It seems ages ago that companies were first warned about the danger of confidential information being found in trash bags in front of the office, yet despite the use of shredders and complex security systems, data still manages to leak out the old-fashioned way.
“Traditional security threats to paper documents are still a very real problem for offices of all sizes. Paper documents need to be incorporated into security policies in the same way as networks and servers. Whether it’s information being accidentally left on the output tray or improperly disposed of, the threat of hardcopy documents being leaked has not disappeared,” according to Quentyn Taylor, Director of Information Security, Canon EMEA.
Jayson Street, Senior Partner at Krypton Security says: “Organizations still fail to consider the confidential data found on paper from printers and from faxes, documents left on employees’ desks, and the infamous paper that’s never picked up from the printer or just discarded in a regular trash can. I’ve even seen network diagrams mapping out the entire network, showing where the critical servers were and the paths to them, tacked up on the network department’s cubicle.”
Taylor adds: “In the age of cyber security, digital data leaks and anti-virus software, it’s easy to forget that paper-based leaks still account for over half of the data breaches (according to the ICO in the UK).”
Large organizations have a myriad of policies, yet they still continually suffer what looks like easily preventable data leakage. Street comments: “We have policies in place for data destruction, monitoring of visitors or being suspicious of emails. The problem is, no matter how good your policies are, if you don’t properly train and educate your employees to live by them, you’re going to be doomed for failure.”
What about security awareness? We keep hearing it doesn’t work. Street replies: “I don’t care how big you are in the industry and make statements that security awareness doesn’t work – you are wrong! Security training is difficult and just like trying to secure your network environment, just because it’s difficult doesn’t mean it’s not worth it. We have to go about changing the way we do security awareness training, not giving up on the user as it relates to security awareness is the best option.”
However, experience has shown that the main problem is often not the employees positioned low on the corporate ladder, but the executives. Street agrees: “They are the ones with the most unrestricted access, and they are the ones who think that the rules don’t apply to them. Until you get upper management to buy into the security process and live by the policies that are in place for all users, you can’t expect the users under them to live by the rules as well.”
A great number of older scanners and multifunction devices (MFDs) keep copies of the documents that were scanned or copied, and organizations often don’t even realize it. Some of these devices are reachable on the network with default passwords still enabled, and they can pose a significant threat.
Taylor comments: “MFDs contain hard drives that contain potentially sensitive data that is at risk if not secured appropriately. The solution is to treat the MFD’s hard drive in the same way as all other networked devices; many MFDs now contain removable hard drives so they can be stored securely when needed. It’s also important to dispose of MFDs securely through an appropriate program to avoid information falling into the wrong hands.”
While a great portion of the industry has been emphasizing the external threat for a long time, it’s clear that the insider (malicious or unintentional) can do a lot of damage simply by ignoring the rules. A company should take a detailed look at its data flow and conduct risk assessments on a regular basis.
“The IT security team should use regular users’ credentials with default access to surf the network and look through shares, see what they can see. Don’t look at what an attacker can do, look at what an end user can do to the network,” according to Street.
Taylor adds: “For most organizations, the tools to prevent leaks are available, but it’s vital that IT managers / CSOs take a holistic view of the company’s information and classify data appropriately.”
So, how secure is your confidential data?