Continuing the topic of data security in an enterprise, today we will talk about how to ensure that trade secrets are not disclosed, namely what needs to be done to prevent information leakage.
We can divide the overall work on the preservation of information into two areas:
- Protection against external intrusion to steal information.
- Protection against internal theft committed by a company employee for personal gain.
Do not underestimate external threats, even if the company, in your opinion, is small and does not promise attackers big profits. The attitude of “Who would need us?!” often leads to negligence in security matters, with quite predictable consequences.
Recommendations for repelling external threats:
- Do not provide access to BackOffice from the outside world without a password. Passwordless access should be impossible for everyone; the company's management should not be an exception here, but an example for other employees.
- Do not provide access from the outside world to BackOffice applications that have not been sufficiently tested for security (for example, 1C). Wrap such connections in a VPN or another type of connection that authenticates both the server and the client side, preferably a cryptosystem based on asymmetric (public-key) encryption.
- Follow the anti-virus protection rules described in the previous article.
Recommendations for preventing information theft by company employees:
- Allow access to BackOffice only with authorization; make sure there is no possibility of any anonymous access (unfortunately, this point is neglected very often).
- Use BackOffice software that can log all operations of all users and that differentiates access to records in the database at the level of access rights. Interface restrictions are not recommended, because they are, in fact, just a defense against a lazy fool. If the employee is neither a fool nor lazy and intends to steal, such restrictions will not prevent information leakage.
- Use additional software at workstations that monitors all user actions and, again, logs them: print jobs, files copied from and to removable media, data copied over the network (keeping copies of the files). These are fairly specialized programs, and they are commercial.
- Take away local administrator rights on the operating system the employee works on, so that they cannot turn off the activity monitoring systems.
- When an employee is granted access to BackOffice, have them sign a non-disclosure agreement covering trade secrets obtained in the course of their duties. This is not a guarantee, but it will stop most would-be offenders, since liability under the Civil Code of the Russian Federation is severe, which should also be spelled out in the document being signed.
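As an added example (not code from the original post, nor from System Administrator LLC), here is how the two requirements above, per-record access rights enforced in the database rather than in the interface and a log of every user operation, can be implemented in PostgreSQL 11+. The table, role, column and user names are constructed for illustration.

```sql
-- One role per business function; each employee logs in under a personal role
-- that is a member of it (names are constructed for this example).
CREATE ROLE sales_manager NOLOGIN;
CREATE ROLE ivanov LOGIN PASSWORD 'change-me' IN ROLE sales_manager;

CREATE TABLE customer (
    id          serial PRIMARY KEY,
    owner_login text   NOT NULL DEFAULT current_user,  -- who created the record
    name        text   NOT NULL,
    phone       text
);

-- Row-level security: the restriction lives in the database, so it holds
-- for any client (1C, psql, a script), not just the application's UI.
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE  ROW LEVEL SECURITY;      -- applies to the owner too

-- A manager can read and change only the records they own.
CREATE POLICY own_rows ON customer
    FOR ALL TO sales_manager
    USING      (owner_login = current_user)
    WITH CHECK (owner_login = current_user);

GRANT SELECT, INSERT, UPDATE ON customer TO sales_manager;
GRANT USAGE ON SEQUENCE customer_id_seq TO sales_manager;

-- Audit log: who did what, when, and the record before and after.
CREATE TABLE audit_log (
    id         bigserial   PRIMARY KEY,
    at         timestamptz NOT NULL DEFAULT now(),
    db_user    text        NOT NULL DEFAULT session_user, -- real login, not function owner
    op         text        NOT NULL,
    table_name text        NOT NULL,
    row_before jsonb,
    row_after  jsonb
);

-- SECURITY DEFINER lets the trigger write the log while employees
-- themselves have no rights on audit_log at all (see REVOKE below).
CREATE OR REPLACE FUNCTION audit_row() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO audit_log (op, table_name, row_before, row_after)
    VALUES (TG_OP, TG_TABLE_NAME,
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN COALESCE(NEW, OLD);
END $$;

CREATE TRIGGER customer_audit
    AFTER INSERT OR UPDATE OR DELETE ON customer
    FOR EACH ROW EXECUTE FUNCTION audit_row();

REVOKE ALL ON audit_log FROM PUBLIC;   -- employees cannot read or edit the log
```

Triggers do not see SELECTs, so to log reads as well set `log_statement = 'all'` in postgresql.conf (or use the pgaudit extension); a user with the `sales_manager` role who queries `customer` will then see only their own rows, and every change they make lands in `audit_log` under their login.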
As you can see, protection against external threats is indeed less labor-intensive and much easier to build. Protecting against the malicious intent of an employee who has access to data as part of their job is much more difficult and expensive. In companies of 30-50 people there should already be a dedicated employee holding the position of IT security officer, or combining it with the position of IT specialist. He must have non-trivial knowledge and enough time to keep the monitoring systems in working order and to review (selectively, of course) what is happening. And even here there is a "weak link": the IT security officer himself. Therefore, we must not forget that the key to the company's success, its main asset, is qualified employees.
System Administrator LLC offers its customers the Security Administrator service to prevent information leakage from the company.
The team of System Administrator LLC