Business processes are migrating into a virtual environment, and companies have long since adopted electronic document flow while introducing new management technologies. As a result, they need to protect data in the virtual environment, which is recognized at the legislative level. But while managers know how to ensure the confidentiality of printed documents, they hardly understand how to secure computer systems or how to keep electronic data confidential and protected. What is more, round-table discussions reveal that companies still have misconceptions in this regard. Here are a few myths.
Myth №1 To protect information on a computer network, it is enough to give a task to the system administrator or the IT department head.
There is a simple everyday rationale behind this myth: when it comes to computers, data protection is assumed to fall under the responsibility of IT employees. That’s what happens in most companies: one department handles both administration and security tasks. This arrangement is wrong, because those who provide the service should not deal with management tasks.
Myth №2 Confidentiality kills information technology.
This myth results from the first one. When system administrators get acquainted with the rules for building an information security management system, they may ask: "How can we work when everything is under control and nothing is allowed?"
Myth №3 To guarantee the confidentiality of information, it is enough to purchase protection systems and install them according to the consultants’ recommendations.
Organizational measures are usually ignored, and experts don’t apply protection systems in full, or stop using them over time. The reason is simple: a lack of skills in working with hardware and software complexes. It would be otherwise if system management were the responsibility of a trained employee. In fact, securing virtual data is in many respects similar to protecting information on paper. You can even draw an analogy between them. The only difference is that computer systems require a special software package: a DLP system.
General Principles of Document Protection (Both Hard and Electronic Copies)
1. Strict separation of resources into confidential and non-confidential
First, you need to decide what to protect. Draw up a list of the information that constitutes confidential data. Once the list is complete, you can decide which documents, folders or files contain such information and, thus, should be protected. You should also ask yourself whether confidential information will be stored only in network folders or also on computers, USB drives, etc.
2. Preventing free access to confidential information
For paper media, you need a safe where the responsible employee will store the documents. The following methods will help to protect the same information on the computer network:
- Cryptographic protection. Encryption of document files during the transfer of confidential information.
- Operating systems. Differentiation of access to information through the restrictions imposed on user accounts.
- DLP systems. Full or partial restriction, as well as the control of access to storage devices, network folders, processes, etc.
DLP systems allow more flexible tuning than operating systems. They offer extended functions: for example, you can impose limits both on the use of a whole channel and on a certain type of data (only office documents, only drawings, etc.). In addition, you can control access.
Let’s imagine a situation: the IT service has a task to restrict access to a specific network folder. The employees report the successful implementation: the folder is accessible only by trusted users. But is it really so? Can we double-check it?
With SearchInform DLP, you can. The system has an AlertCenter module responsible for automated checks against the specified policies. The system will notify you if an unauthorized person performs any action (reading, writing, copying, deleting, etc.) on any file contained in a specific folder.
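The same double-check can be reasoned about independently of any product. The sketch below is an added example, not SearchInform code or its API: it replays file-access events against a trusted-user list for one protected folder. The log format, folder path and account names are constructed assumptions.

```python
import ntpath

# Assumed policy: the folder IT reported as restricted, and who may touch it.
PROTECTED = r"\\fs01\shared\finance"
TRUSTED = {r"corp\alice", r"corp\bob"}  # compared case-insensitively

# Constructed sample events (hypothetical format): timestamp|account|action|path
SAMPLE_LOG = r"""
2024-03-04T09:12:01|CORP\alice|READ|\\fs01\shared\finance\q3.xlsx
2024-03-04T09:15:40|CORP\mallory|READ|\\FS01\Shared\Finance\q3.xlsx
2024-03-04T09:16:02|CORP\mallory|WRITE|\\fs01\shared\finance-public\menu.docx
2024-03-04T09:20:13|CORP\eve|COPY|\\fs01\shared\public\..\finance\payroll.csv
2024-03-04T09:21:55|CORP\Bob|DELETE|\\fs01\shared\finance\old\draft.docx
garbage line without separators
"""

def canon(path):
    """Collapse '..' segments and fold case, as Windows paths compare."""
    return ntpath.normcase(ntpath.normpath(path))

def inside(path, folder):
    """True if path is the folder itself or anything beneath it.
    A bare startswith() would also match the sibling 'finance-public'."""
    p, f = canon(path), canon(folder)
    return p == f or p.startswith(f + "\\")

def violations(log, folder=PROTECTED, trusted=TRUSTED):
    """Return (events by untrusted accounts in the folder, unparsable lines)."""
    found, unparsed = [], []
    for line in log.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            unparsed.append(line)  # surface gaps instead of silently dropping them
            continue
        ts, account, action, path = (p.strip() for p in parts)
        if inside(path, folder) and account.lower() not in trusted:
            found.append((ts, account, action, canon(path)))
    return found, unparsed

if __name__ == "__main__":
    hits, skipped = violations(SAMPLE_LOG)
    for hit in hits:
        print("ALERT", *hit)
    print("unparsed lines:", len(skipped))
```

Path canonicalization matters here: events that differ only in letter case or that reach the folder through a `..` segment are still attributed to it, while the similarly named sibling folder is not.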
3. Control over the movement of confidential media (documents, files)
You can do this with the help of DeviceController, which allows you to restrict the use of all media (for example, flash cards) except for trusted ones. You set a limit for all storage devices, while trusted devices are whitelisted by a unique attribute.
Thus, you solve the task with maximum convenience for employees: corporate flash drives work, and other media do not. Employees will also be able to connect their mobile phones to the computer for charging, but they won’t be able to open the device for copying, which excludes the possibility of phone viruses penetrating the computer network. Moreover, encrypting the information on media reduces the risks in case of loss, theft or attempted transfer to a third party. If a computer is not in the trusted list, the information will be impossible to read.
4. Control of information transfer channels
For a paper document, it is enough to seal the envelope sent with a courier. Things are more complicated on the computer network, where you need to protect all the resources that store the information and all the channels it traverses (wireless connections, email, network file resources, FTP, cloud services, etc.). Only a DLP system can accomplish this task. The system should:
- Control the maximum number of channels used in the company. Where possible, it is better to block uncontrolled channels.
- Be tuned by competent, trained experts. Otherwise, there is no point in controlling the transfer of confidential information by email if half of the emails are "lost".
- Ensure an effective automated search in order to relieve security experts from the monotonous processing of logs and operating system events when investigating detected incidents.
- Be simple and intuitive so that an employee operating the DLP system won’t have to turn to the administrator or developer for help.
- Promptly detect negative incidents at the planning stage and prevent leakage in a timely manner.
5. Training of the staff who have access to confidential information
Here you can hardly come up with something new: it is enough to develop instructions for handling the equipment or systems that process confidential information, as well as the means of its protection. The company should check and encourage employees' observance of these instructions, and punish offenders. In addition, the company should inform the staff about the implementation of these systems and conduct demonstration exercises. The likelihood of data leakage is lower when employees know that the tool allows tracking any document that moves through the corporate network.
For the record, "prevention" initially meant preventing leaks at the virtual perimeter by stopping them. Today the word means "preventing intentions". In other words, the best incident is the one that didn’t happen.