Labels and Priorities
Knowing what the company owns—servers, computers, information—is the first step. Classifying and prioritising those assets is the next logical step. Putting security labels on information and documents is an old practice that has its roots in defence and government practices. The idea is that once a label is put on a document, the reader should know how to handle it.
Most companies opt for three or four labelling categories. We like simplicity because it’s easy for users to remember what the labels mean. An example of such a categorisation system would be:
Want to make it simpler? Just drop the last “Secret” category. People often find three categories easy to grasp.
Those labels may help tell the reader how important the information in each document is, but the terms aren’t clear to everyone. Employees often have difficulty understanding the difference between internal documents and confidential documents. They aren’t sure which documents may be sent to employees and which to partners. They can’t decide whether to give an internal document to a consultant. Even top executives and security managers struggle to distinguish what should be labelled “Confidential” from what’s “Secret.”
The best solution is a simple rule for labelling documents, emails, faxes, and other information. Give employees clear if-then statements: if you give internal or confidential documents to someone outside the company, make sure a signed non-disclosure agreement with the company is in place first. If you create a document and give it to someone else, label it yourself. If the document contains confidential information, put the word “Confidential” in the header or footer. You’ve probably seen the disclaimer clauses in many official email footers; it’s the same thing with a bit of legal jargon to spice it up.
A simple trick is to make official document templates in Word and PowerPoint with the “Confidential” or “Internal” label already present by default. Then, when employees use the company’s official templates, the documents open with the default label already there. People will still make mistakes and won’t pay much attention, but at least every document carries a default label. One more idea: add a unique, innocent-looking identifier to the footer of your document templates, something that means nothing to anyone but you. If there’s a data breach, you can search for that identifier with a breach monitoring service and know that the leaked file came from one of your templates.
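The footer identifier described above works best as a canary: one identifier per template, derived from a secret so that it looks like an ordinary reference number to an outsider but can be recomputed and recognised by you. The following is an added example, not code from the original text; the key, the template names and the “Doc-Ref” format are assumptions for illustration, and the leaked text is constructed, not a real dump.

```python
import hashlib
import hmac
import re

# Hypothetical secret held by the security team (not from the original text).
# Generate a real one with: python -c "import secrets; print(secrets.token_hex(32))"
CANARY_KEY = b"example-key-replace-me"

# One identifier per template, so a hit also tells you which template (and team) leaked.
TEMPLATES = ["Contract-Template-HR", "Board-Deck-Template", "Customer-Proposal-Template"]


def canary_id(template_name, key=CANARY_KEY):
    """Derive the footer identifier for one template.

    An HMAC makes the identifier look like an arbitrary reference number and
    unpredictable to anyone without the key, yet it can be recomputed for any
    template name at any time, so there is no token database to protect.
    """
    digest = hmac.new(key, template_name.encode(), hashlib.sha256).hexdigest()
    return f"Doc-Ref {digest[:4]}-{digest[4:8]}-{digest[8:12]}"


def build_index(template_names, key=CANARY_KEY):
    """Map identifier -> template name for every template we issued."""
    return {canary_id(name, key): name for name in template_names}


# Anything shaped like our identifier; the index lookup filters out look-alikes.
CANARY_RE = re.compile(r"Doc-Ref [0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")


def find_canaries(leaked_text, index):
    """Return {template_name: hit_count} for our identifiers found in a dump."""
    hits = {}
    for match in CANARY_RE.finditer(leaked_text):
        name = index.get(match.group(0))
        if name is not None:
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed stand-in for a paste-site dump; not a real breach.
SAMPLE_LEAK = "\n".join([
    "==== dump part 3 ====",
    "Employment agreement ... CONFIDENTIAL ... " + canary_id("Contract-Template-HR"),
    "Doc-Ref 0000-1111-2222   <- someone else's reference number, not ours",
    "Q3 board update ... " + canary_id("Board-Deck-Template"),
    "Addendum ... " + canary_id("Contract-Template-HR"),
])

if __name__ == "__main__":
    for name in TEMPLATES:
        print(f"{name:28} footer: {canary_id(name)}")
    print("hits in sample leak:", find_canaries(SAMPLE_LEAK, build_index(TEMPLATES)))
```

Feed the index to whatever search your breach monitoring service offers, or run `find_canaries` over a dump you’ve obtained. The caveat: a footer only travels with documents that leak as-is. Someone who copies the body text into a new file drops the marker, so this detects sloppy leaks, not determined ones.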
A manual labelling process will fail at some point. Any information that’s crucial for making money and growing the business, or trade secret information that would be harmful if leaked or damaged, should be protected by technical controls rather than labels alone. That costs money and time, of course, and should include encrypting the data when it’s sent over the network to other people. Look into email encryption, data loss prevention, and related technologies. Yes, more securely stored data is harder to access, even for the people who actually need it. That’s the double-edged sword of securing data by encrypting it.
One more thing that companies should keep track of under information and asset management is licence management. Many products and services that companies use are governed by a licence agreement. If that licence agreement is violated, there could be serious consequences, including fines and penalties.
Unless a company practises good licence management, it may be overpaying for too many licences or underpaying for too few. If it’s underpaying, a whistleblower could turn it in and collect a reward. Say you work for a major corporation that you know isn’t paying for its Adobe Illustrator licences for 500 users. Whoever tips off Adobe could get a fat cheque in the mail as a whistleblower. And yes, there are service providers who run this as a service and pay the whistleblowers.
Companies should monitor their licences diligently. Treat them like other assets in the information and asset management system.
A Market for Secrets
Good asset management extends to the point where a company gets rid of old assets. It’s not just about buying and managing what you own but also about destroying it securely once you no longer need it.
There is a market for secrets, and criminals use all kinds of illegal means to obtain secret information that can be sold. In the news recently, an e-waste recycling company was caught when it turned out that some of its employees were pulling hard drives out of computers that were supposed to be destroyed and harvesting the data for sale.
There are also many stories of dumpster-diving criminals who pull paper documents out of the trash. This happens to many different types of organisations, such as healthcare companies that were dumping customer records with medical information by the lorryload until someone found them. Dumpster diving is still very effective in this modern age.
Security against these kinds of attacks doesn’t have to be complicated: get a decent shredder for a thousand dollars. Pay for a good one. It should run without jamming, handle CDs and DVDs, plastic binders and paper, and cross-cut rather than strip-cut (strip-cut output can be pieced back together). It should have a bin large enough for commercial office use. Place shredders where paper is used a lot and where sensitive data is handled: printer rooms, the HR department’s offices, and so on.
To guard against hard drives being pulled out at the e-waste recycling plant, use full disk encryption on all devices: mobile phones, laptops, and desktops. The disk stays encrypted at rest. At boot, the user’s password (or a hardware module such as a TPM) unlocks the disk key, and from then on the operating system decrypts and encrypts data on the fly. Without the password a thief cannot read the data. If he removes the drive and reads it with a special device or another computer, all he’ll see is scrambled data. Note that this protects data at rest: a device that is powered on and unlocked holds the key in memory, so a stolen laptop should have been shut down, not just closed.
Whole-disk encryption can be enabled quite easily in Windows (BitLocker), on Macs (FileVault), and on Linux (LUKS). It used to require specialised software, but it’s now available out of the box and simple to put into use. There is no reason not to use it on every device the company has. Put the requirement in your policies, include the steps in your device management procedures, and escrow the recovery keys in your directory or device management system so that a forgotten password doesn’t turn into data loss.
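A device management procedure needs a way to verify that the requirement is actually met on each machine, not just stated in the policy. The following is an added example, not code from the original text: it parses the JSON that util-linux’s `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on Linux and reports whether a dm-crypt (LUKS) layer sits between the physical disk and the filesystem. The two `lsblk` outputs embedded below are constructed, not captured from real hosts, and `check_this_host` is a hypothetical helper name.

```python
import json
import subprocess

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for a laptop whose root
# and home filesystems live on LVM on top of a LUKS volume; not a real host.
ENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}
""")

# Constructed output for a desktop with the root filesystem directly on a partition.
UNENCRYPTED_DESKTOP = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}]}]}
""")


def _mountpoints(dev):
    # lsblk 2.37+ can report a "mountpoints" list; older versions a single "mountpoint".
    mps = dev.get("mountpoints")
    if mps is None:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def device_chain(devices, mountpoint, ancestors=()):
    """Return the tuple of device types from the physical disk down to the
    device carrying `mountpoint`, e.g. ('disk', 'part', 'crypt', 'lvm'),
    or None if nothing is mounted there."""
    for dev in devices:
        chain = ancestors + (dev["type"],)
        if mountpoint in _mountpoints(dev):
            return chain
        found = device_chain(dev.get("children", []), mountpoint, chain)
        if found:
            return found
    return None


def is_encrypted(lsblk_output, mountpoint="/"):
    """True if a dm-crypt layer sits anywhere between the disk and the filesystem."""
    chain = device_chain(lsblk_output["blockdevices"], mountpoint)
    if chain is None:
        raise ValueError(f"{mountpoint} not found in lsblk output")
    return "crypt" in chain


def check_this_host(mountpoints=("/", "/home")):
    """Hypothetical helper: run the check on the local Linux machine (needs lsblk)."""
    raw = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])
    output = json.loads(raw)
    return {mp: is_encrypted(output, mp) for mp in mountpoints
            if device_chain(output["blockdevices"], mp)}


if __name__ == "__main__":
    print(check_this_host())
```

Walking the whole device tree rather than looking only at the device mounted on `/` matters because LVM-on-LUKS, the common Linux layout, puts the `crypt` layer two levels above the filesystem. The boot partition legitimately shows up as unencrypted. For the other platforms the equivalent checks are `manage-bde -status` on Windows and `fdesetup status` on macOS.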
Finally, we have an example of a company that was leasing printers. Modern printers are small servers with an operating system and storage; quite often it’s a simple Linux system. Every time someone prints a document, a copy is typically spooled to the printer’s hard disk: employee agreements, business agreements, lists, graphs, trade secrets, and internal presentations, to name a few. When this company’s lease ended or it replaced a device, criminals pulled the information off the hard drives of those printers. None of the devices had encryption or data wiping enabled. The data was still there. (Data deleted from a hard disk is usually not gone. The filesystem just marks the space as free; the contents stay on the platter until something overwrites them. Getting the data back is a matter of reading the disk with specialised software and restoring the files.)
An organised criminal gang could go into the recycling business, buy used printers, and harvest valuable information from the hard disks. The thief could be anybody: a custodian, a maintenance person, or anyone who hacks as a hobby and frequents dark web forums looking to trade secrets for money. And this has happened many times already.
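The parenthetical point, that deleting a file only drops its directory entry while the blocks keep their contents, is easy to see on a toy disk image. The following is an added example, not code from the original text: a flat byte array stands in for the disk, a dictionary stands in for the filesystem’s directory, and `carve_pdfs` recovers a “deleted” document by scanning raw bytes for the PDF header and trailer signatures, which is what forensic carving tools do. The PDF payload is constructed and only as structured as the signatures need; the class and function names are illustrative.

```python
import re

# Constructed toy PDF: just enough structure for signature-based carving.
CONTRACT = (b"%PDF-1.4\n"
            b"1 0 obj << /Title (Employee agreement, CONFIDENTIAL) >> endobj\n"
            b"trailer << /Root 1 0 R >>\n"
            b"%%EOF")


class ToyDisk:
    """A disk image as a flat byte array plus a directory of (offset, length).

    The directory stands in for the filesystem's metadata; the byte array
    stands in for the data blocks on the platter or flash.
    """

    def __init__(self, size=4096):
        self.blocks = bytearray(size)
        self.directory = {}

    def write(self, name, data, offset):
        self.blocks[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))

    def read(self, name):
        offset, length = self.directory[name]
        return bytes(self.blocks[offset:offset + length])

    def delete(self, name):
        # Ordinary delete: drop the directory entry, leave the blocks untouched.
        del self.directory[name]

    def wipe(self, name):
        # Secure delete: overwrite the blocks first, then drop the entry.
        offset, length = self.directory[name]
        self.blocks[offset:offset + length] = b"\x00" * length
        del self.directory[name]


# Header and trailer that bracket a PDF; DOTALL lets the match span newlines.
PDF_RE = re.compile(rb"%PDF-.*?%%EOF", re.DOTALL)


def carve_pdfs(blocks):
    """Recover PDFs from raw bytes by signature, ignoring the directory entirely."""
    return [(m.start(), m.group(0)) for m in PDF_RE.finditer(bytes(blocks))]


def demo():
    """Delete one copy normally and one with a wipe, then try to carve both back."""
    deleted = ToyDisk()
    deleted.write("agreement.pdf", CONTRACT, 1024)
    deleted.delete("agreement.pdf")

    wiped = ToyDisk()
    wiped.write("agreement.pdf", CONTRACT, 1024)
    wiped.wipe("agreement.pdf")

    return {"after_delete": carve_pdfs(deleted.blocks),
            "after_wipe": carve_pdfs(wiped.blocks)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, [(off, data[:16]) for off, data in found])
```

The wipe in the example is the remedy the text calls for, but on SSDs an overwrite is not guaranteed to hit the original cells because of wear levelling. The reliable options for a printer or laptop going out the door are encryption from day one (so disposal is just destroying the key) or physical destruction of the drive.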
There’s truly an economy out there for secrets.