The dangers of seemingly trivial data leakage

I got an email early last week from a friend and customer, asking for help with a phone system issue. I told her I needed to access the system remotely, and she promptly emailed me back the remote login information for her network. It was a plain-text email that could have been easily intercepted and used by someone else to break into her network.

In the modern world of electronic communication, including email, SMS, Twitter, insecure Web apps, etc., we think nothing of dashing off a quick message to someone with key information. We assume that it is a private communication that only the recipient will see, so we don’t think much about controlling its content. As fellow Computerworld contributor Bill Rosenthal aptly puts it in “You said, tweeted, texted, instant messaged, posted, shared, liked, emailed what?!?,” “Whatever we send out electronically lives forever, everywhere.”

By the power vested in me by Computerworld, I will hereafter refer to this phenomenon of small, unnoticed losses of key information and intellectual property as Seemingly Trivial Data Leakage, or STDL. The most concerning aspect of STDL is that, while each loss incident is small, the losses are so frequent that they can fill a bucket in no time.

In “Closing the data floodgates,” I discussed the issue of data leakage, and mentioned a variety of systems that can automate the stripping or masking of key information. These systems work well for known data elements and structured messages. They do not, however, offer good protection against free-form information such as what my friend emailed to me. As such, even an organization that is otherwise doing a good job protecting against major data leakage probably still has a significant issue with STDL.

I don’t think the issue of STDL is related to ignorant or uncaring users. I think the cause is that our forms of communication are so casual that we don’t even consider the consequences.
In a recent study by Intel Security, 43% of data loss is due to employees, with half of that being accidental. I was working with a PCI auditor a few weeks ago who thought nothing of emailing me key compliance data via unencrypted attachments. I am sure his training taught him otherwise, but he thought nothing about the possible consequences when sending a quick, casual message.

You won’t have to think long and hard to come up with a list of items that make up STDL:

User names and passwords
Attachments with confidential or proprietary information
Internal Web addresses
Security certificates
Encryption keys

Looking back at the above list, I have certainly been guilty myself. It was not that long ago I would email passwords to customers without thinking twice about it.

So how do we combat STDL without an intelligent system to look over our shoulder? Here are some thoughts:

It starts with user awareness
The issue of including confidential information in casual communication must be part of your user awareness training. As I said, this is a problem most people don’t even think about. You need to make sure they do think about it.

Make encryption user-friendly
When sending messages containing confidential information, encryption is our friend. Many companies mandate its use, but I have encountered very few that make the process user-friendly. You should find a means of making sending an encrypted message just as easy as sending one in plain text. There are a variety of systems that help with this, with Virtru being a good example.

Use a secure transfer system
When I send confidential information to customers, I have adopted the approach of putting the information in a document, and sending the document via a secure file transfer system. I often use Citrix ShareFile for this purpose, although it can be a bit pricey. It sends the recipient a secure download link, and can be set to force a login just to make sure nobody else grabs the file.
Some systems have the advantage of letting you send someone a link allowing them to send you a file securely.

Monitor messages
I have been required on many occasions to monitor traffic on a corporate email system. Honestly, I don’t enjoy the process. I always feel like I am invading someone’s privacy. That being said, we warn employees that business email is subject to monitoring for a reason, and not just as a check-off to satisfy corporate counsel. The only way to know what is traversing an email system is to read some of it. When you find a message with content that was not properly protected, use the occasion for education, and not discipline.

Forbid personal email accounts
Unless you are living under a rock somewhere, you are aware of the controversy surrounding Hillary Clinton’s “private” email server. The issue has been valuable in that it has served to remind the rest of us about the dangers of bypassing the corporate communication systems. While you can’t monitor personal employee messages on an outside system, you can make it clear that putting company information on such a system is a major offense, even subject to termination.

Block unauthorized Web apps
Online applications such as Box and Dropbox can be of great benefit, but if an employee puts company data on such a system in an insecure manner, that information can be exposed to the outside world. Since we cannot control user behavior well, blocking the use of such apps at the firewall is often the practical alternative. This may result in a few irate users, but your data will be much better protected.

Bottom line: With all of the focus on major data breaches, don’t overlook the daily drip, drip, drip of STDL.
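As an added example (my own code, not the article's or any vendor's), the following Python triage scanner ties the list of STDL items above (credentials, internal Web addresses, certificates, encryption keys) to the advice to read a sample of what traverses the mail system: it parses one outbound message and queues rule hits for a human reviewer. The sample message, the hostname suffixes treated as internal, and the patterns are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample of the kind of outbound message the article describes;
# the key material is a placeholder, not a real key.
SAMPLE_RAW = """From: admin@example.com
To: consultant@example.net
Subject: remote access
Content-Type: text/plain

Hi, here is the login: user=pbxadmin password=Spring2015!
The portal is https://pbx.corp.internal/admin (10.20.30.40).
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
"""

# One rule per STDL category from the article. Free-form text means these
# produce a review queue for a human, not verdicts: expect false positives.
RULES = {
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "internal_url": re.compile(r"https?://[\w.-]+\.(?:internal|local|corp|lan)\b", re.I),
    "rfc1918_ip": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
}


def text_parts(msg):
    """Yield (location, text) for the body and every text/* attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_filename() or "body", part.get_content()


def scan_message(raw):
    """Return (category, location, matched_text) for every rule hit."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(category, where, m.group(0))
            for where, text in text_parts(msg)
            for category, pattern in RULES.items()
            for m in pattern.finditer(text)]


def redact(findings):
    """Truncate matches so the review queue itself does not leak the secret."""
    return [(c, w, s[:12] + "...") for c, w, s in findings]
```

Run `redact(scan_message(raw))` over a sampled message and hand the reviewer the truncated hits; the full match never leaves the scanner.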