How to stamp out data leakage, industrial espionage

At a recent monthly gathering of hackers (well intentioned and otherwise) in a dingy pub in Leicester Square, London, I asked them whether the economy was opening up new opportunities for them.

The response was an overwhelming yes, with nearly everyone saying that the cut backs had caused jobs to be outsourced and, with fewer folks in IT looking after security, there would be increased room for vulnerabilities and for mistakes to emerge. They also said that redundant employees were disgruntled and so more inclined to exploit loop-holes in their previous employers' networks.

The hacker community reinforced findings by Cyber-Ark in a recent survey of 600 office workers in London's Canary Wharf, New York's Wall Street and Amsterdam. The study explored whether the recession was affecting peoples' attitudes to work ethics and data security and it found data theft and industrial espionage were on the up, not by hackers, but members of the workforce fearful for their jobs.

Some 56% of workers surveyed said they were worried about losing their jobs because of the economic climate and, in anticipation, over half admitted to downloading competitive corporate data which they had identified as a useful negotiating tool in preparation to secure their next position. Top of the list of desirable information to steal is customer and contact databases, with plans and proposals, product information, and access/password codes all popular choices with a perceived value.

Memory sticks are the smallest, easiest, cheapest and least traceable method of downloading huge amounts of data which is why, according to the Cyber-Ark survey, they're the "weapon of choice" to sneak data out from under the boss' nose. Other methods were photocopying, emailing, CDs, online encrypted storage websites, smartphones, DVDs, cameras, Skype and iPods. Rather randomly, yet disconcerting, is that in the UK 7% said they'd resort to memorising important data.

On the other hand, the survey discovered that 70% of companies had implemented restrictions to prevent employees from taking information out of the office, but that still leaves 30% unprepared.

Top Tips to Secure Corporate Data

So what can companies do to stop data leakage and company secrets being exposed during these very uncertain times‾ My best advice is:

1.Only allow people access to the information that they need for their everyday activity. Install multiple layers of security within the organisation depending on the value of the information. The best way to do this is to have a digital vault, where you can encrypt the company's most critical assets and allow only those with privileged access into the vault.

2. Change passwords regularly on admin accounts or privileged accounts which are accessed by more than one user as you will often find that these passwords are informally shared among people that shouldn't be using them. Once you change the passwords, it will be an education to find out how many people phone IT asking why they can no longer access the data - many of whom had no right or reason to access it in the first place. Hackers usually target these admin accounts and privileged passwords first as they are often badly managed leaving gaping holes in the network.

3, Drum into your staff the importance of respecting company data and make sure you instil good IT security housekeeping rules.


4. Make sure you have an audit trail to sensitive and important data to track who has access to what information, and can check who is accessing it at any time.

5. Have a strict password usage policy that means that all users have to change passwords regularly mixing numbers, letters and symbols. Do not allow users to know, or worse share, each other's passwords. Manage and audit the highly sensitive administrative passwords to prevent hackers, and increasingly important insiders, exploiting the systems.

6. Ensure that you have a strict protocol for remote users and administer security products on mobile devices centrally. Deploy the best, most transparent, encryption solution that doesn't impede the device or impact the user, otherwise they will do their utmost to bypass it.

7. Have protection in place against data deletion and loss - earlier file versions should be retained, ensuring an easy way to revert to the correct file content or recover from data deletion quickly with minimal disruption.

8. Always use digital signatures so that unauthorised changes in files are detected.

9. Make sure you have end-to-end network protection. Security must be maintained while data is being transported over the network. The process of transferring data has to be, in itself, secure. It should be necessary for users to be authenticated, and access control used to ensure that users only take appropriate action, and that only authorised actions are carried out.

10. Maintain process integrity at all times. As data transfer is an essential part of a larger business process, it is critical to be able to validate that this step in the process is executed correctly. This requires the solution to provide auditing features, data integrity verification, and guaranteed delivery options.

Cyber-Ark's advice is only allow access to your most critical assets for those that really need it, encrypt.

Mark Fallbrook, UK Director, Cyber-Ark Software

*The survey into The Global Recession and its Effect on Work Ethics, was carried out by Cyber-Ark's team of researchers amongst 600 office workers on Wall Street, New York and Canary Wharf London