Three places that leak sensitive business data.

Posted on Thursday, September 21, 2017 and filed under Articles

Imagine seeing someone from your organization leaving the office holding a stack of sensitive business documents for no known purpose. Chances are, you’d want to ask some questions about where the information was going and what this person planned to do with it. You might even stop them from leaving with the documents in hand.

A scenario much like this happens daily in today’s work environment. But you can’t always see information leaking from your workplace thanks to popular technologies. As well, leaks happen much more quickly, often without your knowledge.

A leading risk for organizational leaders is that with many workplace technologies used today, there is limited visibility and control over where company information actually ends up and where it can go with no way to get it back. Meanwhile, the technologies that rapidly distribute company information are used widely and commonly.

The problem with this is that after you lose control over company information, you’re still responsible for what happens with it. One worst-case-scenario example is that someone shares something sensitive with people who shouldn’t see it — like online publically or with a competitor. Health information, identifying info, payment info, trade secrets, confidential employee information, financial information, HR discussions and other sensitive material can be damaging and grounds for legal action depending on the nature of a leak and your industry. You may also be held responsible for unknowingly storing sensitive data somewhere your industry regulations don’t allow you to store it.

So where is your information leaking from? And what can you do about it?

Here’s a look at three common places where leaks happen — and some solutions for your business.

Messaging Services

People frequently use the consumer-grade messaging services they’re comfortable with to communicate about business. For example, Skype’s file-sharing tool is convenient when meeting with people who work remotely.

But did you know that by default, Skype automatically copies and saves messages and shared files onto the device it operates on? What this means is, when someone uses the same account at work and at home, those files and conversations can be automatically copied to an employee’s personal device, and any other device an account is accessed from outside the protection of the workplace network.

What can you do?

• Implement policies within your workplace about which technologies are OK for your employees to share information with and which are not.
• Limit sensitive work conversations and document sharing to business-grade software with the appropriate permissions and sharing controls in place.
• For Skype, turn off auto-saving. (Skype Desktop App > Tools > Options > Privacy Settings > Keep history for). Under >keep history for, select ‘no history’. These privacy settings will only apply to your account and not the accounts of the people you are having conversations with.

Consumer Grade Cloud Storage & Synchronization Services

Cloud storage and synchronization services like Apple’s iCloud, Microsoft’s OneDrive, DropBox and Google Drive make it easy for people to access their files from any device and share with others. Cloud storage solutions can be particularly appealing to small and medium sized businesses since many come in a freemium model that offers limited storage space to users at zero cost.

But the problems with synchronization and cloud storage services in the workplace is that these third-party services first transport information to servers you don’t own and then have the ability to distribute and download this information onto any device an employee account logs in from.

As well, sharing features and permissions enable anyone who is invited to view, download, or modify files. And because these permissions are managed by individual end users rather than being company administrated, they are difficult to control and can be more vulnerable to user error. Not everyone in an organization will be tech savvy and sometimes it can be easy for information to be accidentally shared with broad groups of people with no way to retrieve it.

A recent security report from Symantec noted that 25% of company information is broadly shared using cloud software.

What can you do?

• You can disable third-party synchronization services and implement your own. By setting up your own private cloud, employees can still work from anywhere but the work will be stored in a location that you own and control while only providing approved devices with remote access to your information.
• If you chose to use a third-party cloud-based solution for your business, upgrade to an enterprise-level solution that allows you to be in control over who sees what information.
• If you must use third-party cloud-based storage services, consider disabling the local synchronization feature and only work off of the document from the cloud. This will ensure that no files are left on your laptop in case it gets lost or stolen.

USB Sticks

USB sticks are pocked-sized digital storage devices that many people use in the workplace to transfer files between devices or store backup copies of company files. But their tiny size can make them easy to lose track of. Even though encrypted USB devices and devices that require end-user authentication to access are available, many companies choose USBs with no added security, meaning anyone who picks one up can plug it into a computer and access or copy what’s on it.

What can you do?

• Disable USB ports on your workplace computers.
• Instead, use a controlled central file storage location location, like your own server or private cloud, that gives authorized users the ability to view and access their files from any approved device.

Author Jim Stackhouse is the founder and president of NeoLore Networks Inc., an Ottawa-based technology services company that designs, implements, manages and maintains computer networks for small and medium sized businesses.