Freely subscribe to our NEWSLETTER

According to Verizon’s 2010 Data Breach Investigations Report, almost 49 percent of all data breaches in 2009 were performed by internal agents. This means that companies need to have a better understanding of the flow of data within their organization and must have proper checks and balances put in place aimed at mitigating a WikiLeaks-type breach. Here are four ways that organizations can better protect their critical data from internal agents.

1. Identify your attack surface: You must be able to identify critical data entry and exit points. Be sure to understand the data lifecycle, and from there create a control framework across the data lifecycle. The WikiLeaks threat was inevitable because the risk is there. However, the situation could have been controllable had the appropriate systems and actions been put in place.

2. Limit access: Bradley Manning was an army private who was working in Iraq as an army intelligence analyst. It’s understandable that he was allowed access to the U.S. Department of Defense server, but at an entry level, his access should have been severely restricted. Whatever happened to “need to know?” Simply put, there is no reason that he should have had access to that sheer volume of data. Be sure to have clear access and clearance levels that are being constantly monitored and updated.

3. Disallow data transfer devices: How was a rewriteable CD even allowed into a high-classified area? This is a rudimentary problem that should have been caught much earlier and can be easily corrected with the right rules and regulations such as no data transfer materials, like clip drives, burnable CDs, portable hardrives, etc., allowed whatsoever. Even if such devices are allowed to enter a compound, in a secure system there should be controls on the use of CDs, USB media and even print outs. There is no excuse for poor enforcement of rules and regulations and poor system configuration.

4. Plan for the new frontiers of mobility and cloud: Cloud computing and mobile devices introduce new possibilities for data breaches. How do you implement the right controls? For cloud, should you use a public cloud or a private cloud? How do you limit the attack surface of mobile devices? How do you audit the cloud and the use of mobile devices? The WikiLeaks breach has certainly forced organizations to reevaluate how they handle sensitive information. Organizations now need to take the extra step by looking towards the future and determining how they will address the proliferation of these emerging technologies.

Data leak prevention has been an ever-present challenge for organizations, and given the rise of mobile computing, cloud and virtualization, data security will become even more complex over the next decade. Organizations need to begin to strategy and build their data security policies based on these emerging technologies in order to stay ahead of internal and external threats. As a data security professional, the last thing that I would want is for my company to be named in a WikiLeaks announcement.