In-Depth
Six Myths that Delay Endpoint Data Protection
Why saying "it can't happen to us" isn't a solution
By Matt Fisher
Personal and confidential health records found on a USB stick by a university student. NATO secrets on a USB stick found in the Stockholm library. Sensitive personal information lost on a flash drive by the Iowa Department of Natural Resources. Fertility treatment information on 3,100 patients lost.
It seems every day a new story emerges outlining the loss of critical, sensitive, or confidential data from organizations across the world, all of which could have been prevented if a few simple security precautions and policies had been monitored and enforced. It seems inconceivable that many organizations still have not addressed the issue of endpoint data protection, considering the extreme risk of financial loss and damage to the corporate brand. Yet, on a daily basis, stories confirm that this indeed is the case.
We debunk the six myths of data loss from removable storage devices and we offer sensible advice to overcome any corporate objections to implementing prudent endpoint security measures.
Myth #1: It won't happen to us
Recent research suggests that this actually may be true for the majority of security professionals. It remains a de facto "strategy" for rationalizing the decision to not take corrective action to secure endpoints. Despite a recent survey by Symantec that showed 59 percent of organizations expect at least one major data loss incident every five years, it's clear that not enough is being done to prevent them.
The U.S.-based Privacy Rights Clearinghouse, an independent body that tracks data loss, estimates that more than 218 million U.S. citizens have been placed at risk of identity theft since January 2005 due to a lack of data security. In fact, during six days in February 2008, the organization chronicled the loss of more than 360,000 confidential records associated with six separate data leakage incidents!
Overseas customers are not fairing much better -- in the UK, recent announcements from Her Majesty's Revenue and Customs (HMRC), the Driver and Licensing Agency (DVLA) and the National Health Service (NHS) alone are believed to have affected up to 26 million UK residents in just one month. When we narrow the spotlight of data loss just to focus on removable media devices -- such as iPods, USB sticks, and CDs -- news stories (from just a six week period) at the end of 2007 included a stolen University of Cincinnati flash drive affecting more than 7,000 students, loss of two disks containing details of over 6,000 records of the Driver and Vehicle Licensing Agency in Northern Ireland, and a lost flash drive of a University of Nevada, Reno professor containing 16,000 Social Security numbers.
This is just a small selection of stories that underscores the importance of endpoint security and the risks organizations face by allowing computer users (whether legitimate or not) uncontrolled and unmonitored access to the network via removable media devices.
Recommendation: Instead of thinking "it won't happen to me," IT security professionals should build a business case to implement the technology and policies necessary to protect against data loss via removable storage devices.
Myth #2: Data breaches aren't all that serious
The 16,000 students at the University of Nevada whose Social Security numbers were leaked might disagree. In fact, recent research suggests it takes a victim of identity theft an average of two years (roughly 175 hours of writing e-mail messages and letters, making phone calls, etc.) to clear their credit report.
The pain isn't limited to the individuals whose personal data is lost. According to the Ponemon Institute, a privacy and information management research firm, data breaches cost companies an average of $197 per compromised record in 2007 -- an increase of $15 per record from 2006. Lost business opportunities, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase, rising from $98 in 2006 to $128 in 2007 -- a 30 percent increase. These figures account for the costs associated with the negative publicity and productivity loss experienced as companies devote resources to mitigate the damage of the data loss.
No matter what details are contained within the exposed data, there is always a risk, whether to the organization itself or the customers and partners. In extreme cases, USB device losses have even led to potential terrorist threats, such as a report of purloined flash drives containing classified U.S. military secrets for sale in an Afghan bazaar.
Recommendation: Use the public record, for example the above statistics and stories, to build the case that data loss poses significant risks to the organization (financially, morally, etc.). Security policies need to be implemented immediately to reduce the likelihood of it negatively impacting your business.
Myth #3: Data loss is caused by hackers
You may have the world's most trustworthy employees, but this won't change the fact that employees are ultimately responsible for 50 to 70 percent of a typical organization's data leaks, according to Forrester Research. Further compounding the risk of an internal leak is the extensive use of contractors and consultants -- in one recent analysis, 72 percent of companies surveyed reported that their organization employs temporary workers or contractors who require access to sensitive information and systems.
It is vital to recognize that when it comes to data security, trust is not an option. The fact that the vast majority of employees are honest and would not deliberately put their organization's or customers' data at risk doesn't change the reality that ignorance, malfeasance, misconduct and even intentional action inside the firewall are the cause of most data loss. Without the right measures in place, your organization will be open to many security risks:
- Unauthorized removal of content from the network
- Transfer of malicious and unwanted content to networked PCs
- Exposure of sensitive data carried outside the organization
Recommendation: Create, enforce, and monitor acceptable-use policies regarding removable storage devices in the workplace. Actively train employees and contractors on these guidelines.
Myth #4: Other security issues are a higher priority
Similar to the myth #1, this objection is often used by overwhelmed security professionals trying to rationalize the decision to not implement the necessary technologies and processes that prevent data leakage. Unfortunately, it's often uttered after a breach has occurred, which makes it difficult to justify a security strategy that explicitly exposes an organization to the enormous risks associated with data loss.
Although many security managers may point to the need to revise other existing security mechanisms (such as content filtering, anti-virus, and intrusion prevention), the fact is that most organizations already have solutions in place for these types of risks. In contrast, research conducted by Centennial Software in 2007 found that only 16.4 percent of surveyed companies actually have technology in place to prevent data loss on network endpoints, and nearly 85 percent of respondents had no way of stopping data leaving the network through local connections of PCs.
The high percentage of incidents caused by lost devices and negligent employees, combined with a lack of any current technology to protect against unauthorized device connections, means that addressing data leakage on network endpoints must be a top priority for all organizations in 2008.
Recommendation: Include protecting your endpoints from data loss as an integral part of your 2008 security strategy.
Myth #5: Security hurts productivity
While security solutions in general might not have the best track record in terms of enabling computer users (not to mention IT resources) to be as productive as possible, there is no reason that a well-chosen solution will harm productivity. Indeed, in many cases, it can free up IT staff to be more productive on other tasks.
As in all areas of business, creating an effective strategy to prevent data breaches is about striking the right balance for the organization's individual needs. The aim has to be to address the largest areas of risk with the most effective use of resources and the minimum impact on day-to-day operations.
When it comes to managing removable media devices, the important fact to remember is one size does not fit all. Different employees have different legitimate needs. Some employees who wouldn't traditionally need to use a particular type of device might need a temporary exception at some point in time. Thus, when implementing safeguards against data leakage, it is useful to follow a simple five-step approach:
1. Understand the risk
How many devices come into your workplace? How often do your users connect? Are some departments more prolific users than others?
2. Review the business requirements
Using a PDA to keep track of appointments and contacts is an efficient way to conduct business. Connecting an iPod to the network and downloading music is not. Determine legitimate business needs by department or individuals, and address all operational risks outside of these.
3. Create a removable device policy
Acceptable use policies (AUPs) can provide directions on employee use of portable media devices, but are unlikely to provide detailed enforceable guidelines. Employee awareness of a policy's existence through effective internal communication is a crucial component of any security measures. Consider the components of the policy as well -- if removable storage devices are permitted, which ones? Will you require encryption for any files transferred? Will you monitor and enforce policies surrounding the content of the files that are transferred?
4. Enforce the policy
If there is no enforcement of written policy, you can be assured breaches will occur and good intentions are not enough -- you need technology to help enforce your policies.
5. Educate, review and repeat
Don't leave staff in the dark. Communicate whether security software has been deployed to further reinforce the established AUP. Proactive monitoring of device connections will identify recurring trends in device usage, while ensuring usage policies are aligned with the current perceived level of threat. When employees are blocked from certain tasks, take the opportunity to educate them on the policy and the reasons for its existence.
Recommendation: Identify the risks associated with data loss. Create, implement, enforce and monitor the appropriate security policies.
Myth # 6: Our "No Portable Devices" policy already protects us
Many organizations choose to publish a "no personal devices in the workplace" policy in the hopes of deterring a security breach. However, enforcing such a policy is fraught with frustrations and is almost certain to be ineffective.
Personal "lifestyle" IT devices such as MP3 players, PDAs, USB sticks, and smartphones are now so common in the workplace that they rarely warrant a second glance. What's more, with their small size and inconspicuous nature (some USB sticks are even shaped like bracelets, pens, or watches), it's virtually impossible to stop these from coming into the office, even with a security detail checking each person entering and leaving the building.
Relying solely on a "no personal devices" policy is no better than leaving your IT security entirely to chance, as it will not only fail to stop the devices from entering the workplace. It also provides the organization with no visibility of how these devices are being used on the network and may impact the productivity of your employees who have legitimate business needs to connect devices to their PCs.
With an active approach to enforcing the security policy, employees' compliance isn't a question. Instead, the organization can achieve total visibility of all attempted device connections and data transfers in a completely transparent manner that does not affect the day-to-day operations of staff.
Recommendation: Augment AUP policies with technology to ensure you are able to effectively monitor and enforce your desired employee behavior with regards to removable storage devices.
The Bottom Line
Recent headlines proclaiming 2007 as the worst year for data breaches inevitably will be repeated in the future unless organizations make protecting the network endpoint a critical component of their security strategy. The costs of data leakage to the organization and its employees, partners and customers are too great to ignore any longer. The good news, however, is that most analysts agree that the vast majority of past incidents could have been prevented if the organizations had followed the simple advice of defining, monitoring and enforcing policies on the transfer of data to removable storage devices.
- - -
Matt Fisher heads the corporate and EMEA (Europe, the Middle East, and Africa) regional marketing teams at Centennial Software. You can reach the author at mattfisher@frontrange.com.
News sources included breachblog.com and watchyourend.com, Forrester Research, Ponemon Institute, "Business Impact of Data Breach", May 2007