The release of sensitive information by Web site WikiLeaks has caused national and international outcry, but should serve as a reminder to government and private corporations alike about the importance of securing electronic information, said Steve Salinas, product marketing manager of the forensic business unit for Guidance Software, a provider of digital investigations.
“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” he said. “Organizations are very aware that they need to have solutions in place beyond typical antivirus or firewall software to help control and protect their intellectual property.”
While controlling electronic data on the network was once considered the responsibility of a company’s IT department, it now spans all divisions, including physical security. Jon Oltsik, principal analyst for Enterprise Strategy Group, a full-service IT analyst and business strategy firm, said there is growing cooperation between physical security and IT security. “Those two disciplines are coming together and are complementing each other. Security is security. It’s there to protect people and property and systems and it’s imperative the two work together,” he said.
But what role can security practitioners have in monitoring electronic data? Stay vigilant, said Oltsik. “In terms of physical security look out for anomalous behavior. An employee shows up on a couple Saturdays and Sundays and they’ve never done that before, those are things to look for,” he said. Once security professionals have identified unusual behavior, they can then work with the IT department to correlate physical behavior with electronic behavior to see if there’s also something unusual happening there.
This cooperation between IT and physical security is becoming more prominent in the work place. “As time goes on, physical security is more and more intertwined with cyber security,” said Jim Miller, manager of corporate security for NiSource, a distributor of electricity, natural gas and water in the Midwest and Northeast.
While Miller said he’s seen an increase in security professionals being able to speak the language of IT, he expects those roles to remain separate. “More and more I’m seeing people with an aptitude for both, but they still need to deploy experts in each of these areas,” he said. “It’s hard to be an expert in both.” In the last five years, he has seen more security professionals become responsible for both functions, security and IT, but there still needs to be specialized experts in each department for full coverage.
The most important step is determining the most valuable assets of a company. “First and foremost it’s critical to understand what’s important and what’s not,” said Miller. “You have to inventory and understand where your crown jewels are and understand the information and processes involved, whether it’s a piece of code or a facility.” From there, a corporation needs to conduct a vulnerability and risk assessments of those assets.
Miller said as an energy company protecting its hard assets, like its electric substations, is critical to the organization. However, it’s also important to protect assets that exist in electronic format such as blueprints of its facilities as well as its customer data.
Oltsik said companies should use the principle of least privileges, meaning only those who need access to certain information have it, but those who don’t need it, don’t have access. It’s also important for a company to limit the number of people who have access to critical information. Then, once those privileges are determined, organizations should monitor what employees are doing with the information. Are they saving information to laptops unnecessarily? Are they transferring information to thumb drives? It’s also important to set up controls. For example, a company should set up controls that employees can’t email certain types of files to email addresses outside of the company or only approved USB drives can be inserted and used to transfer information on company computers.
And finally, it’s critical for companies to educate employees about these policies and enforce compliance. “A lot of company’s create policies, but don’t educate the end user on the policy and the objective of the policy along with the consequences of violating policy,” said Oltsik.
But, it’s also important for employees to feel like an employer trusts them. “The last thing a company wants to do is make employees feel like they are constantly being monitored,” said Salinas.