Data theft¹ is the illegal transfer or storage of any information that is confidential, personal, or financial in nature. It is considered a serious security and privacy breach, and the consequences of data theft can be severe for both individuals and businesses. It has caused, and will continue to cause, many untold problems for organizations across the globe, so what is the solution? How can you and your company protect against it?
Bill Hardin, CFE and Director of Navigant Consulting, offers his advice on how CFEs can help their clients and companies guard against data theft by focusing on 4 main areas:
1) Cost effective practices
Hardin suggests looking at data theft from two different layers: physical security and information security. With regard to information security, a quick way that companies can help themselves right now is to adopt what is called two-factor authentication. That is where an end user enters their password and then also receives a certificate or a numeric password that they must enter as well; requiring two factors instead of one is a quick way to keep intruders out.
Another quick solution is DLP (data loss prevention), which scans your network for PHI (protected health information) or PII (personally identifiable information), a term for personal data such as names, dates of birth, social security numbers and credit card numbers. This lets you find out who in your company has access to this sensitive information, and it is another proactive, rather than reactive, approach. In terms of physical security, Hardin mentions tools such as key cards, deciding who is actually going to get into your building, and how employees will gain access to your networks. Basically, everything needs to be looked at holistically when you are addressing these issues.
2) Common control weaknesses
From an IT perspective it is very important to understand what your employees have access to. Hardin advises against using shared general administrator passwords; instead, assign everyone in the company their own username and password, and then scrutinize the privileges associated with each account. As a former software developer, Hardin also recommends using dummy data rather than actual production data to test specific systems, so that you do not have to worry about where that data is moving or what is happening to it.
Looking at the problem from a rogue program perspective is also essential if you are going to allow your developers to download open source software and other things that are out there. You have to monitor this very carefully, because a lot of open source software contains links in blogs and other areas that could download malware or other nasty things that you do not want in your environment. Again, you have to weigh those risks and controls and make a coordinated decision on how to move forward.
3) Access Controls
Hardin mentions a couple of different ways this can be done. Firstly, through Sarbanes-Oxley² testing you can look at roles and responsibilities for people within the company; he recommends this be done on roughly a monthly basis, although a lot of companies do it either semiannually or annually. Remember that people change roles and responsibilities all the time, so it is always good to keep on top of that. Secondly, monitor, monitor, monitor. Who has access to what? Where is the data being stored? You need to understand where your data is, especially your sensitive data, and who has access to it. You also need to review employee privileges regularly to decide whether they really need certain specific types of access.
4) Security risk assessment
Security assessments are done in a lot of different ways and are another key area in protecting against data theft. One that Hardin mentions is external penetration testing, where you hire a third party to test your company's website to see what type of vulnerabilities are exposed on the outside. Then there is internal penetration testing, which Hardin terms social engineering: you hire another third party to come in and see how far they get within your network before you are able to realize and stop the infiltration.
Carrying out software audits and checking that you have all the relevant licenses on all the proper machines is another protective action that Hardin advocates. If you pull in someone's machine and it has particular software that you do not know about, that can become another problem in itself. Asset tracing is also highly beneficial: knowing how many assets are within your network, and whether you know about all of them. Do you have a server sitting out there that you had no idea somebody plugged in?
Lastly, taking the time to actually scan your email files can also add some protection. Again, it is a quick thing to do, but what if somebody is receiving information, for example a client list, that has social security numbers on it? Do you really want that running wild within your network in case that person accidentally loses her laptop or your email system gets hacked? Preventive maintenance is by far the best way to protect your company against data theft. As Hardin notes, "know what you're going to get before it gets into you."
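As an added example (not part of the ACFE excerpt or Hardin's own material), here is a small DLP-style scanner of the kind described under 1) and 4): it runs over constructed sample email lines, flags social security and credit card number patterns, filters false positives with SSA issuance rules and the Luhn check, and reports only redacted values so the report itself does not spread the data.

```python
import re

# Constructed sample "email" lines standing in for a mailbox or file share
# that a DLP tool would scan. All values are made up for this example.
SAMPLE_LINES = [
    "Client list attached: John Doe, SSN 123-45-6789, card 4111 1111 1111 1111",
    "Order #2024-09-01 shipped, tracking 999-99-9999",   # 999 is never an SSN area
    "Reminder: the meeting is at 10am in room 4012-8888",
    "Backup card on file: 4012-8888-8888-1881 expires 12/27",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by spaces or dashes, starting and ending on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def valid_ssn(area, group, serial):
    """Reject numbers the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(value):
    """Keep only the last four digits so the finding can be reported safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_line(line):
    findings = []
    for m in SSN_RE.finditer(line):
        if valid_ssn(*m.groups()):
            findings.append(("SSN", redact(m.group(0))))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("CARD", redact(digits)))
    return findings

def scan(lines):
    """Map line index -> findings for every line that contains sensitive data."""
    return {i: f for i, line in enumerate(lines) for f in [scan_line(line)] if f}

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LINES).items():
        print(f"line {idx}: {found}")
```

The constructed lines 1 and 2 produce no findings: the 999-99-9999 value fails the SSA rule and the room number is far too short to be a card, which is the kind of false positive a naive pattern match would report.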
Data theft = Data theft is the illegal transfer or storage of any information that is confidential, personal, or financial in nature, including passwords, software code, or algorithms, proprietary process-oriented information, or technologies.
DLP = Software designed to detect potential data breaches.
PHI or PII = Any data that can be used to contact, locate or identify a specific individual, either by itself or combined with other sources that are easily accessed.
Sarbanes-Oxley (SOX) = A United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms.
Note: This essay is excerpted from the ACFE website.