
    How to Prevent Data Security Leaks Caused by Human Error

    By Angel Mehta, August 18, 2010

      While malicious users are always on the minds of enterprise IT teams, employees who are sometimes just careless concern IT teams as well. A recent spate of data leaks attributed to simple human error shows the critical role that data access plays in the protection of confidential corporate information.

      Earlier this year, for example, Google blamed human error as the cause of a major data leak it experienced within its Local Business Center (since renamed Google Places). A Google customer that invested in a listing with the search giant found that information on their listing, the search terms people used before clicking it and other related data were sent to third parties. There was nothing malicious about the act; Google describes the incident as an employee simply copying and pasting the information from one template to an incorrect one.

      But this does not nullify the damage done. If the information was sent to a competitor, for instance, Google’s customer would have been put at a serious strategic disadvantage and would have likely cut its ties with the search giant. Mea culpas don’t always work in the corporate world, as data leaks can fatally wound partnerships. Confidential files can be whisked around the globe in only a few clicks so it is imperative that enterprises safeguard their sensitive information from both malicious users and their own employees’ carelessness.

      Sterling-Hoffman’s data security strategy

      The central tenet of Sterling-Hoffman’s data security strategy is that any measure that allows employees to visually recreate documents is useless. Whether it’s copying information on the screen to another file or even snapping a photo using a camera phone, the battle is lost once malicious insiders have data on the screen. Despite this fact, enterprises cannot impose overly aggressive data protection policies because they then run the risk of inhibiting productivity, thus dulling their competitive edge. This is why we have implemented a comprehensive data security strategy that protects information at its source, as well as on primary communications channels, to prevent leaks.

      Enterprise Rights Management (ERM)

      The first component of our data security strategy is enforced using an enterprise rights management (ERM) solution. ERM allows Sterling-Hoffman to implement automated processes whereby access and usage controls are applied the moment a document is created. While encrypting every document may seem a bit onerous, our clients’ privacy is a huge concern in our business. There could be major professional ramifications if our customers’ superiors knew they were actively seeking employment elsewhere, not to mention stock market implications. For us, it’s better to be on the safe side and ensure the security of sensitive documents.

      Similar to many enterprises today, Sterling-Hoffman is fully engaged with the flat business world. Much of our work is both derived and delivered around the globe, so our automated encryption tactics serve us especially well internationally. ERM applies enforceable access and usage controls to data that is sent from our corporate IT infrastructure to any third party. Offshore offices and business partners are sources of major data leak vulnerabilities because many countries do not have the business and data security laws we enjoy in the United States.

      As it is impossible to monitor how our overseas partners work with the information we provide to them, ERM’s ability to limit how users are able to interact with data (for example, preventing sensitive documents from being printed or information from being copied and pasted from one format to another) gives us an additional layer of security outside of pure access control.

      The Case for ERM

      Before we implemented ERM, a candidate we were considering for an open position walked into my office for an interview and opened up a binder that clearly contained one of our internal training documents, a highly confidential one at that. The candidate said that he had received the file from an overseas business contact of ours.

      This floored me because Sterling-Hoffman has always placed a premium on its data security practices and this was a major hole within our armor. I realized then that we couldn’t share any information overseas or with our partners in good faith until we could protect data at the information level. We began working with ERM shortly thereafter.

      ERM also helps address our third-party challenges by placing expiring access dates on sensitive information. This gives confidential information shared with partners, outsourcers and employees a shelf life: outside of a set time frame, it cannot be viewed by them unless our IT staff gives permission. Former partners and employees simply cannot access or share data after their engagement with Sterling-Hoffman is over, which is a nice insurance policy.

      Regulating Use of Electronic Communications

      The second part of our data protection strategy is the regulation of our electronic communications channels including e-mail and instant messaging (IM). For the latter technology, we use Symantec’s IM Manager to protect against IM-related data leaks. The solution requires our employees to apply for IM privileges, as well as go through an application process when they want to add a contact to their profile. This helps us provide the real-time communications tool only to people that need it within their job function or to others who have gone through a similar qualifying process.

      Open-source IM applications can serve as major data vulnerabilities because newer versions enable users to transfer files to others without having to pass through the corporate VPN or firewall. IM Manager gives us these assurances and enables us to address this emerging enterprise challenge.

      E-mail tends to be a trickier platform to manage because the company is so reliant upon it. Any overbearing policy instilled for e-mail can have serious productivity consequences so we try to keep our e-mail server rules rooted in common sense. Here are two basic ones I can share:

      Rule No. 1: We identify certain workgroups with certain file formats (for example, accounting with Excel) and prevent users from sending files in formats other than those with which they work. We’ve also fine-tuned this rule to include certain types of information included within e-mail messages. For instance, a marketing person’s e-mail would be disabled if they tried to send an e-mail message containing Social Security numbers or other Personally Identifiable Information (PII).

      Rule No. 2: We also disallow e-mail strings that have multiple reply prefixes (RE:). This type of message is often associated with malicious activities so we prefer not to expose our infrastructure to them.
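
      The two rules above can be expressed as an outbound mail check. The following is an added example, not Sterling-Hoffman's or any product's actual configuration; the workgroup table, the reply-prefix threshold and all function names are assumptions, and the sample message is constructed.

```python
import re
from email.message import EmailMessage

# Assumed policy table (hypothetical): workgroup -> permitted attachment extensions.
ALLOWED_EXT = {"accounting": {".xls", ".xlsx"}, "marketing": {".doc", ".pdf"}}
# US SSN written 3-2-4; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Leading run of reply prefixes, e.g. "RE: Re: RE: subject".
REPLY_RUN_RE = re.compile(r"^\s*((?:re\s*:\s*)+)", re.IGNORECASE)
MAX_REPLY_PREFIXES = 1  # assumed threshold; the article only says "multiple"


def reply_prefix_count(subject):
    """Count the RE: prefixes stacked at the start of a subject line."""
    run = REPLY_RUN_RE.match(subject or "")
    return len(re.findall(r"re\s*:", run.group(1), re.IGNORECASE)) if run else 0


def check_outbound(msg, workgroup):
    """Return policy violations for one outbound message; empty list = allow."""
    violations = []
    allowed = ALLOWED_EXT.get(workgroup, set())
    for part in msg.walk():
        name = part.get_filename()
        if name:  # Rule 1: attachment format must match the sender's workgroup
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in allowed:
                violations.append(f"attachment format {ext or '(none)'} not allowed")
        elif part.get_content_type() == "text/plain":  # Rule 1: PII in the body
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if SSN_RE.search(text):
                violations.append("body contains an SSN-like value")
    if reply_prefix_count(msg.get("Subject", "")) > MAX_REPLY_PREFIXES:  # Rule 2
        violations.append("subject has multiple reply prefixes")
    return violations


def sample_message(subject, body, filename):
    """Build a constructed test message with one text part and one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    bad = sample_message("RE: RE: RE: list", "SSN 123-45-6789 attached", "list.xls")
    print(check_outbound(bad, "marketing"))
```

      A pattern match on SSN-shaped strings only covers one kind of PII, and the extension check trusts the file name rather than the file contents.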

      During the aftermath of economic uncertainty and massive layoffs, poor data security brings the risk of permanent damage to company viability and industrial competitiveness. The difference between market leaders and also-rans is razor thin, so it is more critical than ever to be able to control who has access to sensitive information. A thoughtfully layered security approach that protects information at the information level has proven effective for Sterling-Hoffman and has benefits for enterprises across all industries.

      Angel Mehta is Chief Executive Officer of Sterling-Hoffman Executive Search. Prior to Sterling-Hoffman, Angel worked in business development with CRM-software leader Siebel Canada where he established strategic alliances and managed partner relationships. Angel is also a leadership speaker who gives keynotes and motivational seminars at various business schools and conferences across North America. Angel is founder of the Enlightenment Project, an essay competition designed to foster self-awareness and leadership skills for children in Third World countries. Angel has a Bachelor’s degree from York University in Toronto. He can be reached at [email protected].
