Information Leakage Countermeasures: Causes and Solutions
Information leakage risks are a constant concern for all companies, regardless of industry or sector. To minimize the damage from potential or actual information leaks, it is crucial to develop thorough countermeasures in advance.
This article explains the causes and risks of information leakage, and the key points to consider when implementing information leakage countermeasures. We will also briefly introduce how to respond in the event of an incident, so please read on.
Table of Contents
- Risks of Information Leakage
- Key Points for Information Leakage Countermeasures
- How to Respond to Information Leakage
- Summary
1. Risks of Information Leakage
There are three main types of information leakage: “Confidential Information Leakage,” “Customer Information Leakage,” and “Personal Information Leakage.” All of these can cause significant damage and must be strictly managed.
For example, the following risks are associated with confidential information leakage:
Risks of Confidential Information Leakage
- Loss of competitive advantage due to leaked business strategies
- Loss of market share to similar products developed based on leaked product information
- Damage to the company’s reputation due to perceived lack of information management capabilities
The main risks associated with customer and personal information leakage are as follows:
Risks of Customer and Personal Information Leakage
- Penalties under personal information protection laws
- Loss of trust from customers and society
- Loss of customers
- Suspension of business transactions
- Lawsuits
- Stock price decline
- Financial compensation
- Decreased future profits and sales
- Significant time, cost, and personnel required for post-incident response
1-1. Causes of Information Leakage
According to statistics released by Tokyo Shoko Research in 2021, the top four causes of information leakage at listed companies and their subsidiaries are as follows:
| Cause | Share of incidents |
|---|---|
| Virus Infection/Unauthorized Access | 49.6% |
| Misdisplay/Misdelivery | 31.3% |
| Loss/Improper Disposal | 11.6% |
| Theft | 5.8% |
More than 80% of information leakage incidents occur via the internet, highlighting the importance of cybersecurity measures.
2. Key Points for Information Leakage Countermeasures
For information leakage via the internet, introducing information security software and tools is effective. At the same time, it is necessary to give sufficient security education to the people who handle information, and to establish a management structure that defines the key rules and communicates them thoroughly.
Here are seven key points for information leakage countermeasures.
2-1. Be Careful About Taking Data Out
To prevent information leakage, it is important to prevent information that should remain within the company from being taken outside. First, aim to establish internal rules for handling information.
Examples of Rules Regarding Taking Data Out
- Separate business and personal devices/addresses
- Do not take company computers or memory devices outside the company
- Use double locks on devices used outside the company
- Do not allow others to touch business devices
- Encrypt data taken outside the company
- Always obtain permission before sending data externally
- Do not use online storage not designated for business purposes
- Do not conduct business in undesignated or unauthorized locations
2-2. Be Careful About Leaving Data Unattended
Leakage also occurs when company or organization information is left unattended. Typical countermeasures include the following rules:
Examples of Rules Regarding Leaving Data Unattended
- Do not leave business smartphones unattended while charging
- Lock computers even for short absences
- Do not leave printed documents unattended
- Do not leave documents or memory devices unattended when leaving or going home
- Lock shelves storing documents and memory devices
- Do not leave business memos or notes in visible places
- Do not stop off elsewhere while carrying business devices or documents, and never leave them unattended
2-3. Be Careful About Discarding Data
There are many examples of leakage accidents caused by carelessness when disposing of information assets.
Even after information is no longer needed for business purposes, it is necessary to thoroughly manage documents and devices containing important information.
Examples of Rules Regarding Disposal
- Do not leave documents, devices, or memory devices scheduled for disposal in places where anyone can see them
- Do not dispose of items containing information assets with general waste
- Erase hard disks of computers and servers before disposal
Particular attention should be paid to the fact that “initialization (formatting) does not erase data”: a format rewrites only the file system’s metadata, and the data blocks themselves remain readable until they are overwritten. Either outsource erasure to a specialized vendor or train personnel within the company to handle it.
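The following is an added illustration of this point, not code from the original article: it models a tiny block device with a directory table in block 0 and data blocks after it. A “quick format” clears only the directory, so the file disappears from the listing but a raw scan of the image (the way data-recovery tools work) still finds the record; overwriting every block removes it. The disk layout, block size and the customer record are all constructed for this demo and do not correspond to any real file system.

```python
"""Toy block device showing why a quick format does not erase data."""
import os

BLOCK_SIZE = 32
NUM_BLOCKS = 32

# Constructed sample record standing in for real customer data.
SENSITIVE = b"CUSTOMER:Alice Tanaka,ACCT 1234-5678"


class ToyDisk:
    """Block 0 holds a directory ("name:start:len;" entries); data follows."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.next_free = 1  # block 0 is reserved for the directory

    def _directory(self):
        raw = bytes(self.image[:BLOCK_SIZE]).rstrip(b"\x00")
        entries = {}
        for item in raw.split(b";"):
            if item:
                name, start, length = item.split(b":")
                entries[name.decode()] = (int(start), int(length))
        return entries

    def _write_directory(self, entries):
        raw = b"".join(f"{n}:{s}:{l};".encode() for n, (s, l) in entries.items())
        assert len(raw) <= BLOCK_SIZE, "toy directory is a single block"
        self.image[:BLOCK_SIZE] = raw.ljust(BLOCK_SIZE, b"\x00")

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        start = self.next_free
        self.next_free += needed
        off = start * BLOCK_SIZE
        self.image[off:off + len(data)] = data
        entries = self._directory()
        entries[name] = (start, len(data))
        self._write_directory(entries)

    def read_file(self, name):
        start, length = self._directory()[name]
        off = start * BLOCK_SIZE
        return bytes(self.image[off:off + length])

    def list_files(self):
        return sorted(self._directory())

    def quick_format(self):
        """What a typical 'initialize/format' does: rewrite metadata only."""
        self.image[:BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.next_free = 1

    def secure_wipe(self):
        """Overwrite every block, metadata and data alike, then format."""
        self.image[:] = os.urandom(len(self.image))
        self.quick_format()


def carve(disk, needle):
    """Raw scan of the whole image, ignoring the directory entirely."""
    return bytes(disk.image).find(needle) != -1


def demo():
    """Return (files listed, record still present) after format and after wipe."""
    disk = ToyDisk()
    disk.write_file("customers.csv", SENSITIVE)
    disk.quick_format()
    after_format = (disk.list_files(), carve(disk, SENSITIVE))

    disk = ToyDisk()
    disk.write_file("customers.csv", SENSITIVE)
    disk.secure_wipe()
    after_wipe = (disk.list_files(), carve(disk, SENSITIVE))
    return after_format, after_wipe


if __name__ == "__main__":
    fmt, wipe = demo()
    print("after quick format: files", fmt[0], "record recoverable:", fmt[1])
    print("after full overwrite: files", wipe[0], "record recoverable:", wipe[1])
```

The model deliberately stops at magnetic-disk behaviour. On SSDs and USB flash media the controller’s wear levelling means an overwrite issued by the host is not guaranteed to reach every physical cell, so the practical options there are the drive’s built-in secure-erase command, physical destruction, or having used full-disk encryption from the start and destroying the key.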
2-4. Do Not Bring Data In
In addition to taking data out of the company, thorough rules are needed for bringing data in.
This applies not only to physical devices such as computers, but also to programs and viruses brought in from outside.
Examples of Rules Regarding Bringing Data In
- Do not connect personal devices/memory devices to the company network
- Do not download programs that are not necessary for business
- Do not use data, programs, Wi-Fi, online services, memory devices, or cards that are not designated for business or have not been authorized
- Do not browse websites unrelated to business
- Do not use business addresses for personal use
- Always keep device OS, applications, and security software up to date
2-5. Be Careful About Lending, Borrowing, and Transferring Data
Not only the devices used for business, but also the lending, borrowing, and transferring of individually assigned privileges for programs and servers require attention. When privileges are passed around informally because people are “busy” or the procedures are “troublesome,” the number of people holding privileges they were never authorized for grows, and that leads to information leakage.
Examples of Rules Regarding Lending, Borrowing, and Transferring
- Do not share IDs or passwords without permission
- Do not reuse the same ID or password
- Do not write down IDs or passwords in visible places
- Promptly revoke the privileges of people who do not need them for business purposes
2-6. Do Not Publicly Disclose Information
Although the image of “confidentiality obligations” is strong for doctors and lawyers, it is fundamental in every company to “not divulge information learned in the course of business.”
In general companies, awareness of confidentiality obligations may be weak, so regular reminders and internal education are necessary.
Examples of Rules Regarding Public Disclosure of Information
- Do not post company information on social networking services (SNS) or bulletin boards
- Do not air complaints about superiors or colleagues in bars and similar places
- Do not make phone calls containing business information in public places
- Do not provide information to parties whose identity cannot be verified
2-7. Report Problems Immediately
No matter how strict the rules, management mistakes and troubles cannot be prevented completely as long as people are involved in the operation. Create rules in advance so that damage is minimized when an emergency does occur.
The worst thing to do is to conceal the fact that information leakage has occurred. The longer a leak goes unaddressed, the wider the scope and the greater the size of the damage. In addition to thoroughly enforcing the rule that “people who cause information leakage or discover it must report immediately,” it is also important to create a system that makes it easy to share the situation.
3. How to Respond to Information Leakage
Although the details of the response will differ depending on the type of information leakage, the basic response methods are the same.
| Step | Phase | Action |
|---|---|---|
| 1 | Discovery/Reporting | If information leakage is discovered, prompt reporting and preparation for response are required. |
| 2 | Initial Response/Situation Assessment/Start of Investigation | Set up a response headquarters and take emergency measures to establish basic response policies and prevent the spread of damage. |
| 3 | Notification/Reporting/Public Announcement/Continued Investigation | Continue the investigation in cooperation with each department, and notify, report, and announce the information leakage. |
| 4 | Suppression Measures/Recovery/Continued Investigation | Take measures to suppress the spread of damage caused by the information leakage and to restore what is necessary for recovery. |
| 5 | Post-Incident Response/End of Investigation | Troubleshooting and investigation are completed after considering future countermeasures. |
Summary
Information leakage is an accident that can happen to any company. If information leakage occurs, there is a risk that not only will trust from customers and society decline, but also significant damage will continue for a long period of time.
In order to reduce the possibility of information leakage, in addition to ensuring that employees thoroughly follow information security rules, it is also important to create a highly reliable security environment. If you are looking for a security system that is easy to understand, comfortable to operate, and has advanced technology, while also being cost-effective, please contact globalsupport@jiran.com.