Data Protection
Securing business-sensitive information is one of the principal objectives of IT security. In recent years, the importance of information security has become enormous in the wake of digitalization and mobility and the explosive growth of Internet applications.
Data protection solutions focus directly on protecting information flows and storage. With technology, the use of sensitive information can be regulated (“data loss prevention”) and the information made unusable for unauthorized parties (“encryption”). The skill is to implement such measures so that workability is impacted only to a minimal degree, which is quite possible with the right selection of solutions.
In order to pursue a comprehensive information security policy, it is first important to define which data requires protection. This means protection from unauthorized parties outside of the organization, but also protection against improper access by employees. When the location and nature of this information are known, effective and target-oriented solutions can be applied for its protection.
When it is clear which data needs to be protected, the next step is to recognize threats. When it comes to preventing data leaks, the following challenges present themselves in the general sense:
- Unauthorized access. When speaking of data protection, many people think about preventing data from “winding up on the street,” when in reality a data leak can also mean that a piece of text is read by someone who should not (or not yet) have knowledge of this information. Access to sensitive information must therefore be monitored, which first and foremost requires a thorough authorization structure. Second, data protection shares common ground with all other forms of security, namely keeping unauthorized outsiders from obtaining access to the data. Combatting hackers is therefore just as much a form of information security as data encryption, so information security should be seen not as a part of IT security but rather as an objective of it.
- Sending information via the Internet. Network borders are blurring and data is transmitted throughout the entire world. The fact that the Internet protocols used for this, such as web and email, are often completely unsafe means that every transmission of corporate information has its risks, but your classified data should never be able to leave your organization in this manner. Often this is set forth in unwritten agreements, but in reality sensitive information is still frequently sent to webmail accounts or storage services, for example. Control of outgoing Internet traffic has become nearly inconceivable.
- Loss of mobile devices (laptops/tablets/etc.). Mobile devices often contain information that must not fall into the wrong hands. This also applies to tablets. It is therefore important to secure the data on such devices in the event of loss. Securing is done by means of encryption, which can nowadays be implemented on any type of device. Without knowing the key, a thief or other unauthorized party cannot read the data on a system. Good encryption technologies also cannot be cracked, which, of course, is of essential importance. A well-thought-out choice of technology is therefore important.
- Loss of removable storage. The words “data leak” almost immediately conjure up two other words: “USB stick.” It comes as no surprise that of all the sensitive information that has reached the media to date, the majority was due to a lost USB stick. Unsecured USB sticks should therefore not be allowed in a corporate setting, or it should be possible to prevent certain types of information from being sent to them. Making the use of USB sticks entirely impossible is likely taking it too far for most companies; after all, it is a very efficient way of transferring data. The solution is to use secure USB sticks while simultaneously blocking unsafe USB sticks.
- Storage at/copying to unauthorized locations. If certain types of sensitive information are always kept at one location, then for manageability reasons it is undesirable for this data to be moved to a different location, for whatever reason. This location may again be a USB stick, which might only be permitted if the USB stick is secure, for example. But copying to other locations is likely also undesirable and will have to be regulated.
- Printing. As stated above, USB sticks are the first to come to mind when thinking about data leaks, but printing out information can be just as dangerous. After a document has been printed out, it can no longer be monitored. And then there is a chance that the document will be left somewhere, such as on the train. This poses just as much – or even more – risk as losing a USB stick, so regulation of printing should also be part of a security policy.
Protection can also be established by means of regulation, for example by regulating USB use or monitoring data flows in email and web traffic. By implementing a structured approach for data protection, critical information can be proactively protected.




