This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.
Prevention

Prevention of information theft requires a wide range of countermeasures. Some are preventative, some detect theft attempts and others provide a means to recover.

If you suspect that someone has attempted to steal information, you may find our Theft Recovery and Incident Response pages useful.

A common analogy amongst information security specialists is to view security as an onion, with each layer of the onion depicting a barrier to a would-be intruder. Using this model, the main layers would probably be:

It is essential to remember that no single set of controls will provide a solution. In most cases, a balance of physical, technical and people-based controls provides the answer.

Few problems have single causes. To protect information properly, you need multiple defences. If you are concerned about the risks for your company, check our Theft Risk page.

The following basic steps can be taken quickly to reduce the likelihood of information theft:

  • Make sure you know the sensitivity of your company information - consider performing a formal risk analysis
  • Make sure your people know what's at risk. If they routinely handle sensitive information, make sure they know how it should be handled - and what the consequences for disclosure are
  • Establish appropriate physical security controls
  • Use logical access control whenever possible; make sure people understand any password rules and that each individual has their own ID
  • If sensitive computer information is likely to be carried outside your company premises, consider using cryptography as a means of protecting it
  • Think about encrypting your company's laptop hard discs
  • Harden your computer systems using the appropriate technical builds
  • Consider performing (perhaps using a third party) a penetration test to highlight your strengths and weaknesses
  • Consider installing an Intrusion Detection System

Physical Security

Physical security is an effective but often overlooked way of keeping information safe.

By preventing direct access to a paper file, or preventing access to a computer workstation, you can stop many theft attempts in their tracks.

Physical controls need not depend on a single barrier, such as a turnstile and a security guard at the front door. You can 'double-up' by providing additional security around sensitive areas, such as equipment rooms.

Prevent casual access to sensitive departments such as Human Resources and, on a smaller scale, use lockable filing cabinets and safes to protect valuable items and information.

For more information on physical security, check the Physical Security page. This includes information on protecting items like laptops and mobile telephones.

Technical Controls

There is a multitude of technical tools and techniques to protect information from theft. These include:

  • Logical access control
  • Cryptography
  • Hardening of systems
  • Penetration testing
  • Intrusion Detection Systems (IDS)

Your choice of control tool or technique is fundamental, and should be based on risk management. There are other constraints and conditions (such as your company's technical configuration) that limit your choice, but the most important thing is to choose appropriate controls to meet the risk.

Part of the risk management process should consider the environment. Information might be safe when manipulated and stored on an in-house local network. But it could become vulnerable when stored on a laptop used by a manager who often works from home.

People-based Controls

The most common people-based controls are:

There is no stronger control than an informed, attentive and motivated employee. Such employees are able to spot anomalies and other odd events much better than automated systems.

Contracts and Non-Disclosure Agreements are powerful preventative controls, as they make it clear to any employee or contractor what is and is not permitted. They can also be used retrospectively in the event of an incident as part of the recovery process.