Information leak investigation
For a company, data leakage is the cause of serious financial losses, therefore, it is required not only to establish the operation of the protection system, but also to think over all possible risks and ways of data leakage, as well as ways to quickly identify and eliminate the fact of disclosure or theft of information.
The main channels of data leakage and protection methods
There are four types of data leakage channels in any company.
An acoustic channel, which includes all cases of communication between employees who can share official information for work purposes. Consider situations where employees with higher rights of access to information inadvertently release important data to other employees or competitors.
Attackers carry out theft of data via an electromagnetic channel by reading electromagnetic waves and interference from technical means. Leakage is detected after a competitor has received and used the data against the company. For protection, standard techniques are used that are supported by most automated systems: shielding and the use of RF noise generators.
Large IT corporations are most often exposed to the risk of leakage through the visual-optical channel. Competitors are interested in prototypes of device models, content of private meetings, etc. Visual leakage is impossible if the subject of interest is in a room that is completely isolated from natural light.
The material-material channel is the theft of copies of documents, models, sketches in physical and electronic form, as well as theft of information carriers with confidential data.
Determining the fact of a data leak
The fact of information theft is determined in two ways.
- The employee witnessed the incident and can point to the attacker. In this case, it is likely that the thief will be caught even before he transfers the trade secret to a competitor or makes the classified data public.
- Theft becomes known after a competitor has used the secret against the company and the damage has been done. This is the most common case and is due to the use of an acoustic leakage channel or human error.
At the stage of leak detection, DLP systems work effectively. If an employee tried to send protected data from a working device outside the protected network, the system will automatically record the fact of a leak and point out the culprit.
The fact of the leak can be determined by watching the recordings from video cameras. The employee may have taken out of the premises copies of important documents and did not enter the information on the receipt of copies in the register. Another employee is often carried away from the workplace by information carriers: hard drives, flash drives, optical disks, office laptops.
Data loss prevention
First of all, information leakage is a consequence of violation of the trade secret regime and the cause of financial losses for the company. In the event that a leak is identified, the security team should start preventing the threat as soon as possible.
All preventive measures must comply with applicable laws. It is important to take organizational measures on time: to close access to information because of the danger of repeated theft and to start an investigation. On a technical level, DLP systems can prevent leaks by automatically detecting attempts at unauthorized data transmission.
Data leak investigation
At the first stage of the investigation, the security service determines the type of leak: accidental or intentional.
As a rule, the fact of an accidental leak is easy to identify by reviewing DLP system reports, interviewing employees or examining video surveillance records that record the actions of personnel in the workplace.
The survey is conducted by the chief security officer or director of the enterprise. The reason for the meeting should not be given. At this stage, it is effective to use psychological methods of influence and observe the employee. Unclear answers, discrepancies in facts - all these indicate a possible attacker.
If there has been an intentional theft of data and the disclosure has already taken place, it is recommended to follow the steps in stages:
- Determine the group of employees who had access rights to the stolen data.
- Interview each employee from the identified group.
- Compare all the testimonies received and identify the main suspects.
- Check the actions of the main suspects over the last period: when they came to work and left the workplace, what information they worked with, etc. - and identify the intruder.
- Begin the procedure to prosecute.
Depending on the scale of the damage, the head of the security service, together with the head, determines the punishment for the perpetrator of the leak. Types of liability include: material (fine, loss of premium); administrative and criminal.
In case of compliance of the offense with administrative or criminal responsibility, law enforcement agencies are involved in the investigation. An official investigation also begins in a situation where the employee refuses to pay material compensation.
As a measure of punishment for accidental leakage of information, only a reprimand is most often applied to an employee. According to the research by SearchInform, 34% of Russian companies practice such a measure. The most common punishment for a data breach is the dismissal of the perpetrator, as 47% of companies do.