One only has to glance at multi-media sources focused on the IT security space to recognise the extent to which businesses are concerned about data leak prevention, writes Christo van Staden, director at Carrick Holdings. And this is a good thing.
Data and intellectual property remain the most coveted corporate commodity today. It is the prime focus, the underbelly of a business and the reason why IT security systems – including software and hardware – continue to be tested on a daily basis.
If one thinks about the situation carefully, data is the very key behind the need for IT security. Just as most threats today are targeted at extracting information for financial gain, most IT security solutions and services are designed with the intention to protect what is considered sacred to an organisation or business.
So, the market should breathe a collective sigh of relief if there is any inclination to replace or reinforce any weak link in the IT security chain.
The advent of multi-media, digital lifestyle and mobile/wireless gadgets – which have enhanced capacity to host the most up-to-date applications available – is the epicentre of information transfer, data exchange and digital interactivity.
While the Internet and e-mail represent traditional channels of risk for security practitioners, the increase in the use of personal storage devices (such as USB flash drives/memory sticks) and mobile products like notebooks, Personal Digital Assistants, digital cameras and MP3 players continues to impact significantly on IT security strategies and approaches.
Data Leak Prevention has evolved from its early stage of development, primarily geared towards blocking direct attacks, to become a system-wide method of comprehensive protection.
Up until fairly recently the corporate focus, in terms of security approach, has been on guarding against the external threat. There were few or no preventative measures put in place to prevent data/material loss – whether through negligence, ignorance and/or malicious intent.
Given that most IT security service providers and vendors of technology agree that a substantial percentage of threats originate from within an organisation or company, it makes sense that decision makers would begin to implement stringent mechanisms to prevent cracks in the system.
The people who are employed and recruited into an organisation are as important as, if not more important than, the infrastructure and technology deployed. Many companies fall victim to the actions of people – and it is in the area of recruitment where companies must be more vigilant.
This involves a comprehensive, thorough analysis of an organisation’s policy framework detailing data archiving, usage and storage. It is important to always take into consideration what information is accessible, who should have access, when and where.
For example, it does not make sense for the debtors department to have access to the Customer Relationship Management database. Nor would sales generally cross-reference with logistics when it comes to information.
It is considered best practice for HR managers to explain company policy regarding information use, storage and dissemination. Employees should know precisely what their responsibilities are and access to information should be traceable, not for any other reason than to deter information leaks and vulnerabilities.
The first point of departure is for senior management to confer and agree upon a solid policy regarding Data Leak Prevention. This policy should form part of the overall rule document governing policy & procedure across the organisation or company. This will help to regulate exactly which employees, in what areas, have access to information.
Data leakage can take place either when the information is in static mode (in storage on servers, files, etc.) or when in transfer mode. It is equally important to remember that data is an asset, much like a vehicle or products in a warehouse, and should be managed and treated as such.