An Educational Tool
Along with systems that enable clients to more easily track and monitor their data as it moves through social networking channels and email, content security vendors also offer features that are designed to prevent breaches going forward. These include a component that informs employees about proper data sharing in the Web 2.0 environment.
“It’s about educating the employee at the time [of the action],” says Thompson. He provides an example: If an employee’s browser is on one of the social networking sites and he or she is about to copy company information onto the page, the Verdasys system will generate a pop-up box written by the client company that tells the employee why such an action isn’t appropriate and suggests the data be sent through another channel. “Many of our customers use those prompts in a soft mode, so it’s just informing the employee. But they get 80% to 90% compliance,” says Thompson. “Most people want to do the right thing. Intervening at the moment when they were going to do it, you’re giving them the perfect education. Without interfering with the business at all, you can get rid of 80% to 90% of the risks that you can identify of data moving in inappropriate ways out of the company.”
MessageGate’s solution enables companies to create policies that can evaluate an email flow in real time. “The policies look at both content in the metadata around the email—in the body itself or in the attachment—in context, who is sending to whom and who belongs to what privileged groups or communications,” explains Bradley. The technology “can make decisions based on those policies as to whether or not the email should be blocked, whether or not it should be sent back to the sender, or sent to a third party for review.”
MessageGate offers a feature called “sender confirm.” When there is a violation, such as a social security number being sent from one professional to another to help complete a business transaction, the system can halt the message. “It goes back to the sender and says, ‘This is the policy that this communication violated. Are you really sure you want to send it?’ It can not only be self-corrected, but it’s an educational opportunity,” says Bradley.
According to Bradley, the product comes with predefined policies, but it is designed for companies to create their own policies. “What we find is most of the time, canned policies don’t address what companies are looking to do,” he says. “They want it tailored to their environment and their own use case.”
Creating a Safer Environment
There’s no question that the issue of content security is at the top of minds throughout the enterprise, not just the IT department. Security vendors say that in addition to meeting with IT professionals at their client companies (mainly because of IT’s involvement in technological implementations), they are also working with senior-level leadership in other segments of the business. MessageGate’s Bradley notes that it is a cross-functional sell and that sometimes MessageGate will begin a client engagement with an organization’s corporate compliance officer or HR professional.
Dock says that DataMotion used to communicate with the IT professionals, but “it’s moving from IT people to business people. Today we’ve found it’s the business person with a very specific problem,” she says. “They have a driving need to solve a specific business problem. We used to have to go out and explain that governance is needed. People now know they need the governance and the visibility.”
Still, Verdasys’ Thompson says that the list of problems potential customers come to the company for is different from the problems that are actually solved. But regardless of what brings customers to content security solution providers, they seem increasingly dedicated to providing financial resources for such initiatives. “In the past couple of years, companies have changed their security budgets to where DLP and encryption are actual line items,” says Etue. Whereas 3 or 4 years ago it was a “nice to have” feature, it is becoming a requirement.
“Policy is not just a matter of creating these filters. It has to be tied to a coherent policy about proper usage of corporate resources, particularly email,” says Bradley. “If it’s not in place already, we encourage companies to make sure there is a coherent published policy that employees can understand. It’s an expression of culture. That’s an easy tie to this idea of a culture of compliance. You want your employees to be productive and creative, but they need to comply with corporate policies, outside regulations, and good legal practices.”
Companies will most likely have to continue to adapt their policies as new applications are created, something technology providers are ready for. “One of the things we do self-consciously with Digital Guardian is we try to future-proof it,” says Thompson. “You can never be perfect at that. But whatever next year’s risk is and whatever the new Twitter is … we try to design against that so that the worst case for our customers is they need to take an upgrade to be able to secure that.”
Companies Featured in this Article:
Fidelis Security Systems, Inc.