smaller devices at work.

DLP can be implemented in many places and positions. It is applied to data in motion (between networks, users and machines), data in use (when being accessed) and data at rest (when stored or archived), regardless of whether the data is inside the organization's network or not. However, DLP is not an off-the-shelf product, silver bullet or quick fix. It is a mix of data-centric solutions that focus on data rather than networks or systems; it is considered a business issue rather than a technical one, since it concentrates on managing the protection of sensitive data (an important strategic step forward).
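To make the "data-centric" point concrete, here is a small content-inspection check written for this post as an added illustration; it is not code from Cisco, Dimension Data, IDC or any DLP product. One rule set (a confidentiality marker, a card-number pattern validated with the Luhn checksum, and a hypothetical "BP-####" blueprint identifier) is applied both to data at rest (files on disk) and to data in motion (an outbound mail message), and the verdict depends on the data, not on which network or system it sits on. The mail domain example.com, the rule patterns, the sample files and messages, and the allow/alert/block policy are all constructed assumptions.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Constructed detection rules (a hypothetical policy, not taken from the surveys).
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|TRADE SECRET)\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, spaces/dashes allowed
BLUEPRINT_RE = re.compile(r"\bBP-\d{4}\b")        # hypothetical blueprint ID format
INTERNAL_DOMAIN = "example.com"                   # hypothetical corporate mail domain


@dataclass
class Finding:
    rule: str       # which rule fired
    evidence: str   # masked or short evidence for the alert log


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on random 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Run every rule over a piece of content and return the findings."""
    findings = []
    for m in MARKER_RE.finditer(text):
        findings.append(Finding("marker", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card-number", digits[:4] + "..." + digits[-4:]))
    for m in BLUEPRINT_RE.finditer(text):
        findings.append(Finding("blueprint-id", m.group(0)))
    return findings


def decide(findings: list, channel: str) -> str:
    """Constructed policy: card numbers are always blocked; marked or blueprint
    content is blocked on an external channel and only alerted on elsewhere."""
    rules = {f.rule for f in findings}
    if "card-number" in rules:
        return "block"
    if rules and channel == "external":
        return "block"
    if rules:
        return "alert"
    return "allow"


def inspect_message(raw: str) -> tuple:
    """Data in motion: classify an outbound mail body; the channel is 'external'
    if any recipient is outside INTERNAL_DOMAIN."""
    msg = message_from_string(raw)
    addrs = [a for _, a in getaddresses([msg.get("To", ""), msg.get("Cc", "")]) if a]
    external = any(not a.lower().endswith("@" + INTERNAL_DOMAIN) for a in addrs)
    findings = classify(msg.get_payload())
    return decide(findings, "external" if external else "internal"), findings


def scan_tree(root: str) -> dict:
    """Data at rest: walk a directory and return {relative path: verdict} for
    every file with at least one finding."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings = classify(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = decide(findings, "at-rest")
    return results


def demo_at_rest() -> dict:
    """Write constructed sample files into a temp directory and scan them."""
    samples = {
        "finance/q1.txt": "Customer card 4111 1111 1111 1111 on file.",   # Luhn-valid
        "eng/notes.txt": "Design BP-0042 is INTERNAL ONLY.",
        "hr/lunch.txt": "Pizza on Friday, order #1234 5678 9012 3456.",  # fails Luhn
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


# Constructed sample messages: same body, different recipients.
EXTERNAL_MSG = """From: alice@example.com
To: Bob <bob@personal-mail.invalid>
Subject: blueprint

Attached design BP-0042 is INTERNAL ONLY.
"""
INTERNAL_MSG = """From: alice@example.com
To: carol@example.com
Subject: blueprint

Design BP-0042 is INTERNAL ONLY, please review.
"""

if __name__ == "__main__":
    print(demo_at_rest())
    print(inspect_message(EXTERNAL_MSG)[0], inspect_message(INTERNAL_MSG)[0])
```

The same `classify` function produces the findings in both paths; only the channel (at rest, internal mail, external mail) changes the verdict. That separation of content rules from channel policy is what lets a DLP rule set follow the data rather than being re-implemented per network or system, and the Luhn check shows why a plain digit-count pattern alone would drown an analyst in false alerts.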

“After its people, data is an organization’s most crucial asset, and those active in security realize that if they protect data, they automatically protect their organization”

http://find.galegroup.com.ezproxy.uow.edu.au/gtx/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T001&prodId=AONE&docId=A210193661&source=gale&srcprod=AONE&userGroupName=uow&version=1.0