Protecting data from theft in a small business

Hi ,

One of my clients is currently reviewing one of their employees for discipline. I am concerned that the employee may be disgruntled and try to do some damage.
Namely copying the contents of the Dropbox Pro which contains all the company data to perhaps a USB stick and taking away with them. This is an unusual situation as its a small company of 5 employees. But i want to try and protect the data from theft. Of course without proof there is nothing i can do. Apart from locking USB ports , is there any logging software that can track the movement of files such as copying and pasting on Windows?

Thanks
D
DominicIT ConsultantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PerarduaadastraCommented:
There are numerous such utilities available; search for "file access monitoring" to see if anything is on offer that fits your situation.

In the meantime, would restricting the user's Dropbox access to read-only be any help?
0
SoHandyCommented:
Again with the help of software you could disable usb ports. Not going to stop someone if they are somewhat IT literate, they could get the files off using a different method, ie their own dropbox or equivalent
you can disable USB ports also via group policy locally on a pc

But file access software too as previous post mentioned it all requires some sort of investment, but most small companies couldnt afford a lot of these software packages
0
EirmanChief Operations ManagerCommented:
I haven't used it but LOCKLIZARD looks very promising.
It's DRM based and is quite expensive.

https://www.locklizard.com/stop-copying-downloading-emailing/

REVIEWS
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

McKnifeCommented:
Win 8 and Win10 offer removable storage monitoring. Are these OS' in use?
0
Radhakrishnan RSenior Technical LeadCommented:
Hi,

The default windows event logs doesn't have modify/copy monitoring features, you need rely on 3rd party tools as you mentioned. Even though you blocked the USB ports, the user still can copy across to some other destination like cloud, dropbox etc. So, the only way to use an agent which can be monitor whenever they touch any files from the local or network folders. You can try the below agent but it's a cost option.
https://www.varonis.com/products/datadvantage/
0
McKnifeCommented:
"The default windows event logs doesn't have modify/copy monitoring features" - that's incorrect. Reading and writing can both be monitored. It's off by default, that's all.
0
Radhakrishnan RSenior Technical LeadCommented:
Windows file activity events like Create vs Modify, missing information failures (in case of an operation that was rejected due to insufficient permissions), Cut and Paste, these type of activities can't monitored via event logs even though you enable security audit.
0
McKnifeCommented:
Look, if you want to monitor writing files to USB-drives, you can do it with auditing. We do it.
0
EirmanChief Operations ManagerCommented:
The problem with Logging is .....
That they are viewed after the event and that irretrievable damage may already have been done.

You could be locking the stable door after the horse has bolted!

It's like watching a CCTV recording of thieves carrying all your valuables away.
You might catch the thieves but you'll never get your stuff back.
=========================================================
I don't know what type of data we are dealing with here.
It may be convenient, but, is it really necessary to keep sensitive information on dropbox.

How about categorising your data locally and have the really critical information
accessable on a dumb terminal (no internet/usb/writer)

Use dropbox for strongly encrypted backups.
0
McKnifeCommented:
Eirman, he is not concerned about the past but about the future.
USB monitoring: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-removable-storage
0
EirmanChief Operations ManagerCommented:
Eirman, he is not concerned about the past but about the future.
@McKnife - That's patently clear. Please re-read my previous post which relates solely to the future ....

Dominic Said ....

I am concerned that the employee may try to do some damage - Namely copying the contents of Dropbox


Logging is no protection against future copying.
Securing your data/hardware now is the only way.
0
McKnifeCommented:
Right. I misunderstood and thought you were thinking that he tried to get info about things that had been copied in the past :-) Sorry.
Your warning perfectly applies, agreed.
0
DominicIT ConsultantAuthor Commented:
Thanks for all responses and hot debate.
Essentially, i want to skip locking down USB ports. Its hassle and in any case like you said its easy to copy data elsewhere.
In an ideal world something that would have monitored file copying would have been ideal. Yes i am of course interested in implementing security from the ground up but right here right now i cannot break down the infrastructure - it needs planning. Yet i have this situation in my hands where existing data may be stolen. So i was interested in logging because then i can check through after and prove if something has been done covertly, the employee could be easily traced. I was even considering installing some form of software that records the screen, however i realise this could be controversial and likely bandwidth/disk space heavy.
With GDPR round the corner i am keen to move the important data onto a safer and more hierarchical Cloud service where i can allocate access via permissions, this would save a lot of the current hassle. Does anyone know if Dropbox for Business actually does this ? This could be beyond the scope the current question so let me know if i need to open a new one.
0
efrimpolCommented:
see below link explaining folder permissions;

https://www.dropbox.com/guide/admin/share/set-folder-permissions
0
McKnifeCommented:
No matter where your data will be stored: anyone how can read it, can also copy it - there is no technical difference so we cannot prevent copying unless you take away read permissions as well.

Professional solutions will use digital rights: the data will be encrypted and only be readable on entitled computers or by entitled users after those contact a right management server ("RMS"). That way, the RMS admin can change the entitlement at any time and revoke permissions which will make copied material unreadable. Still, this is no cure against all scenarios, since people can of course film the screen while scrolling through pages, or make screenshots and the like. So you can make it harder, but never impossible.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DominicIT ConsultantAuthor Commented:
Thanks @Mcknife. i think right now i will speak with the directors of the company and confirm with them which data doesnt need to be on Dropbox right now due to privacy. I will segregate the data and leave on Dropbox the data that is potentially less sensitive. Monitoring and setting up an RMS server sounds beyond necessity and overcomplicated for a small Solicitors firm. I will look for an alternative Cloud filing system such as Box which i can use for confidential data and stick with Dropbox for the rest OR upgrade to Dropbox Biz.
0
DominicIT ConsultantAuthor Commented:
Thanks everyone for the feedback - Its not worth the effort or investment to monitor. I will start separating the sensitive data right away and be done with it.

Thanks
Dom
0
Ashot OganesyanCommented:
You may try DeviceLock DLP. The trial version is freely available on the website. It has a lot of data and port control features. You can not only control USB ports and devices but also check the files contents against the specific rules. Also, you can control cloud storages, social networks and web mails...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.