Corporate security lapses are once again sweeping the news hour, but these days the culprit is just as likely to be an inside source -- a paid employee at a reputable company -- as a hacker doing evil somewhere in a Moscow basement.
Pity poor Boeing, which made headlines in December after personal information including salaries, Social Security numbers, and home addresses of approximately 382,000 retired and current employees, was stolen. According to news reports, a thief made off with an employee's laptop. Unfortunately, the laptop's owner violated Boeing's policy by failing to encrypt the data after it had been downloaded from a server. In an e-mail sent to Boeing employees, Jim McNerney, chairman, president, and CEO wrote, "This latest incident resulted from a clear violation of our data-protection policy."
That wouldn't surprise Brian Contos, CSO of security vendor ArcSight and author of Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. In the book, he notes, "Too often policies and procedures are outdated, forgotten, not well-communicated through awareness programs, or not even written."
Financial liability aside, information leaks can disrupt corporate strategy and leave an embarrassing bruise. In January, full details about Cingular Wireless's latest Palm Treo 750 were leaked to the Web a week before the announcement date. A sales presentation that was supposed to be embargoed until the big day instead made its premature debut on
Such events are leading to a surge of interest in ILP (information leak prevention), which targets policy-compliance monitoring and enforcement pertaining to information on the desktop and all data that moves along the internal network and across the corporate boundary. "Maybe we were naive, but until we installed PortAuthority at the beginning of 2006 we had no system for auditing [outbound] e-mail," says Ron Uno, an IT manager at Kuakini Health System and a key player in an ongoing effort to be HIPAA-compliant. "It flags everything [suspicious]."
A Fortune 1000 CSO who asked that his name be withheld describes both the frustration and urgency bound with ILP. "If an employee goes against company policy and takes data home to be more productive, how would I know? Not a single person in any company knows where all the data is. And if you don't know where the data is, how can you even begin to protect it?"
Here's the plan
Protecting information assets will always be a challenge of the highest order, but there are specific tasks you can perform to decrease your risk.
The first step in the ILP process is to develop a data protection policy. Corporate security officers should evaluate their ILP threats and institute risk-appropriate solutions.
Company officials must first decide what information is important to keep confidential. How can the data be accessed? Who can access it? When? And for how long? Information must be assigned a value, using implicit and explicit costs. The relative threats and risks to it must be evaluated, and a cost-of-defense threshold developed. A determination must be made as to how much the company is willing to spend to protect its confidential information.
Defining the confidential and critical information, the risks to each type of information, and the value to the organization allows ILP planners to focus on mission-critical assets first. In short, a data-protection plan follows the same steps that an organization would take when developing a business continuity plan -- only the focus is different. In a business continuity or disaster recovery plan, the focus is on the infrastructure and processes, and what it takes to make a company's mission-critical tasks operational again. A data protection policy is by contrast information-centric.
After the data-protection policy is developed, educating employees is the next order of business. Understanding and adhering to the policy should be part of the hiring package, and employees should know the consequences, for example, for taking home data without permission. Further, there are numerous policies to prevent information loss that leave users out of the loop, regardless of whether or not their intentions are malicious. One is to ensure that backup media is encrypted by default; another is to disable USB to prevent loss by way of flash memory drives. Whatever the policies are, they should be clearly communicated to staff and contractors in writing.