"Being aware of your employees is just as important as your security equipment"
The problem
These days there are
very few companies that do not have mobile workers or employees working
from home. Despite the countless advantages the likes of notebooks, PDAs
and USB sticks provide, mobile IT equipment can pose a serious security
risk.
Stahl, a multinational organisation based in Waalwijk, The
Netherlands, has over 40% of its 1,400 employees regularly working from
home or via a modem. Therefore, risks to data security are no longer
limited to external threats; new risks arise from a company's own
employees.
Stahl's Global IT Security Officer, John Verkooijen,
believes there is a complete lack of awareness of how much of a threat a
company's own employees are to an organisation. According to Verkooijen,
a company must now do much more to protect its valuable assets
and data.
"Besides the big lock on our front door, we are now
putting locks on the back and side doors for added
security."
Stahl Holdings offers an extensive range of services
and products in the field of leather-working, coating of flexible and
inflexible materials, including shoe leather and footballs, and treating of
textile products and leather upholstery for the automotive industry. The
head office in Waalwijk manages almost 1,000 laptops and desktops spread
over nine production sites and 26 technical laboratories in 28 countries.
Data security plays a big part in this.
"As with any company, we
wouldn't like to see our financial information, confidential data or
business strategy in the public domain," continues Verkooijen.
"But what we must absolutely protect is our intellectual property,
information such as the formulas for our products and associated patented
data."
Many employees at Stahl consider mobile storage systems
and laptops indispensable for their work. These include sales staff who
travel around the world and depend on information, such as customer
histories, stored on their laptop or USB stick; technicians who work
outside Stahl's own premises; and employees who regularly work from home.
This leads to conflicting interests: on the one
hand, the need for functional data, and on the other hand, the risk
involved in allowing mobile equipment to leave the building. USB sticks in
particular require extra care.
A Simple Trick
For some time now, virus scanners and firewalls have
been protecting Stahl's data from outside threats, such as competitors or
hackers. However, Stahl's own employees are a greater threat. "Experts
estimate that some eighty percent of the IT security risk comes from within
an organisation," explains Verkooijen. This might be a dissatisfied
employee who wants to get back at the boss, or people who have been fired
and smuggle sensitive company data out of the office on their last day.
"With a USB stick, that's a piece of cake." It was these USB
sticks that persuaded Verkooijen to purchase extra security
software.
"We saw an enormous increase in the use of USB sticks
among our employees," explains Verkooijen. "Other mobile
equipment, such as PDAs and laptops, is also being used more and more
frequently. The spectacular increase in the use of USB sticks within Stahl
was a new risk that we had to contain. Specifically, it was the increasing
capacity of the sticks, the ease and speed with which data could be copied
onto them, and the associated risks that made us go looking for software
that could protect our data from our own employees." By this,
Verkooijen does not mean to say that Stahl's employees deliberately steal
company data. "We want to protect ourselves against the risk in any
case. It isn't just the employee with a grudge, it's also the ones who are
unaware and walk out of the company with sensitive data, breaking company
rules about data protection. It's the combination of lack of awareness
among employees and the easy availability of data that constitutes the main
risk. To keep one step ahead, we’ve decided to implement preventive
solutions."
ISO
Stahl regularly
conducts risk analyses of its company data. These are based
on the ISO standards for information security (ISO 27001). An inventory is made
of the various ways information can leave the premises, such as through
telephone conversations, in written correspondence or through storage
systems like memory sticks. It is a matter of constantly looking to see
where the risks lie and what measures can be taken to limit
them.
Firewalls offer protection from outside threats, but other
measures are needed to address the risks from inside the company.
"Measures regarding e-mail are easier to devise than measures to
contain the risks of memory sticks," explains Verkooijen. "If
someone sends large quantities of company data outside the organisation via
e-mail, that can be traced. This is harder to do with USB sticks. Many
employees can put large quantities of data on a USB stick quickly and walk
out of the offices with it unnoticed. This is why we selected SmartLine's
DeviceLock software, which monitors the use of USB
sticks."
"Quite apart from the fact that the software makes
it a lot more difficult to simply steal or use data, it also makes the
employees much more aware," according to Verkooijen. "And that's
important. Technology alone isn't enough. To achieve optimal security you
also have to know why the technology is being used."
Following
an evaluation of various suppliers, Stahl finally chose SmartLine's
DeviceLock®. "One of DeviceLock's advantages is that you can integrate
it with the Active Directory. This makes it possible to manage everything
from one point. Verifiability and flexibility also played a part in our
final decision."
Groups
Stahl will be
using DeviceLock® extensively. Ultimately some 1,000 computers and laptops
will have the program installed. DeviceLock® ensures that users cannot
simply download data from the network and copy it to USB sticks, laptops
and other mobile equipment. Stahl operates an internally developed system
for granting authorisations. Employees are assigned to groups and,
depending on the group, they may or may not be allowed to read or read and
write on removable discs. Those who are not a member of a group are
automatically denied all access. Ultimately approval must be given on three
levels, on the basis of a workflow model. It is only when the employee's
own manager, the local IT coordinator and the 'object owner' (which can be
a shared file, an application or a group) have given their permission that
the employee is assigned to a group and granted access to the Active
Directory environment.
DeviceLock® supports this 'group policy'.
Everything was installed and made operational during the month of June.
According to Verkooijen, this is the security method of the future.
"Employees, and the work itself, demand more and more functionality,
which generally comes at the expense of security. Conversely, excessively
stringent security means less functionality and a loss of efficiency and
productivity. You have to weigh up one against the other: what risks do I
want to take measures against, and what risks will I accept? Technology can
help to find a middle path. A program like DeviceLock, in combination with
the authorisation policy in groups and in the workflow, determines who’s
allowed to carry data on a USB stick, for example, and who isn't. There's
also an extra way of checking up on who takes what home with them. I think
we're heading more and more towards portal-type security
systems."
According to Verkooijen, IT security is more than
just a technical application. Raising employees' awareness is at least as
important. He uses the term 'integral security.'
"This is
security throughout the whole company. It can also be seen in the
regulations governing company data that every Stahl employee has to sign.
This is a shared responsibility of the Human Resources and IT departments.
Making employees aware of security risks, and keeping them aware, is
essential."