Australian businesses must get more proactive about identifying potential breaches of sensitive credit-card, healthcare and other information before it's exfiltrated from the company, according to one vendor who says sensitive data – and, often, the laptops they're stored on – are disappearing from Australian businesses at a surprising rate.
Although lost laptops during nationwide asset transfers are nothing new, many recent investigations have uncovered employees who have been harvesting sensitive data from company devices, says Rick Ferguson, regional sales manager with Cylance and former country manager of endpoint-security firm Absolute Software.
Use of the company's geofencing technology, Ferguson said, helped one Australian customer trace an employee who was in the process of leaving the company and said he had returned his system but was in fact using it at his home well outside of the city. Another company was noticing that 80 laptops might be sent from Sydney to Melbourne but only 75 would arrive; by installing geofencing software when the devices were configured, it became easy to figure out where they were ending up – and the thefts stopped.
Such proactive tracking has become critical for companies concerned not only about their valuable assets going missing, but about the massive volume of data that is stored on them and – whether intentionally or accidentally – leaked outside the company by company insiders.
“These kinds of things are real and they're happening in Australia,” Ferguson recently told CSO Australia. “Data breaches have become a permanent cost that organisations need to be prepared to deal with, and to incorporate in their data protection strategies.”
With online business meaning that most companies are floating on an ocean of sensitive data, such endpoint protection – which also includes the ability for devices to be searched for credit-card numbers or certain other types of sensitive information – is becoming a key enforcement tool for companies to meet their Privacy Act obligations as well as the requirements of data-protection standards like the Payment Card Industry Data Security Standard (PCI DSS).
Expanded endpoint-security monitoring is only one approach to better data security: for its part, security provider Tenable Network Security recently released its own take on PCI enforcement with the launch of its Tenable Continuous PCI Compliance Monitoring tool, which continuously monitors 75 percent of PCI DSS controls and reports on the company's compliance at any given point in time.
“Organisations, from big retailers to credit card payment processors, are targeted daily by cybercriminals because of the large amount of sensitive data passing through their networks and point-of-sale systems,” Tenable chief product officer Dave Cole said in a statement.
“Retailers can minimise the likelihood of a breach by integrating continuous PCI compliance monitoring into their overall security strategy, but too many organisations view PCI as a burden and treat compliance like a once-a-year project. Tenable makes it easy for security teams to deploy a comprehensive security program to adhere to compliance requirements, but more importantly, to better protect customer data from breach and theft on an ongoing basis.”
Recent studies suggest that potential compromises of sensitive data are a growing concern for a populace that is rapidly moving to embrace mobile commerce. The recent PayPal mCommerce Index, for example, found that 71 percent of Australian respondents were using their mobiles for making payments, and that 22 percent spend more than $500 per month via their mobiles.
Data security was a significant concern for mobile and potential mobile shoppers, with 46 percent citing it as a reason they weren't shopping online from their mobiles; those indicating security was a concern spent 24 percent, on average, less than those were did not.
Even as mobile shoppers rally around security as a key enabler for commerce, a recent Mimecast survey found that 91 percent of businesses recognise malicious insiders as a major threat to the company's security. Despite this, 40 percent of the Mimecast respondents said their business was unprepared to deal with those threats.
Ferguson highlighted five key areas to help businesses leverage their endpoint protection strategy to better protect internal data. These include user education; the ability to geotrack company assets that contain sensitive information; clear policies about employee use and movement of mobile assets; careful control over installed applications; and the ability to remotely audit installed applications, wipe and disable devices remotely, monitor remote usage through regular screenshotting, and encrypt data on remote devices as necessary.
“If you've put these measures in place, when it comes to cleaning up a breach or potential fines, you can demonstrate that you mitigated against those actions,” Ferguson said. “The software is out there and this can be done – but it needs to be done before the event and not after.”