InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity May 2009

Security Trend

Data Theft by Employees: Combating The Inside Threat

Preventing data theft by employees is undoubtedly a daunting task for almost all CIOs. But how widespread is this problem? In this article, the author discusses the seriousness of the problem, its impact and its extent. The author also discusses some preventive measures which, if followed properly, bring down the risks significantly.

Data theft is a problem that most organizations are experiencing or have already experienced. A company’s confidential information includes its employee records, contracts with other firms, financial reports, marketing plans, new product specifications, and so on. If this information falls into a competitor's hands by any means, imagine the drastic impact of such an incident on the company’s reputation. The problem is indeed mounting, and companies are desperate to overcome this challenge.

Problem

Data security practices tend to focus on the risks posed by a computer hacker, while overlooking the risks posed by a colleague in the next cubicle. The vast majority of employees may be trustworthy, but a moment of haste, anger, or greed may transform an employee into a serious threat to the company's data. There are countless stories which we keep reading about data security breaches caused by employees, such as the following real-life examples:

  • An employee of a financial institution left a laptop computer containing customer data in an unlocked car, and the laptop was stolen;

  • A former employee gained access into the company's personnel database and deleted records of compensation, promotions and awards, and employee transfers;

  • A support center employee at an Internet access company secretly downloaded personal information of half a million subscribers and threatened to post it on the Internet unless the company paid millions of dollars in ransom.

These examples demonstrate the broad range of employee actions, from unintentional to unlawful, that can compromise the security of an employer's data. That being said, the risk of intentional theft or misuse of data by employees should not be underestimated. According to a new study, up to 70% of identity theft in the United States starts with data theft by an employee. As much as a company trusts its employees, it must protect its data against the type of "worst-case scenario" that can be caused by a disgruntled or careless employee. While focusing on the technological aspects of data protection, companies often neglect the most critical component of any data security program related to their employees.
 
The Cyber Crime Investigation Cell (CCIC) of the Mumbai Police is currently conducting investigations in a case of possible corporate data theft, in which a former employee of a leading IT company illegally logged into the firm’s data network and stole sensitive information by sending data files to his personal e-mail address.

The company, which provides market research, data collection, analytics and online marketing services to global clients, has approached the police with a complaint that the suspected data thief is about to join a rival company in Chennai, armed with sensitive information belonging to his former employers.

On June 24, 2008, the CCIC received a complaint from two officials from Ugam Solutions based at Malad Link Road in Goregaon (West), regarding the data theft. “We have received a complaint regarding data theft from Ugam Solutions by a former employee, and the Cyber Crime Cell is conducting preliminary inquiries in the matter,” Joint Commissioner of Police (Crime) Rakesh Maria said.

According to the company’s website, with over 800 professionals across Mumbai, London, San Francisco and Chicago, Ugam Solutions is an Indian-owned company with a global presence, and one of the world’s largest providers of market research outsourcing services.
 
Breaches are also becoming more technology based. Electronic data breaches accounted for 80.7 percent of the total, versus 19.3 percent that were considered paper breaches.

Costs of Data Leakage

The costs can span many areas. These can be anything from public embarrassment to financial loss, reduced stock equity, loss of competitive advantage or even criminal investigation and prosecution. In the case of Apple, where their employees revealed product information before it was released, the company's share price plummeted after the leak was revealed. The company can be forced to fire the employees involved, resulting in embarrassment, lost productivity and legal costs.
 
Data Leakage is real and it starts on the inside. We often spend so much time building a wall around our enclaves that we do not consider risk internally. Unfortunately, real incidents are telling us we should look inward first and then outward. How secure do you feel about your data leakage prevention efforts?

Leakage involves distribution methods where data could be released accidentally or stolen intentionally. When the action damages an image or reputation, the financial costs of data leakage are very hard to quantify.

In more tangible matters, like IP loss, a damage assessment can probably be compiled. Consider the case of Acme Telepower, which decided to shut its Indian operations when an ex-employee stole and sold research data to a competitor. When the law failed to act upon their complaint, the company decided to shift its base to Australia. Besides affecting the lives of 1,100 employees, the company is also claiming a national loss of Rs 750/- crores. Such data breaches by employees not only result in financial losses, but also bring out the lack of legal remedial measures available.

Law Related Information

The Indian legal system is substantially based on the British common law system. While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy under the provisions of the Indian Penal Code, 1860 ("IPC"), and for hacking under the Information Technology Act, 2000 ("ITA"). Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are non-bailable and carry penalties that range from imprisonment for a year to life imprisonment, as well as fines. 

Moreover, certain offenses carry higher penalties when the offender is an employee, a public servant, a merchant, an attorney or an agent. For example, misappropriation of data by criminal breach of trust carries a penalty of imprisonment for up to three years. However, when the criminal breach of trust is carried out by an employee (such as in a case where the data is dishonestly misappropriated and converted by an employee for his or her own use), the penalty increases to imprisonment for up to seven years. Further, when the offender is a public servant, merchant, attorney or agent, the penalty can be as high as life imprisonment. 

In addition to these criminal proceedings, civil proceedings for copyright infringement under the provisions of the Copyright Act, 1957 ("CA") and the Specific Relief Act, 1963 ("SRA") are also typically initiated to prevent the misuse and dissemination of data. The penalties under the CA and the SRA can range from hefty fines and damages to temporary and permanent injunctions.

Over and above the laws currently in place, the Indian government is in the process of amending the ITA to deal with data privacy and security issues. The proposed amendments are currently under review by the Ministry of Law, Justice and Company Affairs before being presented to the Indian Parliament. They include provisions that would empower the Central Government to make rules concerning control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records, and rules prescribing modes of encryption for data security.

Core Issues

Organizations have realised that information or data is the real asset that they build over the years, and some measures have been adopted to protect it. These range from encryption technologies, password-based protection of documents, token-based security systems and email sniffing utilities to blocking hardware devices like USB drives and CDs, or even blocking access to public email systems. Some companies have adopted solutions like document management systems or content portals, which prevent unauthorised people from accessing information. However, none of these, nor even a combination of them, is enough to completely address the issue of data theft by insiders.

The core limiting factor is that all these systems provide "access" control only. This means they can help organizations to define "who" can access which documents, but once the "access" is given, there is no control over how the person uses the information. For example, if a confidential document is encrypted before it is shared with employees, the employees will need to be able to decrypt the document to access the information. Once this is done, the employee can easily take printouts, copy information from the file into other documents and share it with anybody at will. Also, once someone has been provided access to the document, there are hardly any measures to "call back" the access, which is required in case an employee who has access to confidential documents quits.

The other problem is that most of these security measures are perimeter based. This means that once the document is out of a virtual boundary (like a document management system) or a physical boundary (like the office), no protection is possible. Basically, these measures only protect the entry and exit points of the distribution of information, and not the information itself. The need of the hour is "information centric" protection. In other words, the protection should be on the content itself and not on the environment where the digital content resides. Thus, whether a document is available in the office, on a portal or document management system, or outside the office, the protection on it should prevail, and should be controlled centrally.

Preventive Measures

Information Centric security mechanisms will address most of the core issues related to document security, especially when the documents are shared within and outside of the organization. Advanced solutions help organizations to maintain confidence in the security of the information even while sharing it. They provide "usage" control over and above access control, which helps to provide different usage rights to different people for the same document. These usage rights restrict or allow actions like viewing, editing, printing and distribution. They also block screen capture and video grabbing tools from taking an image of the document. The usage rights are applied independently of how documents are shared (CDs, emails, pen drives, FTP, shared folders, messengers etc.). Besides action-based control, date and location or IP based rights can also be imposed to control the time and place of access to the information. FileSecure also provides inbuilt audit trailing features which help enterprises to ensure compliance with the requirements of standards like Sarbanes-Oxley, ISO 27000-1 and HIPAA.
 
Rights on documents protected by FileSecure can be changed dynamically, and made applicable without having to re-send the document. Thus, using such advanced solutions, it is possible to stop an employee from having access to any sensitive document that he may have stored a personal copy of, as soon as he has announced that he is quitting. Even while he had access, with usage control on printing, screen grabbing, saving copies etc., the information is safe from further distribution.

Information Centric security solutions and a stringent process for information sharing, along with appropriate employee orientation to sensitize them to the importance of using such measures, would be the starting point towards building a secure eco-system to conduct business in.
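
The usage-control model described in this section, sketched as an added example: it is not FileSecure's or any vendor's code, and the `PolicyServer` and `Grant` names, the document id, users, dates and IP ranges are all constructed. It assumes a protected file asks a central server before every action, which is what lets rights differ per user, be tied to date and network, be revoked after the copy has left the office, and leave an audit trail.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

@dataclass
class Grant:
    actions: frozenset   # subset of {"view", "edit", "print", "distribute"}
    valid_from: date
    valid_until: date
    network: str         # CIDR range the document may be opened from

class PolicyServer:
    """Hypothetical central rights store, consulted before every action on a protected file."""
    def __init__(self):
        self.grants = {}   # (doc_id, user) -> Grant
        self.audit = []    # (day, user, doc_id, action, allowed, reason)

    def revoke_user(self, user):
        # "Call back" access, including for copies already outside the office
        for key in [k for k in self.grants if k[1] == user]:
            del self.grants[key]

    def check(self, doc_id, user, action, today, src_ip):
        g = self.grants.get((doc_id, user))
        if g is None:
            reason = "no-grant"
        elif action not in g.actions:
            reason = "action-not-permitted"
        elif not g.valid_from <= today <= g.valid_until:
            reason = "outside-date-window"
        elif ip_address(src_ip) not in ip_network(g.network):
            reason = "outside-allowed-network"
        else:
            reason = "ok"
        self.audit.append((today, user, doc_id, action, reason == "ok", reason))
        return reason == "ok", reason

def demo():
    ps = PolicyServer()
    start, end, net = date(2009, 5, 1), date(2009, 5, 31), "10.0.0.0/8"
    ps.grants[("plan.doc", "analyst")] = Grant(frozenset({"view"}), start, end, net)
    ps.grants[("plan.doc", "manager")] = Grant(frozenset({"view", "print"}), start, end, net)
    day = date(2009, 5, 12)
    cases = [("manager", "print", "10.1.2.3"), ("analyst", "print", "10.1.2.3"),
             ("analyst", "view", "203.0.113.9")]
    results = [ps.check("plan.doc", u, a, day, ip) for u, a, ip in cases]
    ps.revoke_user("analyst")   # employee announces resignation
    results.append(ps.check("plan.doc", "analyst", "view", day, "10.1.2.3"))
    return results, ps.audit
```

Denied requests are logged as well as allowed ones, so the audit trail shows attempted use after revocation, not just successful access.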

Conclusion

Data theft is undoubtedly a growing concern, and it is more challenging when the theft is by internal employees. Organizations have to implement proper access and control policies, besides periodically reviewing those policies, to prevent unauthorized access. Protection of sensitive data with advanced solutions can significantly bring down the risks of data theft, and in turn an organization can avoid irreparable loss.


By: Vishal Gupta, CEO, Seclore Technology.



© 2006-07 'InfoSecurity' magazine. All rights reserved.