Do You Know What Data Leakages Are?
Do you know all the possible ways to take information out of a company so that no one would notice? I’m sure there are means and methods of data leakage that work despite security controls.
Let’s think about how we can control this process better.
First, it’s necessary to understand that there are no absolute security controls. Even if a USB port is blocked, it’s still possible to write some data to a USB device; if there is a system that controls outgoing mail, an intruder can still use some trick to send important data out of the company.
So how should information security policies be managed to prevent possible data leakages? Let’s list all possible ways to prevent leakage. There are two general categories, active and proactive security. These terms are sometimes hard to apply in the real world, so let’s consider another approach. There are means that help to prevent information leakage from happening, and there are means that help to find out whether information was leaked. Both methods should be considered when building information security at your company.
How to prevent information leakage. First, it’s necessary to apply a security policy that guarantees access to certain data only for trusted persons. This way you will always know who has access to the data, which makes it easier to find a possible intruder and to control your employees.
Second, consider all possible ways for information to be stolen: sent out by email, copied by some employee, stolen by spyware, copied to an external drive, etc. Think about all possible ways and the risks involved. Try to minimize the risk for the most important data.
Let’s list some possible security issues and the ways we can get rid of them.
Keyloggers and other spyware. A keylogger is a program that works in the background, records all keystrokes and sends the information to a third party. A good starting point is a firewall that allows internet access only to certain programs.
Hardware that might be dangerous. There is software that can lock USB ports and software that can block access to any other writeable media; consider installing these tools on computers and user accounts that don’t need these functions for their work.
Finally, the key principle in fighting information leakage is to be proactive. You don’t need to wait until some information is stolen; being a little paranoid will help to save your business. It’s easy to install and integrate into the security policy some audit measures that regularly check your company for possible security holes. It’s simple, but it works.
No matter how much data you have, it is always a target for cyber crooks. There is always the risk of a data breach. Some months back in the current year, Yahoo Japan informed users that they had been hit by an attack that compromised the information of about 22 million people. Before that incident, LivingSocial, an online daily-deal website, revealed that hackers had stolen the personal information of almost half a billion customers. These two attacks show how big a concern online crime has become. There is no country, city, area or even individual in the world that can claim to be free of the threat of a data breach.
How Can Smartphone Cameras Be Your Enemy?
What if you found out that your smartphone is taking pictures without giving you any signal? What if you came to know that your smartphone is sending those pictures to a stranger without notifying you? What if you realized that your smartphone camera is capturing moments when you thought it was off? It must sound quite horrifying, doesn’t it? Well, these horrifying actions do take place due to some of today’s malware that is specially designed for such activities. One such infectious program was engineered solely to map a building using the photos and videos captured by that malicious program.
You can be filmed or photographed by your smartphone’s camera in situations that would be truly embarrassing if publicized. This malware poses some serious risks to your privacy, but you can prevent such injurious programs from leaking your personal and confidential photos and videos. People who give some importance to the security of their privacy and scan their smartphones at regular intervals will keep them safe. Portable computing gadgets such as Windows Phones are targets of cyber criminals and crooks, so they need to be secured more carefully.
With portable computing devices such as smartphones, there is a huge risk of hundreds of devices being infected by just one device. Plugging the device into an infected computer through its charging port will harm that gadget. An infected smartphone is more likely to spill data than an ordinary computer due to its weaker data security. To remain secure from such a program, you should avoid using each other’s data and stop plugging into unknown PCs and laptops. A smartphone is a great target for online crooks to steal data from, and they often do.
You may have avoided downloading from any third-party app store or using apps that are doubtful. But what if the developer of an app gets hit by hackers and releases an update with a harmful feature? The program will be updated automatically and the attacker will control the camera of your smartphone. You might consider the issue of leaking images a minor one, but it is indeed a big issue. Smartphones are not allowed in sensitive places, as recording devices can never be trusted and can betray their owner at any time, thanks to hackers.
One of the most sensitive, confidential and precious kinds of data stored on your smartphone must be images, especially on Windows Phones, which have the best camera results available now. The leakage of your personal memories will definitely hurt you, so use Secure Photo Gallery so that your pictures and videos remain safe and secure. Other than that, if you are afraid that your camera can be hacked and handled remotely by a hacker, keep your phone in a pouch, a bag, a cover or a similar place so that it cannot record anything. Sticking a small piece of opaque paper over the camera lens is not a bad option either.
Read Why Data Loss Prevention (DLP) Demand Is Growing
With the importance of data security escalating, there has been increased demand for one of the earliest approaches to securing data, namely data loss prevention, say experts.
Data loss prevention (DLP) is a term used to describe software products and strategies that help a network administrator control what data end users can transfer.
According to Trevor Coetzee, regional director, SA and Sub-Saharan Africa at Intel Security, there has been a revival of the DLP market locally and growth globally – in both data loss and data leakage prevention requirements – due to new privacy laws being implemented by countries across the world.
Many SA organisations are investigating solutions in preparation for privacy laws like POPI within the country, says Coetzee.
Moreover, the demand is also being driven by the growing adoption of cloud services, data going across public cloud services, and increased focus on the insider threat that many organisations face on a daily basis, says Coetzee.
“We are also encountering, unlike what we have seen in the past with emerging technologies and capabilities, that SA companies are adopting cloud strategies and technologies at a surprisingly fast rate.
“As a result, they are now looking for numerous security solutions which align to their strategy – including DLP solutions.”
Research firm Markets and Markets agrees, saying one of the major factors that has helped the DLP market grow is organisations’ increasing focus on meeting regulatory and compliance requirements and on data saved in public and private clouds.
Apart from this, factors such as increasing data breaches and cyber attacks are boosting demand for DLP solutions, it adds.
Darryn O’Brien, country manager at Trend Micro Southern Africa, says organisations are realising that their data is no longer just information, but an asset which should be protected from the outside world.
It is this awareness that is driving the need for technologies and processes like DLP to address the situation, he adds.
Perry Hutton, Africa regional vice president at Fortinet, says the flow of data transactions into and out of the data centre, between data centres, or that is used and stored on a wide variety of devices is increasing at a dramatic pace.
During this process, the nature of the data changes, and a comprehensive data loss prevention strategy is needed to address these different states, adds Hutton.
DLP strategies need to include not only business sensitive information but personal client and employee information too, as the loss of this data can be just as damaging to a business, says O’Brien. “In short it needs to be holistic and embrace all aspects of the business.”
By Regina Pazvakavambwa
Why Use ITSecurity.Org For Your Data Protection Requirements and Services?
At ITSecurity.Org our professional and qualified staff have decades of combined experience, expertise, qualifications and certifications gained through working in some of the largest enterprises. Our consultants have encountered many different Data Protection requirements and can deal with your Data Protection situation and needs in a way tailored to you.
We have practical experience of securing data, protecting that data and ensuring that only the people authorised to access that data can use it. We have experience of how to securely manage and monitor data throughout its lifecycle and can provide that expertise to you.
Data Protection Lifecycle
ITSecurity.Org can provide advice and support for all of your Data Protection requirements throughout your data’s lifecycle.
We can provide Data Protection Policies, Standards, Procedures and Training to support all stages of your Data’s lifecycle.
Data Protection Documentation Examples
- Self-Assessment Toolkit
- Data Protection Policy – Management Commitment
- Data Protection Policy – Schedule of Additional Detail and Support Materials
Template policies, procedures and checklists
- 01 Confidentiality and Data Protection Commitment
- 02 End of employment and volunteering procedure
- 03 Third Party suppliers – procurement and model clauses:
- 03a Procurement guidance and checklist
- 03b Supplemental Data Protection Agreement
- 03c Model Data Protection Clauses
- 04 Acceptable Use Policy (AUP)
- 05 Password policy
- 06 Clear desk, clear screen and secure waste policy
- 07 Offsite Working and Removable Media Policy
- 08 Sharing personal information policy
- 09 Social Media Policy
- 10 Access control Policy
- 11 Accurate Data Guide
- 12 Backup Procedures
- 13 Retention Schedule
- 14 Disposal and Deletion Policy
- 15a Information security incidents – Draft letter
- 15b Information security incidents – Checklist
- 16 Subject Access Requests
- 17a Photograph and video footage – Covering letter
- 17b Photograph and video footage – Consent form
Data Protection Guidance Notes
- 01 Roles and responsibilities
- 02 Your staff
- 03 Day-to-day handling of personal information
- 04 Your buildings and offsite working
- 05 Your handling of information security incidents
- 06 Your handling of requests for access to personal information
- 07 Bring Your Own Device Guide
Data Protection Training
One of the most important aspects of the Data Protection triad of People, Technology and Processes is People. Your staff need to be trained in Data Protection and why it is so important to your organisation.
We can produce Data Protection training for you that is specific to your organisation. This training can take the form of different types of resource: documentation, videos, photos, images, PowerPoint slides, quizzes etc.
We can turn all your resources into a really engaging educational training product.
If you require, we can also integrate into your Learning Management System (LMS) using our Moodle publishing platform or your training can be hosted on our training platform.
- Tivium Ltd (a green deal energy company with a registered office in North London) has been prosecuted for failing to respond to an Information Notice issued by the ICO. The fine was £5,000 with a £120 victim surcharge & prosecution costs of £489.85. The company appears to still be trading (apparently based in the North of England) but its website indicates that it is closed to new customers.
- The ICO has taken enforcement action against high street and online shoe retailer Office [Office Holdings Ltd, based in the City of London] after the personal data of over one million customers was left exposed due to a hacking incident. The reasons for the ICO action were:
1. The ICO was informed on 29th May 2014 that a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website.
2. This individual had managed to gain potential access to personal data relating to over a million Office customers, including contact details and website passwords. However, the data controller has confirmed that it does not store customers’ bank details, so financial information was not compromised. Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
3. Office explained that there were several technical measures in place to minimise the risk of such an attack, although the hacker managed to bypass these measures to gain access to the legacy servers undetected.
4. Office has also confirmed that whilst penetration tests were carried out on the new websites before migration, only a single such test was completed on the old system, the results of which were not concluded or recorded, due to the legacy system being in the process of being decommissioned.
5. Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk.
6. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over cautious and not strictly required.
7. Amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned and a new hosting infrastructure is in place.
- An eye care company has been formally warned by the ICO to stop sending out nuisance text messages or face further action. The ICO has served an enforcement notice on Optical Express (Westfield) Ltd, after over 4,600 people registered concerns between September 2013 and April 2014. The concerns about the unsolicited messages were reported to the mobile networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing [this is a breach of Regulation 22 (2) of the Privacy & Electronic Communications Regulations 2003]. The Glasgow-based business which has branches across the UK had been sending out texts that included details of a competition to win free laser eye surgery.
- Pinsent Masons (a UK law firm) has published an article in Out-Law news and guidance entitled “Data Protection Officers – will EU businesses face an obligation to appoint one?” The article gives a useful summary of the proposed Rules with regards to these Officers in the EU Data Protection Regulation, giving a good summary of the Commission’s view, the Parliament’s view and the (current) view from the
- Under the Council’s plans, no organisation would be under an obligation to appoint a Data Protection Officer (DPO) unless required to do so under other EU legislation or the national laws of individual EU member states. Instead, the Council said organisations “may” appoint a DPO and go on to list conditions that organisations electing to appoint a DPO would have to conform to. Many of the conditions are similar to those supported by the Commission and Parliament. They include that the DPO can act independently
- Pinsent Masons (a UK law firm) has published an article in Out-Law news & guidance entitled “US to create new data breach notification rules”. They reported that the US president Barack Obama had stated that US businesses will be required to notify consumers within 30 days that there has been a breach of the security of their personal data.
- Pinsent Masons reported that the proposal is part of a package of measures president Obama said are needed “…to protect the identities and privacy of the American people. We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused”
- Continuing with his Washington speech, president Obama stated: “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply with this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans – even when they do it overseas.”
- Clearly this new proposal will apply to Capita plc businesses (that process personal data) that are based in the USA. However, it will be interesting to see if these federal proposals help to ensure that Safe Harbour remains available to EU based businesses to transfer personal data to participating organisations in the USA. The future of Safe Harbour is currently under discussion between the European Commission and the US Department of Commerce.