Recent news that a former BlueScope Steel software development manager has been accused of downloading a trove of company documents over a four-year period before being made redundant, should have board level executives at all organisations concerned.
BlueScope Steel is the latest in a long line of companies to experience a serious data breach as a result of corporate espionage.
In another example in the US, ride sharing service Lyft is suing a former employee for allegedly stealing secret documents before joining rival Uber.
Lyft’s former chief operating officer, Travis VanderZanden allegedly downloaded private financial and product information before leaving the company to become Uber’s vice president of international growth.
But the poster child for employee data theft is of course Edward Snowden, a former US National Security Agency (NSA) employee who gave journalists access to thousands of the NSA’s classified files.
These examples highlight how common data breaches are in today’s corporate world, emphasising the consequences for organisations that don’t take cyber security seriously.
Businesses that experience a serious breach without the right technology and culture in place, risk losing valuable Intellectual Property (IP) and management attention being distracted from core business activities, potentially leading to a reduction in profit.
Indeed, businesses that are the victim of a breach face higher costs as management invests in forensic services to attempt to uncover the data that was accessed without authorisation. There are also reputational issues when a data security breach receives mainstream media coverage.
These are just some of the reasons why it’s essential for businesses to prioritise data security as a critical issue. So now I have your attention: what do you need to do to help stop a breach?
One of the key steps businesses must take is to invest in technology that reduces the risk of a data breach. The best solutions will be able to lockdown data by removing points of access to information, for example by ensuring staff can’t use thumb drives to save information from desktop and laptop computers, as well as smart devices or email valuable documents to home accounts or to third parties.
Businesses must use solutions that allow them to control high value IP and prevent it from leaving the business. The system must stop staff from being able to access other users’ passwords, as well as draw on encrypted data to validate user credentials.
Ideally, the system should be configured so that security is embedded in documents through technology such as Information Rights Management (IRM) which protects data inside and outside the enterprise perimeter.
It’s also important to introduce protocols such as Single Sign-On (SSO), Identity and Access Management (IAM), and Multi-Factor Authentication (MFA) technologies. The idea is to ensure employee identity is the organisational perimeter for information, rather than the business’s firewall, especially given how prevalent remote working has become.
Aside from investing in cutting-edge technology, there are a number of other steps businesses can take to reduce the risk of their data being compromised.
The first step is to categorise data, determining what’s critical, as well as the information that is not as sensitive and commercially critical – one size does not fit all. Then, it’s important to develop an access strategy so there are clear guidelines about the right access levels for different roles in the business.
Finally it’s essential to have the correct policies and procedures around information storage and access. This involves ensuring employment contracts include clear guidance about how seriously the business takes data security and the consequences and penalties of breaching data security rules.
Clearly documented guidelines around information storage and retrieval are only part of the correct data security infrastructure businesses need. Ongoing education and training about issues, such as not sharing passwords or logging on as another employee, ensures data security remains top of mind for staff and reduces the risk of a data breach. An annual attestation is not enough, continued reinforcement is essential.
Good data security requires ongoing vigilance by organisations, involving a combination of current technology, robust policies and procedures, and a commitment by management to this issue.
It is likely that legislation will be enacted in 2016 requiring certain organisations to notify the Privacy Commissioner should confidential customer data be accessed, as well as large fines for businesses found to have experienced a data breach. So now is the time to act to ensure the business has the right tools to protect its data, as well as a culture that inhibits data leakage.
Daren Glenister is field CTO of Intralinks.