Information to go
Tuesday, December 13, 2016
The Anti-virus Times issue "Cheap passwords for sale" spawned a discussion in the comments section about whether it’s possible to protect corporate data. Indeed, while most people consider anti-virus protection to be a requirement for organisations and understand why it’s important to protect personal information (belonging to employees, customers, and partners), few ever think about protecting company data. Why is that?
Any activity leads to an accumulation of information—information that may only be relevant internally or may have a certain value on the black market. Data on industrial technologies, ongoing research, source code, the financial and economic status of an enterprise, concluded contracts and contractors, capital structure and investment plans, other plans and upcoming promotions, how accurately the company assesses the competitive potential of its products, its customers—the list can go on and on. Obviously, this information shouldn't always be available to prying eyes or certain groups of staff.
The American Journal of Chemical Engineering published a list of 16 sources of information.
- Information found in mass media, including official documents like court reports;
- Information from employees of competing firms;
- Stock exchange documents and consulting reports; Financial reports and documents made available to brokers; Materials showcasing company exhibitions; competitors' brochures; Reports drawn up by sales reps;
- Assessments of competitive products; Information obtained during talks with competitors' employees (without breaking any laws);
- Hidden polls and information acquired from competitors' employees at technical and scientific conferences;
- Covert surveillance;
- Talks about employment prospects with employees of competing companies (even though the interviewers do not intend to hire the people);
- Fake negotiations with a competitor about possibly purchasing a license;
- Hiring a competitor's employee in order to acquire needed information;
- Bribing a competitor's employee or an employee of one of its suppliers;
- Using an agent to retrieve payroll information from a competing company;
- Bugging negotiations being conducted by competing firms;
- Intercepting wire communications;
- Eavesdropping on phone calls;
- Stealing product samples, blueprints, and other documentation;
- Blackmail and extortion.
Why is confidential information so hard to protect? With an anti-virus, things seem fairly simple: just install it on all machines, let it do its job, and remember to renew the license once a year (in fact, it's a bit more complicated than that, but we'll discuss this some other time). But protecting trade secrets is a whole different story.
First, one must determine what information is a trade secret and what information doesn't need to be protected. It must also be decided who should be able to access certain data. There are also storage and access procedures to consider.
Essentially we’re talking about proper auditing and a description of a company’s business processes. But business processes are not static, and people like to break rules. This means one must ensure that people follow established routines and rules, and adjust those procedures when necessary.
Problems with encryption ransomware show how difficult this task can be: no matter how much effort is devoted to educating staff, every now and then someone will surely open an email containing a Trojan or click on a link.
In other words, technical restrictions aren't enough. Organisational restrictions should also be put in place, and a reasonable balance must be found between the desired level of secrecy and productivity.
One simple question. If a system administrator has access to all of a company’s machines, should that person be able to access the PC on which an order for his dismissal is being prepared?
The Anti-virus Times recommends
A journey of a thousand miles begins with a single step. Do not immediately look for a comprehensive solution. You may invest a lot of money, but, realistically speaking, no one will follow the new rules. First, try something simple. Establish protection from spyware and keyloggers! Yes, criminals are interested in corporate secrets, too, and to steal them, they actively employ malware. So, protecting a company from cyber threats is part of keeping trade secrets secure.
- Determine who can access external services. Establish rules for accessing services if an employee who has access to those services is absent. Also, enforce a procedure to revoke temporary access permissions.
- Decide where important information can be stored and whether computers that access the Internet can be utilised for this purpose.
- Determine how to protect employee personal devices that are used for company business.
- Define access permissions for employees who use company computers.
Document all the above and make the resulting regulations binding for all company employees. And, remember: data protection is an art. The art of war for survival.