Small Business Defense – Document Leakage

If my last post raised any questions for you, this post will hopefully answer some of them.  As with many security topics, the issue is complex and this post will NOT give you all the answers.  Hopefully, though, it will help.

The first thing to look at is access.  In order for an attacker to get your data, they have to get on your network and somehow access the documents.  The more places that you keep your documents, the easier this is for an attacker to do.  If you put all your documents in a single place and prevent anyone from saving them anywhere else, you’ll be a bit better off.  (Odds are you won’t be able to keep them off your network, just so you know.)

However, this will also make a nice place for an attacker to target, so you should control this storage location.  At a minimum, you should control access to the document repository by username and password.  If you can, it would be good to split up access levels within the repository so that the documents are grouped by type and only people with the business need to access those documents have the ability to do so.

Do not rely on the built-in password protection of the documents themselves. They can be broken.  (Also, please note, running random software off the Internet is unwise.  It may not work, it may do things other than what you expect, it may give an attacker the very files you are trying to protect.)

If you are somewhat technical or have a technical consultant helping you, you may want to implement an encryption mechanism to protect your documents.  This is highly complex and hard to do right, but it can help more than almost anything else you can do.

Once your documents are all in one place and reasonably protected, stop and think about what to do if someone does access and misuse the document.  Are all of your sensitive documents clearly marked?  Are you certain that the law will protect you if they’re not?  (Sometimes it doesn’t.)  Would marking the documents as “sensitive”, “secret” or “proprietary” just give attackers something to search for?

Hmm, what an interesting problem.

What many companies choose to do is to classify information based on it’s security level. There are different ways to do this, but all of them start with the question “what’s the most important and/or damaging information?”  Once you can group your documents by risk, you stand a chance of protecting them.  Then you can write a document classification policy and start looking at tools to implement it technologically.  These steps are beyond the scope of this post, but your legal and technological contacts can help you with that.

Lastly, I should mention that the easiest data to protect is data that isn’t there anymore.  You might want to read Brett Trout’s post on document retention policies.