5 places your data goes to hide
From autosaved spreadsheets to test systems using real data -- CISOs warn of five oft-overlooked sources of data leaks
By David Geer
January 14, 2013
"Information wants to be free" is a gross understatement.
Enterprises blanket their systems with security in the attempt to saturate every data repository with protection. Organizations affirm the logic of layering everything from access management to security zones to safeguard information assets. Yet, somehow, data still leaks. Real world exposure occurs virtually on a day-to-day basis.
Advanced malware attacks get a lot of ink, but careless employees, incomplete policies, and the invasion of consumer technologies create plenty of risks as well.
Here are five places where data sometimes avoids the protective eye of security systems and policies.
Let's start with the most obvious hiding place: Spreadsheets.
Spreadsheets contain fun, variegated, and often sensitive data sets: financials, credit card numbers, HR data. This, you knew.
When enterprises neglect security measures such as passwords and share these files via email, file shares and collaboration suites, that data could end up anywhere. Employees endanger spreadsheet data when they connect away from the office to the less secure home and hot spot networks. Lost or stolen laptops, USB keys, DVDs and smartphones expose the files when security plans neglect disk or file level encryption, or both, says Craig Shumard, CISO emeritus, CIGNA.
Meanwhile, back at the office spreadsheets are still falling victim to low-tech exposures such as when employees print them out and leave them lying around.
In one example, shared by a former travel booking industry executive, a good employee with the best of intentions together with poor security put critical data in a bad position. "We found out one of our payroll people had dumped a bunch of data into a spreadsheet and saved it on a laptop, which was stolen. The disk was not encrypted," says Ed Bellis, former CISO of Orbitz. In this particular instance, nothing came of it, says Bellis, but something certainly could have.
So spreadsheets like to wander. This you also knew.
"Spreadsheet" for most enterprises used to refer to Microsoft Excel (unless your career goes back to the Lotus 1-2-3 era). Today, of course, there is a handy cloud-based spreadsheet tool in Google Docs. (More about file synching services in a moment.) So hunting for errant spreadsheet data means looking in more and more places.
Hopefully you knew that too.
But have you also considered that even unattended settings may leave gaping security holes as well?
"If you don't take into account how your AUTOSAVE settings are configured in Excel, the application can create a shadow copy on your local machine, open to anyone who can get to it," notes Adam Gordon, CISO of New Horizons Computer Learning Centers.
SharePoint is Microsoft's file sharing/collaboration/content-and-project-management tool. "SharePoint is capable of handling more than 200 file types out of the box without any customization," says Gordon.
Imagine the data it can unleash.
Enterprises use this popular application to enable data sharing outside the organization. And if access controls and other security essentials are lacking, these installations can leave data unguarded. When the enterprise doesn't establish consistent policies about permissible SharePoint data, when transferred or terminated employees retain access to the application, or when the enterprise permits remote access, critical information can end up 'in the wind'.