7

How can I prevent data theft from a company?

Are there any solutions to this problem?

Is there any software that encrypts important data (.doc, .xls, etc.) and prevents it from being copied?

I need a solution where employees can read/write documents but cannot copy them to a USB drive or e-mail them.

Gaff
Etam
  • Disable usb mounting and email port (or remove the client entirely). People could still remember what they have seen and copy some information in that way. You would probably be better off including confidentiality clauses in contracts and highlight data protection act rules. – James Jan 26 '11 at 13:58
  • 14
    Worth mentioning: http://i.imgur.com/x9yUt.jpg – u1686_grawity Jan 26 '11 at 14:08
  • 3
    If the government cannot keep classified information from being released, I don't think a company can do any better. No matter what technical measures are in place, the weak spot is always the people. – KeithB Jan 26 '11 at 16:34
  • 1
    Impossible task, all you can do is reduce the chance of it happening... http://krebsonsecurity.com/2011/01/ready-for-cyberwar/ – Moab Jan 26 '11 at 17:05
  • @grawity: Easily solved by prohibiting camera phones, laptops with built-in cameras, and digital cameras in the building. Not that practical (anymore), but some do this. – Daniel Beck Jan 26 '11 at 17:22
  • If data is short and very sensitive, it's a bit hard to avoid leaking. You can inform the employees about the company's storage-and-retention policy, how it is a preventive measure against subpoenas, why it is never to be stored elsewhere etc. If your data is too big so that a screenshot is no big deal, e.g. computer program, you can do like Google: no storage devices, no local copies of the files... everything done remotely. You can also do mail quarantine, have attachments forbidden as a general rule, disable CD/USB, but yet either you trust staff or it's out of your hands. – user39559 Jan 28 '11 at 00:12
  • @Daniel this is a place I would not like to work. Doomed to have employees coming and leaving which I think is worse from a security point of view. – NothingsImpossible Dec 26 '13 at 08:03

6 Answers

11

The only solution that works: happy employees and trust.

The other stuff you have in mind is the same as DRM (digital rights management) and that is doomed to fail.

If your employees have to work on a file then they can copy the content.

akira
  • 2
    Pretty much this. Trust is almost all you can have. You can limit using USB sticks with Lumension (as I mentioned in my post in the comments). But for E-Mails you can pretty much do nothing. – sinni800 Jan 26 '11 at 14:20
  • Don't forget they can also take a photo of the screen or print a screen capture as well. @sinni800: Emails you can do a lot: don't give them access to an email client, block the port at the firewall, or don't give them access to the internet at all from their desk, for instance. But @akira is right; there are ways around almost everything except happy employees. – Ken White Jan 26 '11 at 14:24
  • +1 from me: It's as simple as "you can't get there from here." There's also the "security is a process" epithet. – afrazier Jan 26 '11 at 14:25
  • @KenWhite: Sure, but very often, company employees NEED email access. Also I know that you could also easily embed text into a picture. You can also not allow USB Sticks at all and control printing. Though it all comes down to that you need trust. – sinni800 Jan 26 '11 at 14:34
  • 1
    You left out educated. Most hacks come from social engineering. – Keltari Apr 29 '13 at 05:52
5

The problem of data loss prevention (DLP) is one of the most difficult to solve in information security. As we saw with the Wikileaks After-Action Report disclosure, even organizations with a strong will for security, non-disclosure agreements, a non-Internet-connected network, and employees with security clearances have unauthorized disclosures.

I mention that to make the point that this is a battle, one you're not likely to win 100%. That being said, here are some steps you can take.

First and foremost, follow the principle of least privilege. If HR doesn't need access to your manufacturing data, don't give it to them. Only allow as much access as is necessary for that person/group to get their job done. There is expensive software that can scan all outgoing Internet traffic at a company, including SSL. You can disable USB disk drives by disabling the USB Mass Storage Class driver in your operating systems (there is a free way to do this using Windows Active Directory). You can install outgoing email quarantine software. You can disable CD writers.

You mention encryption. That is a good idea for general DLP, but not for the specific threat you present. Encryption does not prevent copying by people authorized to view the information. Even if you did encrypt the data in your important files, which you classify as .doc or .xls, nothing stops them from exporting the data in another format like .odt. Plus, if someone can view the file, nothing stops them from taking a screenshot or using their cameraphone to take a picture of the data.

The best bet in a small company is to follow the principle of least privilege, take inexpensive steps to prevent USB leakage, create loyalty in your employees, maintain good morale, and have a strong non-disclosure agreement signed by everyone in the company.

Cliff
1

Etam: This problem has existed for ages -- ever since guilds were invented in Europe. The modern solution is to write an Employee Handbook, know it well, and ask the employees to sign off that they have read it. Intellectual property and security should just be one chapter in the handbook.

You will find that a) the Handbook limits bad behavior in a plethora of areas; and b) the handbook can be a useful tool to measure the overall quality/compliance of an employee's work.

As one of the commentators mentioned, building trust is also essential. Trust comes from 1) knowing the kind of people you hire; 2) fully explaining to them the expectations of the job (and not just entirely making it up as you go). Think of the Employee Handbook as the list of 12-20 rules that appear at most public pools (at least here in the U.S.). It will contribute greatly to the order of your office, without resorting to a bunch of yelling and tears.

Oh, and if it comes down to one bad apple, I recommend you secure competent legal advice and sue anyone who breaches your security under contract law and applicable intellectual property statutes. Speak softly and carry a big stick.

Rolnik
0

Word and Excel can do this themselves. Hit the big office button (2007), "Prepare and encrypt". There it is.

For other files: Either use 7-Zip with encryption or use GnuPG, link leads to a Windows build for GnuPG. This is initially a German site, so if it is German for you, click "english" at the top right.

sinni800
  • I need a solution that employees can read/write documents but can not copy to USB drive or e-mail them. – Etam Jan 26 '11 at 13:36
  • Take the mouse, mark the text... open Outlook, right click and press "insert"... there goes your encryption. – akira Jan 26 '11 at 14:04
  • @Etam Oh sorry, I didn't realize you meant to block users from sending or putting stuff on USB sticks. But try "Lumension Endpoint Security" for the USB Stick thing. It allows you to prevent files other than specified file formats to be put on a USB stick. For the E-Mail thing... You can't do anything pretty much, except for going all out and indexing every document, reading every email programmatically :)... But that would be bogus, I think. – sinni800 Jan 26 '11 at 14:18
0

There is a GPO for Windows Server that disables USB storage devices on client machines. Along with allowing outgoing email to only specified contacts, you can make things at least a lot more difficult.

paradroid
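
The USB storage restriction mentioned in the answers above (disabling the USB Mass Storage driver, and the Group Policy setting for removable storage), as an added example that is not part of any post. The function names are hypothetical; the registry paths and values are the standard Windows locations for the USBSTOR driver and the "All Removable Storage classes: Deny all access" policy.

```powershell
# Added example: audit and enforce the two registry settings commonly used
# to block USB mass storage. Function names are hypothetical.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageState {
    # Start: 3 = driver loads on demand (storage usable), 4 = driver disabled
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    # Deny_All = 1 is the value written by the "Deny all access" policy
    $deny  = (Get-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        PolicyDenyAll  = ($deny -eq 1)
        Compliant      = ($start -eq 4) -and ($deny -eq 1)
    }
}

function Set-UsbStorageBlocked {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Disable the mass storage class driver
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    # Deny read/write to all removable storage classes
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All = 1')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name Deny_All -Value 1 -Type DWord
    }
}

Get-UsbStorageState             # report the current state of this machine
Set-UsbStorageBlocked -WhatIf   # preview the changes; drop -WhatIf to apply
```

Run it from an elevated prompt. In a domain, the same values are normally pushed through Group Policy rather than set per machine, and the audit function can be used to spot clients that have drifted.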
0

If your employees can read/write the documents, then they can cut'n'paste. To email for example.

There are solutions to prevent cut'n'paste for read-only documents. Never heard of such a solution for writable documents. Nor would it make much sense.

vartec