• United States




Data loss by the drip

Sep 22, 20155 mins
Data and Information SecurityEmail ClientsEncryption

The dangers of seemingly trivial data leakage

I got an email early last week from a friend and customer, asking for help with a phone system issue. I told her I needed to access the system remotely, and she promptly emailed me back the remote login information for her network. It was a plain-text email that could have been easily intercepted and used by someone else to break into her network. 

In the modern world of electronic communication, including email, SMS, Twitter, insecure Web apps, etc., we think nothing of dashing off a quick message to someone with key information. We assume that it is a private communication that only the recipient will see, so we don’t think much about controlling its content. As fellow Computerworld contributor Bill Rosenthal aptly puts it in “You said, tweeted, texted, instant messaged, posted, shared, liked, emailed what?!?,”  “Whatever we send out electronically lives forever, everywhere.” 

By the power vested in my by Computerworld, I will hereafter refer to this phenomenon of small, unnoticed losses of key information and intellectual property as Seeming Trivial Data Leakage, or STDL. The most concerning aspect of STDL is that, while each loss incident is small, the losses are so frequent that they can fill a bucket in no time. 

In “Closing the data floodgates,” I discussed the issue of data leakage, and mentioned a variety of systems that can automate the stripping or masking of key information. These systems work well for known data elements and structured messages. They do not, however, offer good protection against free-form information such as what my friend emailed to me. As such, even an organization that is otherwise doing a good job protecting against major data leakage probably still has a significant issue with SDTL. 

I don’t think the issue of SDTL is related to ignorant or uncaring users. I think the cause is that our forms of communication are so casual that we don’t even consider the consequences. In a recent study by Intel Security, 43% of data loss is due to employees, with half of that being accidental. 

I was working with a PCI auditor a few weeks ago who thought nothing of emailing me key compliance data via unencrypted attachments. I am sure his training taught him otherwise, but he thought nothing about the possible consequences when doing a quick, casual message. 

You won’t have to think long and hard to come up with a list of items that make up SDTL: 

  • User names and passwords
  • Attachments with confidential or proprietary information
  • Internal Web addresses
  • Security certificates
  • Encryption keys 

Looking back at the above list, I have certainly been guilty myself. It was not that long ago I would email passwords to customers without thinking twice about it. 

So how do we combat STDL without an intelligent system to look over our shoulder?  Here are some thoughts:

It starts with user awareness

The issue of including confidential information is casual communication must be part of your user awareness training. As I said, this is a problem most people don’t even think about. You need to make sure they do think about it. 

Make encryption user-friendly

When sending messages containing confidential information, encryption is our friend. Many companies mandate its use, but I have encountered very few that make the process user-friendly. You should find a means of making sending an encrypted message just as easy as sending one with plain text. There are a variety of systems that help with this, with Virtru being a good example. 

User a secure transfer system

When I send confidential information to customers. I have adopted the approach of putting the information in a document, and sending the document via a secure file transfer system. I often use Citrix ShareFile for this purpose, although it can be a bit pricey. It sends the recipient a secure download link, and can be set to force a login just to make sure nobody else grabs the file. Some systems have the advantage of letting you send someone a link allowing them to send you a file securely. 

Monitor messages

I have been required on many occasions to monitor traffic on a corporate email system. Honestly, I don’t enjoy the process. I always feel like I am invading someone’s privacy. That being said, we warn employees that business email is subject to monitoring for a reason, and not just as a check-off to satisfy corporate counsel. The only way to know what is traversing an email system is to read some of it. When you find a message with content that was not properly protected, use the occasion for education, and not discipline. 

Forbid personal email accounts

Unless you are living under a rock somewhere, you are aware of the controversy surrounding Hillary Clinton’s “private” email server. The issue has been valuable in that it has served to remind the rest of us about the dangers of bypassing the corporate communication systems. While you can’t monitor personal employee messages on an outside system, you can make it clear that putting company information on such a system is a major offense, even subject to termination. 

Block unauthorized Web apps

Online applications such as Box and Dropbox can be of great benefit, but if an employee puts company data on such a system in an insecure manner, that information can exposed to the outside world. Since we cannot control user behavior well, it is often possible to block the use of such apps at the firewall. This may result in a few irate users, but your data will be much better protected. 

Bottom line: With all of the focus on major data breaches, don’t overlook the daily drip, drip, drip of STDL.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author