20 ways to lose your database.

Author: Pollard, Tim

Arguably an organisation's most vital assets are its databases, which often contain sensitive financial information, customer and employee data and intellectual property.

Many articles have examined the risks posed by data being exposed and the potential damage caused. External threats have long been recognised, with billions of pounds spent strengthening defences to mitigate them - yet there is little acknowledgement of the very real threat from within.

The statement 'don't leave your valuables on show' is a simple principle, so why is it so often ignored by Corporate UK?

It has been proven to be relatively easy to bribe someone on the inside - or even plant a rogue employee in the organisation - to gain access to sensitive data. But even if we leave this well-documented risk aside, how often has someone left your organisation taking company stationery with them? Do you know what else has been taken? Could they have sneaked out with sensitive material? What about a copy of the entire corporate database? Would you even know if they had?

Below, I've identified the most common techniques individuals will employ to copy sensitive data:

Legitimate access, yet inappropriate use

Let's be realistic: employees need access to corporate data in the normal course of their duties. Increasingly, this need is 24 hours a day, 7 days a week, and it is not restricted to within the corporate walls or to company-owned devices.

It is this need that is opening up one of the biggest and fastest-growing weak points for Corporate UK: data is seeping out via unprotected end-points, a significant number of which the company does not know exist, or which are simply outside the company's domain, such as private USB sticks, iPods and an entire generation of smartphones such as iPhones, BlackBerries and Android mobiles.

To illustrate, an employee in sales may legitimately need to access customer records whilst on or off site, and during a normal day may do so up to 100 times.

Another employee in R&D may need access to the secret formula for a product that's in development, whilst another employee in the marketing department may need to access the marketing plans for this new product's launch and email them to the various agencies tasked with delivering the plan. However, there is no viable reason for all of these different employees and departments to be able to access all of this information in the same way, and do the same things with it. In many instances...
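The point above is that access should be scoped to what each role actually needs, and that a sudden departure from a role's normal usage is worth noticing. The following is an added illustration, not code from the article: a small role-based policy check plus a per-role daily volume baseline run over a constructed access log. Roles, data classes, baselines and log entries are all assumptions made for the example.

```python
"""Role-scoped access policy with a per-role daily volume baseline.

Added example (not from the article). Each role may only perform the
actions its job requires on the data classes it needs, and a day's read
volume far above the role's baseline is flagged for review.
All roles, data classes, baselines and log lines are constructed.
"""
from collections import Counter

# Data classes each role legitimately needs, and what it may do with them.
POLICY = {
    "sales":     {"customer_records": {"read"}},
    "rnd":       {"product_formula": {"read"}},
    "marketing": {"launch_plan": {"read", "email_external"}},
}

# Typical daily read volume per role (constructed; ~100/day for sales as in the text).
DAILY_BASELINE = {"sales": 100, "rnd": 20, "marketing": 30}


def is_permitted(role, data_class, action):
    """True if the role's policy allows this action on this data class."""
    return action in POLICY.get(role, {}).get(data_class, set())


def review_access_log(events, ratio=3.0):
    """Return findings for (a) actions outside the role's policy and
    (b) users whose daily read count exceeds ratio x the role baseline."""
    findings = []
    reads = Counter()
    for user, role, data_class, action in events:
        if not is_permitted(role, data_class, action):
            findings.append(("policy_violation", user, data_class, action))
        if action == "read":
            reads[(user, role)] += 1
    for (user, role), count in reads.items():
        if count > ratio * DAILY_BASELINE.get(role, 0):
            findings.append(("volume_anomaly", user, count))
    return findings


# Constructed one-day log: (user, role, data_class, action)
SAMPLE_EVENTS = (
    [("alice", "sales", "customer_records", "read")] * 90        # normal day
    + [("bob", "sales", "customer_records", "read")] * 400       # bulk-read pattern
    + [("carol", "rnd", "product_formula", "read")] * 5
    + [("carol", "rnd", "product_formula", "email_external")]    # not in policy
    + [("dave", "marketing", "launch_plan", "email_external")]   # permitted
)

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_EVENTS):
        print(finding)
```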