Build a Security Policy
Whatever solution you choose, the technology is only as good as the policies that support the solution. Once a system identifies that content is at risk, it will use company-defined policies to decide how to handle the risk. For instance, Dhingra says an organization could choose to warn people they are sending private content. Or a company may choose to quarantine the information until someone with authority has had a chance to look at it, or perhaps the system would send the email sender's manager an email indicating that the employee is sending sensitive content by email.
Ken Rutsky, vice president of marketing at Workshare, says a policy has to include several elements. Workshare's solution is based on policy management capability that allows organizations to define the conditions for triggering risk as well as the appropriate actions based on type of risk and sender and recipient.
Attorney Wugmeister believes that in order to succeed, policies have to be written by a team made up of IT, legal, and HR, and these departments need to work together. She says, "I think you have to have partnership between lawyers and IT and HR to make it work. Companies that get into trouble don't coordinate efforts. If it's just the lawyers writing the policies, it won't work."
What's more, she says that policies have to be simple and achievable to work. If they get too complicated, they won't be used. "One of the things I see is big IT policies that are aspirational but not achievable, so as soon as you've written it you are out of compliance," she says.
One way Dhingra says PortAuthority has tried to reduce the complexity of policy writing is by providing a library of prewritten policies to give companies a head start. "The approach we've taken provides about one hundred and fifty pre-built policies for various types of requirements; many for regulatory requirements." So, if the PortAuthority product sees data moving that is covered under certain regulatory requirements, this could constitute a policy violation and trigger a company-defined action.
Keep Business Moving
While organizations are working to define meaningful policies to prevent leaks, according to Dhingra, they should avoid making policies so restrictive that they stop the natural flow of information in a business. Many companies have important relationships with business partners, for example, and need to share confidential information. "At the end of the day, this is critical information and you need the right policy. You don't want too many false positives or false negatives. If you cast a wide net, you may get too many false positives. If it's too narrow you may miss stuff," says Dhingra.
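The policy elements described above (a risk type, the sender and recipient, and a company-defined action such as warn, quarantine, or notify the sender's manager) and the wide-net versus narrow-net trade-off can be made concrete in a small policy evaluator. This is an added example, not code from PortAuthority, Workshare, or the article; the detectors, domains, manager lookup, and rules are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed detectors, one per "type of risk" a message may carry.
DETECTORS = {
    # Narrow net: a US SSN with separators where they are expected.
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Wide net: any nine-digit run. It catches unformatted SSNs but also order
    # numbers, so it trades false negatives for false positives.
    "nine_digits": re.compile(r"\b\d{9}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
}

@dataclass(frozen=True)
class Rule:
    risk: str             # key into DETECTORS
    allow_partners: bool  # approved partner domains may receive this content
    action: str           # warn | notify_manager | quarantine

# Constructed policy, domains and manager lookup (all assumptions, not real data).
INTERNAL_DOMAIN = "example.com"
PARTNER_DOMAINS = {"partner.example"}
MANAGER_OF = {"alice@example.com": "bob@example.com"}
POLICY = [
    Rule("ssn", allow_partners=False, action="quarantine"),
    Rule("nine_digits", allow_partners=False, action="notify_manager"),
    Rule("confidential_marker", allow_partners=True, action="warn"),
]
SEVERITY = {"warn": 1, "notify_manager": 2, "quarantine": 3}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def evaluate(sender: str, recipient: str, body: str) -> dict:
    """Match the body against every rule and select the most severe action."""
    dest = domain_of(recipient)
    result = {"risks": [], "action": "allow", "notify": None}
    if dest == INTERNAL_DOMAIN:
        return result  # internal mail is left out of scope in this example
    for rule in POLICY:
        if rule.allow_partners and dest in PARTNER_DOMAINS:
            continue  # the business-partner exception the text describes
        if DETECTORS[rule.risk].search(body):
            result["risks"].append(rule.risk)
            if SEVERITY[rule.action] > SEVERITY.get(result["action"], 0):
                result["action"] = rule.action
    if result["action"] == "notify_manager":
        result["notify"] = MANAGER_OF.get(sender)
    return result
```

A body such as "order 123456789 shipped" sent outside the company trips only the wide nine-digit net, which is exactly the false positive Dhingra warns about; the narrow SSN pattern leaves it alone.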
Rutsky says Workshare's system continually evaluates policies. "We ship pre-packaged policies, but we also have a five-step methodology: educate, assess risk, develop policy, implement and monitor, and tweak." He says his company instructs customers that reviewing and adjusting policies is key to successfully managing content security.
One issue that could arise may be that employees don't like the idea of being monitored. Hay says, "Implementing the monitoring system may seem like a Big Brother type of thing, but the risk of losing information is so great that good governance is starting to demand that companies do something."
As with any company-wide effort, the more buy-in there is from upper management, the more likely a policy initiative will work. Wugmeister says, "Whether or not the effort works is directly related to how much support there is from senior management. If the legal or IT people do this without support, it can be very difficult to pull off."
As companies face growing content-control issues, having a system in place—technological and/or policy-based—to help keep content in the right hands is becoming critical. While there are a number of approaches an organization can take, it is important to know where content is going and to bring it under control. As Wugmeister says, you probably won't stop people who are bound and determined to steal content, but you can do a lot to control accidental leaks, and that could go a long way toward preventing information leaks.