Case study: Savills Hamilton Osborne King

Insiders have trust and access, making fraud hard to detect and prevent

Concerned about the potential security threat posed by the increasing proliferation of USB memory sticks, which could be used to store downloaded confidential data from company networks, Irish property agent Savills Hamilton Osborne King decided to do something about it. Kevin Gregory, senior business and IT manager, was worried about staff attaching unauthorised devices to their computers.

‘We felt that the increasing use of USB devices – personal organisers, phones, iPods, cameras as well as USB memory sticks – could leave our business potentially vulnerable and we wanted to act on this,’ he says.

‘However, we also wanted to strike a balance between safeguarding commercially-sensitive information and facilitating the day-to-day running of the agency.’

With more than 240 staff in four offices, Savills Hamilton Osborne King operates in the commercial and residential sectors, and is privy to a significant amount of commercially-sensitive data, including property prices as well as confidential client and contract records that are stored on its IT systems.

‘While we have not experienced any known incidences of data theft, there is always a risk,’ says Gregory. ‘The amount of data that could be pulled onto an iPod is enormous, and even a camera could be used to download data onto the memory card. This project was about minimising risk and removing temptation.’

The company wanted a flexible solution that would allow nominated staff – typically senior managers – to make use of USB devices to carry presentations to clients and carry data between different branches. At the same time, it wanted peace of mind that unauthorised users would not be able to take advantage of an unattended computer and download confidential documents.

‘We chose SecureWave’s Sanctuary device control because it gave us the flexibility to allow nominated staff to access specific files and applications on the network with their USB memory sticks,’ says Gregory. ‘Other products seemed to be all or nothing – you could grant access to all users or none.’

The Sanctuary system works by defining a permitted list of devices with access to the network and denying all others. In addition, a central shadow copy of any data accessed and copied onto a device is created and retained for audit and traceability purposes.