Simple Ideas For Protecting Against Data Leakage
On the last (ISC)2 ThinkT@nk Roundtable webcast (link to the archive is below), I had the good fortune to moderate a very interesting panel about low tech methods for securing your data. Our panelists ranged from the academic to the pragmatist.
- Dr. Hugh Thompson, Chief Security Strategist of People Security
- Chris Trautwein, Information Security Officer at (ISC)2
- Joe Sechman, Director of Sunera‘s Attack & Penetration Testing Practice
What I found most exciting about the event was the sheer number of ideas being offered by the audience members. While I usually have little trouble keeping up with audience questions during these types of events, we had over 400 people in attendance and the ideas were coming at me so fast that we ran out time before getting to all of them. I want to take a minute to share more of what was going on “behind the scenes” and see if this sort of recap is useful to you. Let’s keep the discussion going. Just add your own ideas and thoughts on the roundtable in the comments section below.
- Being a supporter of the (ISC)2 Security Leadership Program, and the sponsor of this event, it was no surprise that 3M’s privacy filters were discussed as a means of guarding against “shoulder surfing”. These filters are now available for just about every mobile device on the market now and seem like a good starting point.
- Within just a few minutes of the call, Robert Curee from Rite-Solutions, Inc. brought up another obvious choice: laptop cable locks. I can’t even count the number of times someone at a coffee shop has asked me to keep an eye on their new MacBook while they scurried off to the bathroom. This just seems like a no-brainer for the mobile worker.
- Martin Linda, from Siemens, then quickly added that they issue laptop bags that don’t look so much like laptop bags. Being able to hide the fact that you are even carrying a mobile device, makes you less likely to be targeted. He went on to add that at Siemens, they issue backpacks and other alternatives to traditional laptop bags with each new laptop going out.
- Just a couple of minutes later, Jospeh Valinotti of Valador piped up that he encourages larger bags for travelers so that they put their personal affects in with their laptops. His theory being that this helps raise awareness because the user is also thinking about their own “stuff”, not just company assets.
- In a spark of creativity, David Nelson from the FDIC started attaching a small cat bell to his own laptop bag. This simple idea let’s him know when his bag is being tampered with, even when out of sight such as when going through airport security.
These first few items seem like an easy way to mitigate data theft, but the questions soon shifted toward how to implement these and other controls. Here are some of the key items we captured on the discussion.
- For physical security controls, such as cable locks and laptop bags, integrate with the purchasing department to ensure that every new mobile device getting released to the field comes with these basic protections.
- Train your users on the proper use of these tools and direct them to your company policy regarding their responsibility for protecting company assets, both physical and ephemeral.
- Not only should you reach out to purchasing, but while we were on the topic of policies, Larry Chu from RS Investments reminded us of the need to include HR in the policy making decision. Especially if you use language around penalties the user could face, such as termination.
- While we are on the topic of HR enforcement of policies, Petr McAllister mentioned a policy of “lose your laptop, lose your job” that he recalled from the CSO of Visa who imparted these words of wisdom at RSA back in 2007 or 2008 (if anyone has a link to the presentation, please send it along).
Keep the ideas coming, we had a great discussion and some of the comments on the live were very encouraging.
Very interesting discussion with a variety of relevant viewpoints
Learned a lot of new ideas to help me in preventing mobile data breaches.
Good presentation. Covered a wide range of issues and potential solutions.
Jam-packed with practical real-world tips, this was an excellent presentation!
In case you wanted to watch it again, or pass it along to your colleagues, the archived event is below.