Recent cybersecurity articles in Strategic Finance have discussed how to protect data from outside attack using firewalls, malware detection, and other information technology (IT) controls. Now consider the threat of “data leakage,” the unauthorized removal of sensitive corporate information, usually by deliberate employee actions or security lapses that allow unauthorized access to data. The 2015 State of File Collaboration Security study conducted by Enterprise Management Associates (EMA) on behalf of file security company FinalCode, as published on http://bit.ly/1ZhCr3j, indicates data leakage is a greater problem than hacking. While not as attention-grabbing as data breaches, data leaks can be just as devastating to the organization.
Protection of your organization’s data should balance requirements for availability, integrity, and confidentiality of the data with the risk associated with different types of data (see “Security Is All about Risk”).
Like fraud, data leakage can occur from a combination of opportunity, motivation, and rationalization (commonly known as the fraud triangle). Internal controls to prevent data leakage focus on reducing the opportunity. This article will address several types of data leakage controls along with considerations and questions for management accountants in evaluating them.
Access Control. The basic level of data leakage control is limiting access to buildings, offices, networks, and workstations. Access control means always knowing who is in your business—including the parking lots and other areas around your buildings (wireless signals can go outside your physical perimeter and be amplified). Everyone needs some form of authorization to be on the business property. Typically, the biggest vulnerability for unauthorized access is visitors entering the building right behind employees without being challenged (“piggybacking”). Visitors need to be identified, logged in, and escorted. For a small or medium-size enterprise, a person working at the front desk is a simple way to control access.
Access to sensitive areas such as accounting and IT should be limited based on need-to-know rules to protect physical (cash, check stock, servers, and laptops) and data assets (payroll records, health insurance, payable information, bank information).
Network Architecture. Inside the security perimeter, the design of your network can further limit opportunities for unauthorized access to sensitive data. Network architecture can include both the physical layout of servers and computer workstations and their connections. For example, some organizations doing electronic banking isolate authorized workstations from the general network to minimize threats. Similarly, access to the network can be controlled by smart cards or tokens to unlock workstations and log in authorized users.
What are the access points for your network, and how are they controlled? Can a “guest” log into your proprietary network? Is appropriate security installed on wireless routers? Can employees bring in outside devices and add them to the network?
Are there controls to prevent unauthorized hardware and software installation? These controls can include “whitelists” of approved applications, periodic system scans to identify unauthorized software or workstations, imaging for control of configuration, and maintaining up-to-date software. A simple periodic inspection of the computer hardware will help find items such as a key logger or other prohibited equipment.
There should be controls on data downloads and storage to guard against leakage. Data on laptops and other portable devices should be encrypted. Consider putting limitations on removable media (e.g., thumb drives), including types of data that can be stored and encryption requirements. Best practices favor use of remotely accessible cloud-based storage over maintaining copies on individual machines or media.
What restrictions are placed on Internet access (if any)? In addition to the risk of downloading malware or unauthorized applications, open Internet access can affect productivity through easy access to nonwork-related sites including news, sports, or games. It also increases the risk of inappropriate use of company computer assets for sites such as outside businesses, gambling, or adult sites.
E-mail and Social Media. These two present a special challenge in data leakage control. Many organizations block access to social media sites and Internet mail (such as Gmail) to control unauthorized disclosure of sensitive information and to prevent malware. Within an internal e-mail system, data should be protected based on limited expectations of e-mail privacy. Sensitive information should be properly labeled and encrypted. Sensitive employee or customer information, such as someone’s Social Security number (SSN) or taxpayer identification number (TIN), should never be distributed via e-mail.
A Culture of Security. Data security starts with the tone at the top, so ensure there are written policies regarding the protection of organizational data. Areas to cover include appropriate use of computing assets, including networks and workstations; organizational data protection; appropriate use of e-mails, including handling of sensitive data; and Internet access rules.
Training. Hold formal training for all employees on the importance of data security, the risks to the organization, and employees’ responsibilities for security. There are many Internet sites that provide low-cost training. A Google search of “Security Awareness Training” will provide a list of websites, including www.securingthehuman.org, sponsored by the SANS Institute.
Monitoring. Compliance with data security policies should be validated by periodic tests and audits. One organization performed checks for unattended and unlocked computers. Auditors checked workspaces at various times and tagged noncompliant computers, noting what information was visible on the screens. The statistics of how many people left computers on, and a list of what was on the computer when it was audited, were posted internally, promoting discussions about the risks and improvement opportunities.
Another aspect of monitoring is watching for indicators of motivation for data leakage. Managers and HR should eliminate access for employees who have been terminated or have resigned. Current employees who persistently ignore or violate data leakage controls should be counseled or disciplined.
Preventing data leakage is a continuous process that is vital to your organization’s well-being and safety. Essential controls can be relatively easy to understand and implement, including policies, monitoring, and training for data security compliance. Management accountants can help articulate the risks and help prioritize appropriate organizational responses.
Disclaimer: The opinions expressed here are the authors’ and don’t reflect the opinions of their respective past or present employers.
SECURITY IS ALL ABOUT RISK
Not all data represents equal risks of unauthorized disclosure or loss of data integrity. Some considerations can include data’s impact on:
- The financial integrity of the company and the company’s ability to carry on business,
- The reputation of the company in its industry and marketplace, and
- Protection of critical information of its employees and customers.
Consider this hypothetical hierarchy of data in an organization:
Level 1 (lowest risk). Public information, such as marketing, public relations, and general industry information. Having that information freely available is generally a good thing to support additional business. Protection is still required to ensure that the data is available, accurate, and hasn’t been tampered with.
Level 2. Regulatory disclosure information, such as Securities & Exchange Commission (SEC) reports, environmental filings, and industry-specific requirements. Laws and regulations put a premium on accuracy, completeness, and timeliness of data. The data is available in accordance with applicable regulations.
Level 3. Internal business and operations information. Supplier and vendor information, sales information, trademarks, patents, and internal processes. Unauthorized disclosure can have serious business consequences. Unavailability of data can disrupt operations.
Level 4. Customer sensitive information, such as debit or credit card information, financial institution information, contractually protected proprietary information. Compromise of this information damages reputation, and remediation can be very expensive.
Level 5 (highest risk). Employee information, such as Personally Identifiable Information and Health Insurance Protection and Portability Act (HIPAA) health information. In addition to the stringent legal requirements that have been set up to protect this information, protection of this information is essential for the safety, security, and well-being of your employees.
As the levels increase, more safeguards are required to protect the information and limit the damage from loss or corruption.
January 2016