Sneakernet to Snowden: The dramatic evolution of file leaks

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.


File leaks and data breaches are not new. However, the industry gives these IT security issues new, catchy names every few years. Those of us who have been in the security industry might recall 'Sneakernet' in the 1990s and early 2000s, when employees used floppy disks and flash drives to steal company information. In those days, it was relatively easy to save a copy of the data to that medium and remove it from the enterprise. In fact, the term 'Sneakernet' came from how one employee used his sneaker to transfer data between computers, rather than using the Internet.

Fast forward to today, and although the fundamental part of removing data is the same, the methods to do so have drastically changed. The overarching difference is the hyper connectivity of more users who can access the data, more bandwidth to transfer it quickly, and faster devices to process it. Simply put, a floppy disk in the 1990s could only hold approximately 256KB of data, compared to the external hard drive of today that can handle upwards of 1TB. So, what can enterprises do today to protect their data, yet allow employees to access it from any device and any location?

Mobility drives the workforce

Nowadays, most employees can literally work from anywhere that has an Internet connection. The beauty of today’s IT infrastructure is that employees can work from any device – tablet, phone, laptop – in any location and be just as productive as they are in the physical office. However, the mobility aspect of the workforce opens up the enterprise to potential security concerns, including data leaks.

A borderless office might be par for the course in the enterprise landscape today, but connecting to a company’s centralised assets and information still proves risky. Employees must connect to company servers via the Internet (sometimes in a VPN environment), or ask colleagues to email documents to them. In both cases, the mobile employee poses a huge risk to the company if he is handling sensitive documents like earnings reports, deal books, contracts or even memos with private, need-to-know information. As soon as a file leaves the safety of a firewall and ends up on an employee’s mobile device, it is outside the protection of the enterprise and in sole control of the employee, who can use it as he or she wishes.

Most employees probably do not mean to leak information. However, there are high-profile examples of employees doing exactly that, such as a recent data breach by a former IBM employee. More commonly, sensitive information is leaked when an employee’s smartphone, iPad or laptop is stolen. In both scenarios, firewalls and mobile device management (MDM) are not always enough to stop information from falling into the wrong hands.

Once an employee has mobile access to information, simply losing his iPhone on the train could have serious implications for the health of his company. Regardless of company policy or the type of device – bring your own device (BYOD), corporate owned personally enabled (COPE), or a company owned and managed device – if employees have access to sensitive files via mobile devices, it can lead to trouble very quickly. When an employee does have nefarious intentions for his company’s sensitive information, the mobility problem is compounded, especially as devices become more and more advanced. Ten years ago, it was unlikely you could hold 100 contacts in your phone, whereas today, smartphones and tablets have enough memory to contain extremely large files, including intellectual property (IP) like manufacturing documents, customers’ personally identifiable information (PII) like health records, or even complex spreadsheets used for securities trading.

Dropbox syndrome: the problem with cloud

Another critical component of the new Sneakernet is the emergence of the cloud, and cloud-based data storage. In the enterprise, what we have seen happen recently is described by IT professionals as 'DropBox Syndrome', where employees are demanding access to any company material from any device, anywhere. To carry this out, they are turning to free applications to store sensitive data that they can access from an offsite location. These services provide a large amount of free storage (such as Google Drive, which offers users 15GB by default) and are not only easy to sign up for but are also easy to use.

Despite the ease-of-use and collaboration features that these consumer-grade cloud storage services provide, they seriously lack the security and compliance required in many enterprises. Most services lack basic encryption of data. There are no 'box-like' cloud solutions that provide file-level protection, which is necessary to monitor, track and remotely wipe data when necessary. This lack of functionality from services like Dropbox, Google Drive and SkyDrive leaves information vulnerable.

Although the risks of consumer services are actually relatively well-known, most IT professionals don’t know who is using these services nor how prevalently.

The latest research about mobile and cloud data protection from the Ponemon Institute reveals that more than 80 per cent of IT professionals do not know how much of their organisation's regulated data is stored on cloud file-sharing services or mobile devices – creating significant risk and compliance issues. Most organisations also had weak controls in place to protect regulated data on mobile devices, with 73 per cent relying on manual policies and few using mobile device management (12 per cent), mobile digital rights management (six per cent) or mobile application management (four per cent) tools.


How can you stop the 'sneakers'?

The similarities between the Sneakernet of yesteryear and today are mostly in the agenda behind sneaking information. Employees leak sensitive data outside of the organisation’s control for three reasons:

1. Malice: Edward Snowdens, irate employees

2. Self-interest: Selling information such as IP or other assets, which can relate to disgruntled employees if there is a financial incentive to share information outside the company

3. Accident: Sending information to the wrong email, such as what happened with the SFO, or having a company laptop stolen, as happened in the 4 million-file Advocate Medical Group breach

What is different between the 1990s/2000s Sneakernet and that of today is the set of technologies that let the data breaches happen – i.e. mobile, cloud, more prolific Internet use, and bigger and better storage and computing power.

Unlike before, when finding leaked files could prove seriously difficult, technologies have evolved today to confront this issue head-on.

A file-centric security approach is the most proactive way for an organisation to address enterprise collaboration and productivity issues. It is a strategy that firms can use to maximise employee productivity from mobile devices while minimising the risk of data breaches and leaks, and to give workers the means to work in the borderless office, yet maintain the integrity of proprietary company information. The best solutions provide employees with seamless interoperability with their devices: iPhones, iPads, PCs, Macs and Androids. Additionally, these systems will let employees view, edit, annotate and share with their colleagues from anywhere, while also giving system administrators the controls to determine how a file is accessed (the ability to restrict copy and pasting, for instance) and who can access it. More importantly, the enterprise retains the ability to remotely wipe data in the event the employee’s device is lost or stolen, or the employee is fired.

Image credit: Flickr (Victor1558)
