Protection against data leaks
How to protect a company from leakage of financial and other classified information
At our disposal proved to results of a study on the diversion of financial and other confidential company information. Without exaggeration, in almost half of the cases, "company secrets" become someone else's property by accident. We conducted our own investigation and found out the weaknesses in the protection of information from leaks through technical channels, as well as ways to prevent incidents.
One of the most vulnerable in terms of leaks is information directly related to accounting: financial documents, reporting, business plans, contracts, prices, salaries, personal data of employees.
How information leaks
There are plenty of sources through which information leaves the company: various messengers (Skype, ICQ, etc.), e-mail, open sources (social networks, forums), paper, flash drives, disks, backups. Moreover, both in the case of accidental leaks, and in the case of deliberate discharge, the sources are the same.
By the way, there is almost a whole industry for obtaining classified information - illegal and competitive intelligence. The first involves espionage: those who need information recruit company employees or introduce their own person into the staff. Competitive intelligence operates openly - through social networks, interviews, open sources of information.
Signs that may suggest that there is a trade in "company secrets" nearby
First, customers leave the company - most likely someone has leaked the customer base to competitors.
Secondly, an obvious change in the behavior of some employees: a sudden improvement in their financial situation, a decrease in interest in work, an intensified correspondence on the Internet, the frequent sending of graphic or password-protected archived files.
Thirdly, "clustering". Thus, in one company, 30 out of 40 employees who were involved in the conclusion of contracts, by agreement, registered their own organization and actually worked for it. Employees offered the same services to clients with whom they directly communicated, but at a slightly cheaper rate and renewed contracts with them on behalf of their own organization.
Effective ways to prevent leakage
- Labor contract. It can be directly stated in it that the employer has full access to information on employees' computers, and in the event of disclosure of trade secrets, will demand compensation for losses. These measures are a powerful psychological deterrent.
- High salary. The fear of losing it will most likely discourage the employee from betraying his company.
- Surveillance and wiretapping. There are programs that control everything that happens on the computer. If employees know that they have it installed, they are unlikely to have a desire to transfer classified information from a work computer. They also install their "bugs" in offices or meeting rooms, and the "bugs" of spies are blocked by noise generators, which create interference and jam the signal.
- Training. They arrange a provocation: the employees are sent letters with viruses, they are asked to give out confidential information by phone, etc. As a result of the test, it is determined how the personnel reacts to such actions, and protection measures are developed.
- DLP system (Data Leak Prevention). It monitors the transfer and printing of files, sudden bursts of Internet communication, visits to sites that are not typical for work, etc. It also conducts linguistic analysis of correspondence and documents and identifies the risk of leakage using keywords. It is important to entrust the work with a DLP system to a competent specialist. If the company does not have an information security department, an outsourced employee can set up the system and stop incidents.
Information leakage channels
With the help of paper, confidential information becomes available to others most often. Moreover, regardless of whether someone merges it deliberately or the leak occurs by accident. Selling "secrets" on paper is safer than selling them electronically, as it is difficult to prove from whom they were received (unless, of course, there is no record).
Computers (meaning stationary ones) are the second most common channel through which insiders pour confidential information to the side. But, in fact, the computer is no longer even a channel for transmitting secret data, but a channel for receiving them. Through it, an insider has access to corporate information stored on the company's server, can download it to removable media or send it by e-mail.
Accidental leaks can occur when financial information is contained in company programs that operate over the Internet, and the entrance to them has primitive passwords. These are considered to be digital or alphabetic passwords along the keyboard: 123456, 123123, 12345678, qwerty, as well as abc123, dragon, 111111, iloveyou, sunshine, passw0rd, superman, football, etc.
Employees believe that it is safer to send sensitive data from personal rather than corporate mail. This is a misconception: it is easy to determine whose address is from accounts. Also, "electronic" helps to penetrate the secrets of the company with the help of letters infected with viruses. Spies study the interests of an employee (in social networks, etc.), then send him such a letter that he will most likely open, for example, to a collector of teddy bears a message with the subject "Cool bear."
Smartphones and laptops are also not the most common channel for leaking classified information, but they are often used by senior managers. Situation: A confidential meeting is in progress. Those present have smartphones or, more often, laptops with meeting materials. The present insider activates the built-in microphone and sits innocently to himself. And then everything that was said at the closed meeting merges into the outside world.
REMOVABLE MEDIA AND BACKUP
Flash drives, portable hard drives, due to their convenience, are also used to transfer information. At the same time, an insider can easily refer to their usual loss. Sometimes information leaves by mistake. For example, an employee took reports with financial indicators on a flash drive to finalize home, and at home an unsecured Internet connection. As for backups, you can store data in them on the Internet (for example, iCloud).