"Being aware of your employees is just as important as your security equipment"
These days there are very few companies that do not have mobile workers or employees working from home. Despite the countless advantages the likes of notebooks, PDAs and USB sticks provide, mobile IT equipment can pose a serious security risk.
Stahl, a multinational organisation based in Waalwijk, The Netherlands, has over 40% of its 1,400 employees regularly working from home or via a modem. Therefore, risks to data security are no longer limited to external threats; new risks arise from a company's own employees.
Stahl's Global IT Security Officer, John Verkooijen, believes there is a complete lack of awareness of how much of a threat a company's own employees are to an organisation. Verkooijen says that these days a company must do much more to protect its valuable assets and data.
"Besides the big lock on our front door, we are now putting locks on the back and side doors for added security."
Stahl Holdings offers an extensive range of services and products for leather-working, the coating of flexible and inflexible materials, including shoe leather and footballs, and the treatment of textile products and leather upholstery for the automotive industry. The head office in Waalwijk manages almost 1,000 laptops and desktops spread over nine production sites and 26 technical laboratories in 28 countries. Data security plays a big part in this.
"As with any company, we wouldn't like to see our financial information, confidential data or business strategy in the public domain," continues Verkooijen. "But what we must absolutely protect is our intellectual property, information such as the formulas for our products and associated patented data."
Many employees at Stahl consider mobile storage systems and laptops indispensable for their work. They include sales staff who travel around the world and depend on information, such as customer histories, stored on their laptop or USB stick; technicians who work outside Stahl's own premises; and employees who regularly work from home. This leads to conflicting interests: on the one hand, the need for functional data, and on the other hand, the risk involved in allowing mobile equipment to leave the building. USB sticks in particular require extra care.
A Simple Trick
For some time now, virus scanners and firewalls have been protecting Stahl's data from outside threats, such as competitors or hackers. However, Stahl's own employees are a greater threat. "Experts estimate that some eighty percent of the IT security risk comes from within an organisation," explains Verkooijen. This might be a dissatisfied employee who wants to get back at the boss, or people who have been fired and smuggle sensitive company data out of the office on their last day. "With a USB stick, that's a piece of cake." It was these USB sticks that persuaded Verkooijen to purchase extra security software.
"We saw an enormous increase in the use of USB sticks among our employees," explains Verkooijen. "Other mobile equipment, such as PDA’s and laptops, are also being used more and more frequently. The spectacular increase in the use of USB sticks within Stahl was a new risk that we had to contain. Specifically, it was the increasing capacity of the sticks, the ease and speed with which data could be copied onto them, and the associated risks that made us go looking for software that could protect our data from our own employees." By this, Verkooijen does not mean to say that Stahl's employees deliberately steal company data. "We want to protect ourselves against the risk in any case. It isn't just the employee with a grudge, it's also the ones who are unaware and walk out of the company with sensitive data, breaking company rules about data protection. It's the combination of lack of awareness among employees and the easy availability of data that constitutes the main risk. To keep one step ahead, we’ve decided to implement preventive solutions."
Stahl regularly conducts risk analyses of its company data. These are based on the ISO standards for information security (ISO 27001). An inventory is made of the various ways information can leave the premises, such as through telephone conversations, in written correspondence or through storage systems like memory sticks. It is a matter of constantly looking to see where the risks lie and what measures can be taken to limit them.
Firewalls offer protection from outside threats, but other measures are needed to address the risks from inside the company. "Measures regarding e-mail are easier to devise than measures to contain the risks of memory sticks," explains Verkooijen. "If someone sends large quantities of company data outside the organisation via e-mail, that can be traced. This is harder to do with USB sticks. Many employees can put large quantities of data on a USB stick quickly and walk out of the offices with it unnoticed. This is why we selected SmartLine's DeviceLock software, which monitors the use of USB sticks."
"Quite apart from the fact that the software makes it a lot more difficult to simply steal or use data, it also makes the employees much more aware," according to Verkooijen. "And that's important. Technology alone isn't enough. To achieve optimal security you also have to know why the technology is being used."
Following an evaluation of various suppliers, Stahl finally chose SmartLine's DeviceLock®. "One of DeviceLock's advantages is that you can integrate it with the Active Directory. This makes it possible to manage everything from one point. Verifiability and flexibility also played a part in our final decision."
Stahl will be using DeviceLock® extensively. Ultimately some 1,000 computers and laptops will have the program installed. DeviceLock® ensures that users cannot simply download data from the network and copy it to USB sticks, laptops and other mobile equipment. Stahl operates an internally developed system for granting authorisations. Employees are assigned to groups and, depending on the group, they are allowed read-only access, read-and-write access or no access to removable discs. Those who are not a member of a group are automatically denied all access. Ultimately approval must be given on three levels, on the basis of a workflow model. It is only when the employee's own manager, the local IT coordinator and the 'object owner' (which can be a shared file, an application or a group) have given their permission that the employee is assigned to a group and granted access to the Active Directory environment.
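The authorisation model described above can be expressed as a small policy check. The following is an added example, not Stahl's internal system or DeviceLock code: it models the three-level approval workflow and the default-deny decision for removable storage. The group names, role names and the rule for overlapping memberships are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# All names here are hypothetical. The three roles mirror the approval levels
# in the article; group names and access levels are constructed samples.
REQUIRED_APPROVERS = frozenset({"manager", "local_it_coordinator", "object_owner"})
GROUP_ACCESS = {"usb_read": "read", "usb_read_write": "read_write"}
RANK = {"none": 0, "read": 1, "read_write": 2}


@dataclass
class AccessRequest:
    employee: str
    group: str
    approvals: set = field(default_factory=set)

    def approve(self, role: str) -> None:
        # Reject sign-offs from roles outside the workflow.
        if role not in REQUIRED_APPROVERS:
            raise ValueError(f"unknown approver role: {role}")
        self.approvals.add(role)


class Directory:
    def __init__(self) -> None:
        self.members = {}  # group name -> set of employees
        self.audit = []    # (employee, group, outcome) for later review

    def grant(self, req: AccessRequest) -> bool:
        """Add the employee to the group only after all three approvals."""
        missing = REQUIRED_APPROVERS - req.approvals
        ok = req.group in GROUP_ACCESS and not missing
        if ok:
            self.members.setdefault(req.group, set()).add(req.employee)
        outcome = "granted" if ok else "refused:" + ",".join(sorted(missing))
        self.audit.append((req.employee, req.group, outcome))
        return ok

    def removable_access(self, employee: str) -> str:
        """Default deny. With several memberships the highest level wins
        (an assumption; the article does not say how overlaps resolve)."""
        level = "none"
        for group, people in self.members.items():
            if employee in people and RANK[GROUP_ACCESS[group]] > RANK[level]:
                level = GROUP_ACCESS[group]
        return level
```

The audit list records refused requests together with the approvals still missing, which gives the kind of verifiability Verkooijen mentions as a selection criterion.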
DeviceLock® supports this 'group policy'. Everything was installed and made operational during the month of June. According to Verkooijen this is the security method of the future. "Employees, and the work itself, demand more and more functionality, which generally comes at the expense of security. Conversely, excessively stringent security means less functionality and a loss of efficiency and productivity. You have to weigh up one against the other: what risks do I want to take measures against, and what risks will I accept? Technology can help to find a middle path. A program like DeviceLock, in combination with the authorisation policy in groups and in the workflow, determines who’s allowed to carry data on a USB stick, for example, and who isn't. There's also an extra way of checking up on who takes what home with them. I think we're heading more and more towards portal-type security systems."
According to Verkooijen, IT security is more than just a technical application. Raising employees' awareness is at least as important. He uses the term 'integral security.'
"This is security throughout the whole company. It can also be seen in the regulations governing company data that every Stahl employee has to sign. This is a shared responsibility of the Human Resources and IT departments. Making employees aware of security risks, and keeping them aware, is essential."