Traditionally, larger companies have relied on the security of mainframe systems to protect key data. However, with company-confidential data now routinely accessible from and downloadable onto the network, this protection has significantly diminished. Regularly reviewing access control lists is another key component in data security, as is managing emails and instant messaging, because unencrypted emails are vulnerable to interception.
These methods are all components in safeguarding data. However, the computing scenario has now changed so much that, on their own, they are unable to cope with the current state of threat. One strong area of risk is allowing unauthorised (or departed) members of staff to have unmanaged access rights to data for which they have no valid need. This is a major cause of data leakage. A common failure in larger companies is to terminate the departing user’s rights at the last place he/she was located, but neglect to terminate access rights at previous divisions or locations.
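The gap described above, rights removed at a leaver's last location but left in place at earlier ones, can be checked by reconciling the HR leaver list against every division's access control list export. The following is an added example, not part of the original article; the data layout, the shared employee-ID key and all names and values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names and layout, not from the article).
# Assumption: HR and every division's export share a stable employee ID.
LEAVERS = {
    "E1001": {"last_division": "London"},
    "E1002": {"last_division": "Leeds"},
}
# Rows are (employee_id, local_account, resource); account names differ by site.
ACL_EXPORTS = {
    "London": [("E1003", "cpatel", "finance-share")],
    "Leeds": [("E1002", "bortiz", "hr-db"), ("E1004", "dkim", "hr-db")],
    "Madrid": [("e1001 ", "ashah.es", "contracts"), ("E1002", "b.ortiz", "crm")],
}


def normalise(emp_id):
    """Exports are rarely consistent about case and padding."""
    return emp_id.strip().upper()


def residual_access(leavers, acl_exports):
    """Return {employee_id: [finding, ...]} for leavers still listed in an ACL."""
    findings = defaultdict(list)
    for division, rows in acl_exports.items():
        for emp_id, account, resource in rows:
            key = normalise(emp_id)
            if key in leavers:
                findings[key].append({
                    "division": division,
                    "account": account, "resource": resource,
                    # True when the entry sits outside the leaver's last location.
                    "previous_division": division != leavers[key]["last_division"],
                })
    return dict(findings)


def missed_previous_divisions(leavers, acl_exports):
    """Leavers cleaned up at their last location but still holding rights elsewhere."""
    return {
        emp_id: sorted({f["division"] for f in items})
        for emp_id, items in residual_access(leavers, acl_exports).items()
        if all(f["previous_division"] for f in items)
    }


if __name__ == "__main__":
    print(missed_previous_divisions(LEAVERS, ACL_EXPORTS))
```

Matching on the employee ID rather than the account name is what lets the check follow one person across sites where their local account was named differently.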
Companies now need to review how the risks to their organisations have changed, with regard to data confidentiality, and assess what the current dangers are. A risk assessment can be carried out and positive action drawn up to protect against the relevant threats. A key part of any programme will be to regularly communicate to staff that data protection is the responsibility of everyone in an organisation, and not just the IT team. It should also be reiterated that any unauthorised access to or misuse of data by staff, whether it is non-malicious but done without authorisation, or whether it is done with criminal intent, is not acceptable.
High risk areas
Email is a key area of risk for many organisations. Email travels over the Internet via servers. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail. They are easy to intercept and read, without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use keyword searching to find (to order) information for interested businesses.