
Data Protection, Humans and Common Sense


Data Theft Prevention for the SME / SMB is more about humans, common sense and policies. Data Loss Prevention Software is just one of the means and definitely not the end.


Page 1: Data Protection, Humans and Common Sense

Data Protection … Keeping it simple.

Data Theft Prevention for the SME.

It is about common sense, not software!

Page 2: Do you have important data on the computer?

• Customer Information

• Technical Drawings / Source Code

• Financials / Employee Information

• Marketing / Contact Information

• Quotations / Agreements / Contracts

• Personal Information

Page 3: What will happen if the data gets stolen?

• Loss of Business

• Financial / Revenue Losses

• Productivity Losses

• Intellectual Property Losses

• Loss of Reputation

• Legal Liabilities

Page 4: Root Cause of Data Breach

[Pie chart, values paired with labels in the order they appear in the extracted chart]

• Malicious or Criminal Attack: 36%

• System Glitch: 29%

• Human Factor: 35%

Data Breach Study 2013 – Ponemon Institute

Page 5: Higher Risk of Insider Data Theft

• Sudden resignation of an employee / partner

• Employees joining competitors

• Family relations in a competing company

• Staff starting their own similar business

• Employees being laid off / fired

Page 6: Some Possible Signs of Data Theft

• Request for purchase of USB Pen Drives

• Working when no one else is there

• Personal Devices being brought to office

• Your information appearing in the public domain

• Identical Products and all your customers being contacted suddenly

Page 7: Common Ways of Copying Data

• Physical Theft

• Print Outs

• USB, CD/DVDs, Hard Disks

• Laptops / Tablets / Smart Phones / Mobiles

• Internet / Remote Access / Messengers

Page 8: Industry Wise Data Theft Distribution

[Bar chart, values paired with labels in the order they appear in the extracted chart]

• Financial: 17%

• Public Services: 14%

• Retail: 14%

• Services: 12%

• Consumer: 11%

• Industrial: 9%

• Technology: 8%

• Communications: 3%

• Hospitality: 3%

• Pharmaceuticals: 3%

• Transportation: 2%

• Energy: 2%

• Healthcare: 1%

• Media: 1%

Data Breach Study 2013 – Ponemon Institute

Page 9: Costs of Data Breach

• Number of Records Breached: 26,586

• Cost of Data Breach: Rs. 5.4 crores

• Average Notification Cost: Rs. 12 lacs

• Average Cost of Lost Business: Rs. 1.5 crores

Data Breach Study 2013 – Ponemon Institute

Page 10: Legal Liability Cost

• IT Act, Section 43A (2008 amendment): compensation for failure to protect client data can be up to Rs. 5 crores.

Page 11: Legal Liability Cost (continued)

• IT Act, Section 72A (2008 amendment): punishment for disclosure of information in breach of a lawful contract is imprisonment for up to 3 years and/or a fine of up to Rs. 5 lacs.

Page 12: So now what?

Do not think ‘software’ only ... Think first about what happens to data in the office.

Page 13: Do you even know what data you have?

• Where is your data stored?

• Which information is considered sensitive?

• Who has access to it?

• Do all PCs require all the data?

• What about data on portable storage?

Page 14: Preventing Data Theft without software (1)

• Education of employees / contractors about IP / company data / customer data

• Agreements on, and understanding of, non-disclosure

• Strict action on non-adherence to company policies

Page 15: Preventing Data Theft without software (2)

• Secure physical devices / PCs / laptops

• Secure the office's portable storage devices (USB, CD/DVDs)

• Decide who can sit at which computer

• Disallow unauthorized devices / PCs if possible

Page 16: You cannot steal what is not there!

• Archive / back up data that is not being used

• Delete data that is not being used
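The questions on page 13 ("where is your data, which of it is sensitive?") and the advice on this page ("archive or delete what is not used") both start with a walk over the shared folders. The script below is an added example, not part of the slides: it flags files that look sensitive (illustrative regexes for Indian PAN numbers, e-mail addresses and 16-digit card numbers; tune them to your own data) and files not modified for more than a 180-day threshold, which are the candidates for archiving or deletion. The sample folder it builds is constructed for the demo; point it at a real share with `python discover.py /path/to/share`.

```python
"""Added example (not from the slides): find sensitive-looking files and
stale files in a folder tree. Patterns and the 180-day threshold are
assumptions; adjust them for your own data."""
import os
import re
import sys
import time
import tempfile
from dataclasses import dataclass, field

# Illustrative "sensitive content" patterns (assumption: adapt to your data).
PATTERNS = {
    "pan_number": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),      # Indian PAN card number
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),         # 16 digits, optional separators
}
STALE_DAYS = 180  # assumption: not modified for half a year -> archive or delete


@dataclass
class Finding:
    path: str
    matches: dict = field(default_factory=dict)  # pattern name -> number of hits
    stale: bool = False
    age_days: int = 0


def classify_file(path, now=None):
    """Count sensitive-pattern hits in one file and compute its age in days."""
    now = time.time() if now is None else now
    age_days = int((now - os.path.getmtime(path)) / 86400)
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        text = ""  # unreadable file: still reported if stale
    matches = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    matches = {k: v for k, v in matches.items() if v}
    return Finding(path=path, matches=matches, stale=age_days > STALE_DAYS, age_days=age_days)


def scan_tree(root, now=None):
    """Return findings for every file that is sensitive-looking or stale (or both)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            f = classify_file(os.path.join(dirpath, name), now)
            if f.matches or f.stale:
                findings.append(f)
    return findings


def demo_tree():
    """Constructed sample share: a current customer list, an old quotation
    with a card number, and a harmless brochure."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "customers/list.csv": "name,email,pan\nAsha,asha@example.com,ABCDE1234F\n",
        "old/quote-2011.txt": "Quote for Rahul rahul@example.net card 4111 1111 1111 1111\n",
        "marketing/brochure.txt": "Our products are great.\n",
    }
    for rel, content in samples.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(content)
    old = time.time() - 400 * 86400  # make the quotation 400 days old
    os.utime(os.path.join(root, "old", "quote-2011.txt"), (old, old))
    return root


def report(findings):
    for f in sorted(findings, key=lambda x: (not x.stale, x.path)):
        flag = "STALE" if f.stale else "     "
        print(f"{flag} {f.age_days:4d}d  {f.path}  {f.matches}")


if __name__ == "__main__":
    report(scan_tree(sys.argv[1] if len(sys.argv) > 1 else demo_tree()))
```

Stale files with sensitive hits are the first thing to move to an offline archive; stale files with no hits are the easy deletions. Files that are both current and sensitive are where access control (page 13, "who has access to it?") should be tightened.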

Page 17: What about inventory?

• How many PCs / laptops?

• What is the h/w configuration of each PC?

• What is loaded on each PC: OS, software and data?

• Inventory of removable / portable storage

• Inventory of portable modems

Page 18: What about the basic network?

• Do you have a server?

• List of machine names / IP addresses

• Does everyone have their own user name / password?

• Do you allow remote access?

• Wi-Fi / wired?

• Internet connection: single entry point?
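An inventory is only useful if it is compared with the previous one: a machine that appears without being bought, or disappears without being retired, is exactly the "unauthorized device" pages 15 and 17 warn about. The following is an added example, not from the slides: `snapshot()` records the fields the two slides ask for (name, address, OS, hardware) for the machine it runs on using only the standard library, and `diff_inventory()` compares two collections of such records. The "last month" and "today" inventories are constructed sample data; in practice each PC writes its snapshot to a folder on the server and the server side runs the diff.

```python
"""Added example (not from the slides): per-machine inventory snapshot and a
diff between two inventory runs. Assumes one JSON record per machine, keyed
by unique hostname; the watched hardware fields are an assumption."""
import json
import os
import platform
import shutil
import socket


def snapshot():
    """Inventory record for the machine this runs on (standard library only)."""
    host = platform.node()
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        ip = "unknown"
    total, _used, _free = shutil.disk_usage(os.path.abspath(os.sep))
    return {
        "host": host,
        "ip": ip,
        "os": f"{platform.system()} {platform.release()}",
        "arch": platform.machine(),
        "cpus": os.cpu_count(),
        "disk_gb": round(total / 1e9),
    }


def save_snapshot(folder):
    """Write this machine's record as <folder>/<host>.json (one file per PC)."""
    rec = snapshot()
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, rec["host"] + ".json"), "w", encoding="utf-8") as fh:
        json.dump(rec, fh, indent=2)
    return rec


def load_inventory(folder):
    """Read every <host>.json in a folder into a {host: record} map."""
    inv = {}
    for name in os.listdir(folder):
        if name.endswith(".json"):
            with open(os.path.join(folder, name), encoding="utf-8") as fh:
                rec = json.load(fh)
            inv[rec["host"]] = rec
    return inv


def diff_inventory(old, new, watch=("ip", "os", "arch", "cpus", "disk_gb")):
    """Compare two {host: record} maps.
    Returns (added, removed, changed); changed maps host -> {field: (old, new)}."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for host in set(old) & set(new):
        deltas = {f: (old[host].get(f), new[host].get(f))
                  for f in watch if old[host].get(f) != new[host].get(f)}
        if deltas:
            changed[host] = deltas
    return added, removed, changed


# Constructed sample inventories (not real machines).
LAST_MONTH = {
    "acct-pc1":   {"host": "acct-pc1",   "ip": "192.168.1.10", "os": "Windows 7 6.1", "arch": "x86",    "cpus": 2, "disk_gb": 250},
    "design-pc2": {"host": "design-pc2", "ip": "192.168.1.11", "os": "Windows 8 6.2", "arch": "AMD64",  "cpus": 4, "disk_gb": 500},
    "old-laptop": {"host": "old-laptop", "ip": "192.168.1.30", "os": "Windows XP 5.1", "arch": "x86",   "cpus": 1, "disk_gb": 80},
}
TODAY = {
    "acct-pc1":     {"host": "acct-pc1",     "ip": "192.168.1.10", "os": "Windows 7 6.1", "arch": "x86",   "cpus": 2, "disk_gb": 1000},
    "design-pc2":   {"host": "design-pc2",   "ip": "192.168.1.11", "os": "Windows 8 6.2", "arch": "AMD64", "cpus": 4, "disk_gb": 500},
    "guest-laptop": {"host": "guest-laptop", "ip": "192.168.1.57", "os": "Windows 7 6.1", "arch": "AMD64", "cpus": 2, "disk_gb": 320},
}

if __name__ == "__main__":
    added, removed, changed = diff_inventory(LAST_MONTH, TODAY)
    print("new machines (who authorised them?):", added)
    print("missing machines (retired, or walked out of the door?):", removed)
    for host, deltas in changed.items():
        print("hardware changed on", host, deltas)
```

A larger disk appearing on a PC, or a machine vanishing, is not proof of theft, but each line of the diff is a question the owner should be able to answer; an inventory nobody compares is just a spreadsheet.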

Page 19: User Account Policies: Dynamite against data theft

• No empty / default passwords

• Passwords should expire

• Strong passwords

• No common passwords

• Privileges / account deletion (remove access the day someone leaves)

• Remote access
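The account policies above are cheap to state and easy to let slip; the accounts of the people page 5 lists (resigned, laid off, joined a competitor) are the ones most often still enabled months later. The script below is an added example, not from the slides: it audits a list of account records against these policies and against HR's list of people who have left. The record fields are an assumption (they correspond to what a Windows `net user` listing, Active Directory export or a walk of `/etc/shadow` and `lastlog` can supply); the 90-day password age and 60-day inactivity limits are illustrative, and the accounts themselves are constructed sample data.

```python
"""Added example (not from the slides): audit user accounts against the
slide's policies. Field names, thresholds and the sample accounts are
assumptions for the demonstration."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumption: "passwords should expire"
INACTIVE_DAYS = 60           # assumption: no logon for this long -> disable/delete
ADMIN_GROUP = "Administrators"


def audit(accounts, departed, today):
    """Return {account name: [issue, ...]} for every enabled account that
    breaks a policy. Disabled accounts are skipped (they cannot be used)."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        issues = []
        if a["password_set"] is None:
            issues.append("empty or never-set password")
        elif (today - a["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
        if a["password_never_expires"]:
            issues.append("password set to never expire")
        if a["last_logon"] is None or (today - a["last_logon"]).days > INACTIVE_DAYS:
            issues.append(f"no logon in {INACTIVE_DAYS} days (disable or delete)")
        if a["name"] in departed:
            issues.append("user has left the company but account is enabled")
        if ADMIN_GROUP in a["groups"] and a["remote_access"]:
            issues.append("administrator with remote access")
        if issues:
            findings[a["name"]] = issues
    return findings


# Constructed sample export (not real accounts) and HR's leavers list.
TODAY = date(2014, 3, 1)
DEPARTED = {"rahul"}
ACCOUNTS = [
    {"name": "asha", "enabled": True, "password_set": date(2014, 1, 15),
     "password_never_expires": False, "last_logon": date(2014, 2, 28),
     "groups": ["Users"], "remote_access": False},
    {"name": "guest", "enabled": True, "password_set": None,
     "password_never_expires": False, "last_logon": date(2014, 2, 27),
     "groups": ["Users"], "remote_access": False},
    {"name": "rahul", "enabled": True, "password_set": date(2012, 6, 1),
     "password_never_expires": True, "last_logon": date(2013, 12, 1),
     "groups": ["Users", "Administrators"], "remote_access": True},
    {"name": "backup", "enabled": True, "password_set": date(2013, 1, 1),
     "password_never_expires": False, "last_logon": date(2013, 11, 1),
     "groups": ["Administrators"], "remote_access": False},
    {"name": "old_intern", "enabled": False, "password_set": date(2013, 5, 1),
     "password_never_expires": False, "last_logon": date(2013, 8, 1),
     "groups": ["Users"], "remote_access": False},
]

if __name__ == "__main__":
    for name, issues in sorted(audit(ACCOUNTS, DEPARTED, TODAY).items()):
        print(name)
        for issue in issues:
            print("   -", issue)
```

The point of the leavers check is that it needs no software at all beyond a list from HR; the rest of the audit is a weekly five-minute job that catches the shared "guest" account with no password and the administrator who resigned three months ago and can still dial in.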

Page 20: Reckless Wireless Routers

• No SSID broadcast

• No wireless configuration

• MAC IDs (MAC address filtering)

• User name / password security

• Change the default password

Note that a hidden SSID and MAC filtering only keep out casual users: anyone who can sniff the traffic sees the network name and a permitted MAC address and can copy them. The strong wireless passphrase and the changed default administrator password are the controls that actually matter.

Page 21: ‘MUST’ Software

• Anti-virus / anti-malware / anti-spam / anti-phishing software

• Regular updates of AV / operating systems

• Regular patches of OS and software

• User access / privilege management

Page 22: But Anti-Virus is NOT enough to stop employees stealing data!

Page 23: Stepping towards Basic DLP

• Internet access control: websites, protocols, firewalls, proxies

• Device control: USB, CD/DVDs, modems, Bluetooth

• Upload of data: browser-based uploads

• Encryption
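Browser-based uploads are the hardest of these channels to block outright, because the same POST that sends a quotation to a file-sharing site also submits a web form to the CRM. What a proxy log makes possible is detection: large request bodies to hosts that are not approved for uploads, uploads outside office hours (page 6, "working when no one else is there"), and a per-user daily volume. The script below is an added example, not from the slides, and the log format is constructed for it (one line per request: timestamp, user, client IP, method, host, request bytes, status); a real proxy would have to be configured to log the request body size, which not all do by default. The allowlist, thresholds, business hours and log lines are all sample assumptions.

```python
"""Added example (not from the slides): flag suspicious browser uploads in a
constructed proxy log. Log format, allowlist and thresholds are assumptions."""
from datetime import datetime

ALLOWED_UPLOAD_HOSTS = {"crm.example.com", "mail.example.com"}  # approved for uploads
SINGLE_UPLOAD_LIMIT = 1_000_000    # bytes in one request to an unapproved host
DAILY_USER_LIMIT = 20_000_000      # bytes per user per log window to unapproved hosts
BUSINESS_HOURS = (8, 20)           # uploads outside 08:00-20:00 are flagged

# Constructed sample log: "time user client_ip method host request_bytes status"
LOG = """\
2014-03-01T09:12:03 asha 192.168.1.21 POST crm.example.com 240000 200
2014-03-01T09:30:11 rahul 192.168.1.34 POST mail.example.com 120000 200
2014-03-01T21:05:40 rahul 192.168.1.34 PUT drive.filehost.test 48000000 201
2014-03-01T21:06:02 rahul 192.168.1.34 PUT drive.filehost.test 52000000 201
2014-03-01T21:07:15 rahul 192.168.1.34 GET drive.filehost.test 0 200
2014-03-01T10:02:00 priya 192.168.1.40 POST www.pastesite.test 3000000 200
2014-03-01T10:03:00 priya 192.168.1.40 POST www.pastesite.test 900 200
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    time_s, user, client_ip, method, host, req_bytes, status = line.split()
    return {"time": datetime.fromisoformat(time_s), "user": user, "client_ip": client_ip,
            "method": method, "host": host, "req_bytes": int(req_bytes), "status": int(status)}


def detect(log_text, hours=BUSINESS_HOURS):
    """Return a list of (user, host, bytes, reason) alerts for the log window."""
    alerts = []
    totals = {}  # user -> bytes uploaded to unapproved hosts
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        # Only request methods that carry a body, and only hosts not approved for uploads.
        if e["method"] not in ("POST", "PUT") or e["host"] in ALLOWED_UPLOAD_HOSTS:
            continue
        totals[e["user"]] = totals.get(e["user"], 0) + e["req_bytes"]
        if e["req_bytes"] > SINGLE_UPLOAD_LIMIT:
            alerts.append((e["user"], e["host"], e["req_bytes"], "large upload to unapproved host"))
        if not (hours[0] <= e["time"].hour < hours[1]):
            alerts.append((e["user"], e["host"], e["req_bytes"], "upload outside business hours"))
    for user, total in totals.items():
        if total > DAILY_USER_LIMIT:
            alerts.append((user, "*", total, "daily upload volume exceeded"))
    return alerts


if __name__ == "__main__":
    for user, host, size, reason in detect(LOG):
        print(f"{user:8s} {host:22s} {size:>11,d} B  {reason}")
```

Small POSTs to unapproved hosts (the 900-byte form submission above) are left alone on purpose; the signal is volume, timing and destination together, which is also why the per-user total is computed even when no single request crosses the limit.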

Page 24: Humans, Common Sense and Policies!

It will surely help – all the best!