Data Leakage Prevention Strategy for Portable Devices

Monday, June 24, 2013

Ajay Kumar


Can you imagine how much it would cost if you copied a few hundred records of sensitive data onto a portable device such as a laptop, USB stick, hard drive, CD or DVD, and later realized that it had been lost, stolen or left unattended somewhere and had fallen into the hands of strangers or bad guys? You will probably not realize it until you actually experience an incident and the losses it causes.

In a recent incident, a hard drive containing the personal information of 14K students was found unattended for up to 48 hours in the computer lab of Champlain College in Burlington, which could have led to the exposure of 14K Social Security numbers.

In another instance, the Information Commissioner’s Office fined Glasgow City Council £150,000 for losing unencrypted laptops containing the personal details of more than 20,000 people, with 6,000-plus bank account details.

So what is the issue here? Is it a failure of technology, process or people?

Technology: obviously this is not a technology failure. If a portable device is encrypted in the first place, before a single record of sensitive data is copied to it, then even if it is lost or stolen, the data it contains is of no use to the person into whose hands the device falls; the data can’t be recovered without the decryption key.

Process: this is the bridge between technology and people when it comes to information security, as neither technology nor people alone can play a big role in data protection. Every organization today has or runs a data security program that clearly lays out the prerequisites for how to deal with personal and sensitive data and enforces strong policies to control it.

People: the human factor plays a big role in data protection initiatives. According to the “2013 Cost of a Data Breach” study conducted by the Ponemon Institute, 37 percent of data breaches occur due to malicious or criminal attacks, followed by 35 percent due to the human factor and 29 percent due to system glitches or errors. For example, in the Glasgow City Council incident, it was found that the laptops were pinched from the council’s offices while the premises were being renovated; they had been locked in a storage drawer, but the key was put in a drawer that was unlocked.

Data Protection Best Practices

While every organization uses, processes and stores some sort of sensitive data, each requires a unique set of processes, procedures and controls to prevent data leakage.

  • Data protection strategy

Every organization needs a data protection strategy to effectively and efficiently address the threats to the information assets it owns across the enterprise. In addition, as part of the data protection program, the data protection solutions should be able to control and enforce policies on portable devices, generate key metrics (for example, the percentage of endpoints running with encryption enabled), and provide other tools to observe and test the effectiveness of the solutions and minimize the risk of data loss.

  • Device procurement and disposal process

A strong IT asset and inventory management process has to be adopted enterprise-wide, and it should cover every aspect of device lifecycle management: for example, which devices are approved from a security standpoint for use in the enterprise and with what minimum security baseline configuration, the device procurement procedure, installation, configuration, and tagging of the device to a user for accountability, through to safe disposal of the device.

  • Deploy data protection tools

Data protection tools like encryption provide strong protection against data leakage and reduce the risk of data falling into the wrong hands if the device is stolen or lost. Further, tools like data loss prevention (DLP) can be used to enforce data protection policies and rules while sensitive or classified data is being moved onto portable devices, and can stop the user’s action whether it is performed deliberately or accidentally.

  • Security incident & response process

What if a device is stolen? The enterprise needs a centralized reporting and incident response process and procedures for reporting the loss or theft of devices, and for appropriately assessing the risk of data leakage in these scenarios, to minimize the impact on the organization.

  • Compliance reporting and monitoring

Compliance monitoring and reporting can play a big role in data leakage prevention. Any data protection solutions or procedures adopted in the enterprise are of no use unless the compliance monitoring and reporting procedures are strictly followed: for example, a device may initially have data protection tools installed to enforce the policies and rules, but a user later disables them. So it is critical for organizations to monitor and report the compliance status of devices on a periodic basis, report non-compliance, and take appropriate remediation actions in a timely manner.
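As an added illustration (not part of the original article), the sketch below computes the "percentage of endpoints running with encryption enabled" metric from the strategy section and flags the drift case described above, where protection was enabled and later disabled. The CSV field names, the sample records and the 30-day reporting threshold are assumptions made for this example.

```python
import csv
import io
from datetime import date

# Constructed sample: periodic compliance snapshots (field names are assumptions).
SNAPSHOTS = """device_id,owner,report_date,encryption_enabled
LT-001,alice,2013-06-01,yes
LT-001,alice,2013-06-15,yes
LT-002,bob,2013-06-01,yes
LT-002,bob,2013-06-15,no
LT-003,carol,2013-06-01,no
LT-003,carol,2013-06-15,no
LT-004,dave,2013-05-02,yes
"""

def load_history(text):
    """Return {device_id: [(report_date, encrypted), ...]} sorted oldest first."""
    history = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = (date.fromisoformat(row["report_date"]),
                 row["encryption_enabled"].strip().lower() == "yes")
        history.setdefault(row["device_id"], []).append(entry)
    for entries in history.values():
        entries.sort()
    return history

def compliance_report(history, today, max_age_days=30):
    """Compute the encryption metric and list devices needing remediation."""
    compliant, regressed, never, stale = [], [], [], []
    for dev, entries in sorted(history.items()):
        last_seen, encrypted = entries[-1]
        if (today - last_seen).days > max_age_days:
            stale.append(dev)       # state unknown: not counted as compliant
        elif encrypted:
            compliant.append(dev)
        elif any(enc for _, enc in entries[:-1]):
            regressed.append(dev)   # protection was on earlier, later disabled
        else:
            never.append(dev)       # never met the encryption baseline
    pct = round(100.0 * len(compliant) / len(history), 1) if history else 0.0
    return {"encrypted_pct": pct, "regressed": regressed,
            "never_encrypted": never, "stale": stale}

if __name__ == "__main__":
    print(compliance_report(load_history(SNAPSHOTS), today=date(2013, 6, 24)))
```

Devices that have not reported within the threshold are counted against the metric rather than assumed compliant, since a lost or tampered endpoint is exactly the one that stops reporting.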

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.