9 Ways to Prevent Information Leakage

blog

Although the spread of the internet has made information management more important than ever, there have been many cases of information leakage due to delays in response. When it occurs, not only is the organization’s reputation tarnished, but it may also result in claims for damages and other problems that could affect the continued existence of the business.

To remove the above risks, it is important to take measures in advance. This article therefore explains the key points of information leakage countermeasures and the main causes of their occurrence.

Countermeasures

blog

Companies manage a great deal of highly confidential information, and once leaked, the consequences are immeasurable. It may result in loss of trust from business partners and payment of large amounts of compensation for damages. To prevent such a situation, stay alert against the factors as follows.

<Countermeasures>

Object Countermeasures
Employees Develop guidelines and rules
Conduct training
Lock device and location
Implement a system to prevent misdirected emails
Protect information from a malicious third party
Prohibit individual dissemination of information
Outsiders Manage confidential information
Software Security
Perform regular system updates and vulnerability checks

Countermeasures for Employees

Develop guidelines and rules

In order to prevent human errors, each organization has responsibilities to develop and apply company-wide guidelines and rules. The policy indicated by management and the operational issues in the field should be reconciled from both sides. The templates produced by SANS will be a big help when developing them.

Reference: Security Policy Templates|SANS

Conduct training

Information security training plays an important role to increase employees’ knowledge and bring security awareness to them. Human errors are the most common factors of information leakage, and regardless of the divisions or positions, it is important to tell all employees about the risks, which will be the shortest way to avoid damages toward your organization.

Lock device and location

Losing digital devices is terrifying in that they include confidential information. Device and location lock is an essential element to prevent the risk.

Establishing operational rules is the key if there is an unavoidable need to take out or bring in work or to introduce a teleworking system. This may include obtaining permission from the responsible person, limiting devices and locations, and so on.

Implement a system to prevent misdirected emails

System implementation will help you prevent misdirected emails and incomplete attachments. In most cases, such system includes automatic sending after approval by the superior, automatic CC of the recipient, reconfirmation before sending, and so on, and these functions are effective for protecting confidentiality.

Protect information from a malicious third party

A malicious third party is a threat for information leakage. Are there any restrictions to access data? If anyone can access the environment, download data, or even just read some documents, all of the elements can cause the information leakage.

Keep documents out of view and set screensaver for computers when you leave your desk. As for disposing of digital devices and credit cards, physical destruction is the ultimate way to prevent the leakage. Establish such company wide rules after careful consideration.

Prohibit individual dissemination of information

Even if information is handled and disposed properly at a site, there are cases in which an employees’ daily action can lead to information leaks. For instance, their posts on social networking services (SNS), blogs, or in conversations with employees of other companies could be causes. Imagine how important conducting employee training is to ensure confidentiality.

Back to Contents

For Outsiders

Manage confidential information

ID and password management is indispensable for avoiding increasingly sophisticated external attacks. Thoroughly implement measures such as using hard-to-guess combinations like names, avoiding multiple use with other devices, managing them in locations that are invisible from others, and so on.

Software Security

Security software is effective in preventing the leakage of personal information due to cyber-attacks, as it can deal with new methods that standard OS functions have difficulties with controlling, thereby it will result in reducing the risk of security incidents. Make sure to update the files to keep up with the ever-evolving methods and computer viruses.

Regular updates and check for vulnerabilities

In many cases, attacks from outside parties target vulnerabilities in systems and applications. Therefore, regular system updates and vulnerability checks are necessary to prevent information leaks by outsiders.

In the unlikely event that a vulnerability is discovered, check the degree of danger and impact, and take appropriate action by installing new security tools, suspending use or enhancing the system features.

Back to Contents

Main Causes

blog

The main causes of information leaks can be categorized as human error or intentional misconduct by internal staff and malicious attacks from outside. We provide specific examples of each.

<Examples>

class main causes source factors
internal human error - lost or misplaced recording media
- careless conversation in public places or social networking sites
- mishandling of emails and systems
- employees
- retirees
- outsourcing employees
- part-time employees
- contractors, etc.
- carelessness
- lack of knowledge
intentional - unauthorized transmission of data
- manipulation
- economic reasons
- dissatisfaction with the organization, etc.
external Malicious Attacks - cyber attack
- malware infection
- eavesdropping and theft
- attackers
- threat actors
- hackers, etc.

Internal Human Error

Information leaks due to internal human error are mainly caused by misplaced or lost recording media such as laptops, documents, and USB memory sticks, as well as mishandling of emails such as wrong destinations or attached files.

Inadvertent conversations in public places also can be the cause. For instance, office building, elevator, cafe, pubs, etc., confidential information will be revealed to a third party in such locations if you are not aware of the threat. Avoid talking about your organization including the management and new products or services.

Other potential sources include inadvertent transmission on social networking services, such as posting confidential information prior to release or personal information about customers. Even if anonymous, be aware of the risk of identifying the sender and the organization to which you belong from the content of the message.

Internal Intentional Factor

Internal intentional leaks of information may include unauthorized transmission of data and manipulation by retirees. This may be due to economic reasons or distrust or dissatisfaction with the organization.

External Malicious Attack

Typical causes of information leaks due to external attacks are unauthorized access and malware infection. Malware refers to malicious programs or software that cause terminal malfunctions or information leaks. Targets are personal and customer information, misuse of IP addresses, and other occurrences. Beside that, pay attention to office eavesdropping and theft to protect confidential information.

Back to Contents

When Information Leakage Occurs

blog

In the event of an information leakage, immediate action is required to minimize the damage. This section provides a step-by-step explanation of how to respond in the event.

Step 1: Confirmation and Prompt Report

First, when you identify any signs or effects of an information leakage, immediately report it to the person responsible. Establish a structure in your organization to respond led by the person in charge, as well as policies and details of the primary response. Do not delete emails or files or perform any other unintentional operations so as not to erase evidence that may provide clues to the cause of the leakage.

Step 2: Prevent Secondary Damage

Next, first measures should be taken to prevent the information leakage from spreading and causing secondary damage. It will be considered to shut down the network system or suspending services. In the event of a personal information leakage, the affected party may be contacted and asked to change their password or stop using the service.

Step 3: Conduct a Reasonable Investigation

The next step is to investigate the cause. From a perspective 5W1H method, investigate the facts regarding the matter and try to secure evidence. When countermeasures have been clarified, companies are also required to promptly disclose the information to reduce the number of similar cases of damage.

Step 4: Announcement to the Relevant Authorities

When information leakage occurred, consider whether or not to report the incident to business partners, consumers, or the relevant ministries and agencies, or to make a public announcement. If transaction or personal information has been leaked, unless there is a specific reason to the contrary, notify business partners and the individual concerned, apologize, and alert them to secondary damage.

If the number of people are involved or the damages is remarkably diverse, announcements may be made on the website or at a press conference. In addition, if you face a request for money or suspection of unauthorized access, a prompt report to the police is indispensable.

Step 5: Take Prevent Measures

The final step is to take prevent measures based on the investigation report. There may be some cases to discuss the disposition of employees or compensation for damages to the suspect.

Back to Contents

Summary

Any conpany has possibilities that information leakage occurs. Since there are various potencial causes such as inadvertent actions by internal employees or cyber attacks, exhaustive measures must be taken to prevent leaks. Take this opportunity to implement information leakage countermeasures and reduce security risks in your organization.

As written above, countermeasures for employees play integral roles. Our elearning system, learningBOX, will be a big help to enhance employees' awareness toward information leakage and the risks. Create your own course or quizzes according to the company guidlines and rules, and implement them as in-house employee training.

Since auto-scoring system and data analysis are included as defaut, you can visualize each employee's progress. Check how much they understnad the threat of information leakage and minimize the risk.


 learningBOX

Our learningBOX offers solutions for any size of companies.
Try our Free Trial. It is free up to 10 accounts without expiration date.


▼You may also like:

thumbnail (i.e. miniature image)

Free Information Security Training|learningBOX ON

If you want to implement information security training through e-learning, you can use learningBOX ON!

Back to Contents Back to Article List
How can we help you?