Currently the main mean of documents exchange is electronic document flow. No one can deny this fact. But at the same time necessity of proper organization of these documents according to their sensitivity and of providing security of classified documentation appears. Problem of documents classification is not less important than their security. Incorrect data classification can result in different additional expenditures of your company. It is concerned not only with additional time that will be required for documentation classification in future but with additional hardware resources. Classified data can be easier provided with required security level depending on sensitivity level. But while paper documents could be locked in expensive and safety safe, what should one do with electronic documents?
One of the main problems of critical business documentation security in companies is documentation insecurity outside “security perimeter”. Critical electronic documents, tables, presentations, confidential mails can be accessed by only limited scope of authorized persons inside “information security perimeter”. When business documentation or mails are passed to third party it is almost impossible to follow the further flow of this data. On appearing in external environment this information becomes available for unauthorized reading and copying. Violators can easily open and read such files, distribute and use them to discredit your business, intrude into your IT-infrastructure and disable some services; and to perform other illegal actions.
What are the main ways by which business critical information can fall
into adversaries’ hands?
The most common way is the loss of corporate mobile devices or storages containing critical business data. This way is an example of unintentional, accidental, information loss. Research carried out by Kensington company confirms – every 50 seconds in the world one notebook (including corporate ones) is lost. It’s easy to imagine that USB-storages with critical corporate information are lost if not more often, then approximately with the same frequency. These figures began to grow notably after large companies have introduced BYOD (Bring Your Own Device) policy, when company’s employees are permitted to use their private computers as corporate devices. InfoWatch company dealing with information security tells in its analytic review that the trend of using private mobile computers as corporate ones will just grow in worldwide practice. This fact even now requires changing approach to security of data located on these computers. Material expenditures related to corporate information loss amounted to $37.8 billion in 2012 according only to incidents published in public sources. Perhaps this figure could be far less if information on the lost devices were protected with up-to-date encryption algorithms and methods. Electronic mails accidently sent to outsider owing to trivial misprint in e-mail address may also refer to unintentional way of data loss. However, if the letter was not properly protected and contained critical attachments or sensitive data were placed just in message body, then it will be almost impossible to change anything.
The second way of business information loss directly refers to human factor. And nowadays it tends to continuous increase. Losses of information saved on corporate devices and data storages are generally accidental. However, for recent two years data loss related to intentional actions of motivated employees has been increasing. In 2012 a part of intentional forwarding sensitive business data amounted to 46% of cases against 38% related to unintentional information losses. CISCO company research confirms that in large companies 3-5 persons from each 100 ones are insiders ready to forward sensitive business information to competitive companies or to adversaries. Employees can be motivated in different ways but it requires great financial and other expenditures. These expenditures can be avoided by applying various methods of social engineering. For instance, an adversary can introduce himself as an auditor of information security, system administrator or other authorized person and ask to forward sensitive data directly to him. Ways of forward can be different. Leading ways are e-mail and different web-channels of information distribution. With a rise of social networks popularity this web-channel has become irreplaceable for forwarding sensitive data to adversaries. Access to social networks control is more difficult than it seems, because employees can use their own mobile devices for this access. To prevent this way of data leakage it makes sense to protect not only storage devices but documents themselves so that adversaries could not use them even after receiving them.
Is there any possibility to protect sensitive business data from their using by third party in case of its unintentional or intentional loss?