In this blog post, Abhijeet Anand, Technical Sales Support Engineer,  Schlumberger, and a student pursuing a Diploma in Entrepreneurship Administration and Business Laws by NUJS, lists and describes the steps that companies can take to avoid data theft. 

 

With the boom of the  IT industry and virtual technology, the technology for hacking and data theft has increased proportionately as well. Data theft, put in context, is the unauthorized copying or removal of confidential or personal information from a business or other large enterprise. As a matter of fact, the theft of trade secrets and customer information cost companies an average of $2 million every year, according to research conducted by security software maker Symantec Corp. This is the largest data theft that has occurred in history, where:

• Two billion internet profiles (usernames and passwords) have been compromised.
• More than 420,000 websites have been affected.
• Well, renowned international, national, as well as small companies, have been impacted.

When compared to data loss, data theft is a more extensive threat as it’s clearly malicious, and statistics suggest through this intuitive theory that data which is stolen is 12 times more likely to be used in fraud than data simply lost. This article will help understand data theft, in brief, whether the actual enemy is involved in the system or outside, suggest preventive steps, and later advice for legal support.

 

What kind of data theft?

Before reaching the conclusion to prevent or mitigate data theft, it is necessary to evaluate the kind of data theft you need to work on. There are broadly two types of data theft that companies or businesses encounter: identity (ID) data theft (the theft of customer records) and the theft of a company’s business strategy or proprietary information or intellectual property.

ID or identity data theft: ID-related data theft occurs when the customer records or data are stolen or illegally copied. The information stolen typically includes customers’ names, contact details, addresses, usernames, passwords, and PINS, account and credit card numbers. This is a serious breach of personal details of the customers and at worse affects the overall business of the organization especially in IT and banking industry. A single data theft from a company or organization can affect a large number of individual victims.

Non-ID data theft: This type of data theft relates to any compromise other than customer records. This occurs when the company’s confidential or proprietary information, intellectual property is stolen or copied and passed on to the benefit of competitors and loss to the business or company. A company’s confidential information includes its financial reports, marketing plans, and contracts with other firms, employee records, and new product specifications and so on.

 

Who is the actual enemy?

After identifying the type of data theft, it is necessary to ascertain the people who may have indulged in this malicious activity. Broadly the perpetrators of data theft can be divided into three groups:

• Internal employees (company staff)
• External competitors or hackers
• Contractors or temporary employment employees who move in and out of the company

Interestingly, the latter, i.e., the breach from contractors seldom happens (which may show that they are more honest than the average employee, or don’t know to steal the data or, just don’t get caught or maybe they are not aware of the same at all). Either way, contractors can be treated as being internal or external, from a network perspective. Equally, internal employees could use the knowledge of the network to attack the system externally.

• Internal Network or employees: A full-time employee has access to network and server files or folders, knows to enter the system and can liaise with multi-department people to carry on the malicious activity. They do not have to defeat passcodes, breach database security system or go through firewalls. All the data is available to them and can be taken out from the network through a variety of different methods including, email, USB or printing.
• External Network Attacks or hackers: The Company’s database security if not secured well from external threats is vulnerable for hackers to enter into the system and get the requisite details. This has been a very common incident repeatedly reported worldwide. They have to take a much harder route, but it is frequently done by identifying a weak link in the security or liaison with an internal employee.

 

Preventing the vulnerability of data to thieves

Having identified the type and enemy which may be involved in the data theft, it is necessary to build a robust security system to prevent both the internal and external networks to take the data from the company. This can be done by a variety of preventive measures which is discussed briefly as under:

Data Access and Storage: This is a major step to prevent data theft or the threat from the internal network. Only necessary data should be given access to concerned people and should be based on NEED TO KNOW basis.

• Hard copies or paper document: Abolish or primarily lock in safeguards. The paper files should be shredded as soon as they are no longer needed or a server has been created. According to John Rowan of Advantage Business Equipment, the following nine things businesses should shred are:
  • Any mail with a name and address
  • Luggage tags
  • Trip itineraries
  • Extra boarding passes
  • Credit offers
  • Price lists
  • Vendor payment stubs and paid invoices.
  • Cancelled checks
  • Receipts
• Restricted access to sensitive or important data: The data access should be on a “Need to Know” basis and the concerned person should be given access only to that relevant data. This implies that the data should be well segregated and organized with an adequate level of security associated with each of them.
• Segregation and organization of data: Every company or business is different based on its fields or area of operation. It is necessary that the data associated with them is well segregated, and the internal employees can very well do this. The data organization should be well audited and assessed by  hiring an external expert for the external advice.

Technology:

• Encrypt or protect all computers, devices, and systems: The access to a company’s and employees’ devices and computers should be restricted, and necessary encryption with passcodes should be present. This makes it difficult for external networks to intrude into the internal network easily. The system should be protected with restricted user access and enabling remote wipe on all devices.
• Install or enable a firewall: This prevents outsiders from entering into the company network.
• Protect Wireless network in the company premises: Using a strong password with employee authentication and using encryption will prevent any external sources from using the internal Wi-Fi system.
• Restrict of physical movement of information: This necessarily includes the check on the transfer of information from company devices to USB, CD, mobile or any other portable media. This is the most important check that needs to be in place to prevent the threat from the internal network.
• Use of anti-virus software, anti-spyware: This is almost mandatory to any cyber transaction or information storage. The selected anti-virus should be well equipped for dynamic virus identification and handling.

People:

• Authentication and password: A strict guideline in place of the use of strong passwords should be in place and the two-factor employee authentication system in place will make way for proper identification of employees.
• IT and data security policy: This, however, is a mandatory policy of both IT and non-IT related companies nowadays but lacks implementation at several occasions. This needs to be strengthened with adequate measures for breach of the policy and must include clauses for protecting the company’s data both in hard and soft forms.
• Training: This is the most important part of people’s preparation to the threat from external networks on their systems or devices. Regular awareness programs, sample phishing exercises should be conducted to make the employees aware of the threats that they face.
• Social media policies and employee management: The company management should be in line to create and enforce social media policies so that employees are well aware of the importance of data and their role and responsibilities when sharing data with an external network. To achieve this, it is the company’s top management responsibility to enable them to be enacted to the roots of the company and treat the most important asset of the company, i.e., the people well.

 

Mitigation or legal support framework in India

A company or business should be prepared for any potential data breach as they are a simple result of employee negligence or mistake which is very difficult to negate completely. India specifically has been proactive to react to the data theft globally, however,  it does not have a specific legislation in place likes UK’s The Data Protection Act, 1984. India boasts of its Information Technology Act, 2000 to address the over growing cyber-crime, including data theft. In reality, this Act is not well equipped to tackle such extensive situations and does need a new look by the Indian Government to prevent any such malicious activity or attempt.

 

Conclusion

Data theft is one of the most concerning issues for any company or business in the present era and poses the threat of completely washing out businesses as well.  It is very important for any business to identify the type of data threat it can encounter, people that may potentially affect it and take necessary actions to prevent them and in worst cases mitigate with the latest available legal framework.

[divider]

References:

1. http://www.legalserviceindia.com/article/l267-Data-Theft-in-Cyber-Space.html
2. http://www.itbusinessedge.com/
3. https://whereismydata.wordpress.com
4. http://www.businessidtheft.org/