Plugging Information Leaks

Page 1 of 3

Businesses today face a monumental challenge trying to contain and secure confidential content in a high-tech enterprise setting. Even employees with the best of intentions can mistakenly select the wrong email address and accidentally release information that should remain in-house. What's more, employees transport data on laptops, flash drives, iPods, cell phones, PDAs, and Blackberries, which make it simple to carry content beyond the boundaries of the enterprise and out into the world where it can be lost, stolen, or distributed without a company knowing. Besides the risk of losing or releasing critical business information such as contracts, pricing, plans, trade secrets, and more, there is a plethora of state and federal laws and regulations around protecting and securing certain types of customer data.

When it's so easy to transfer digital content, companies need a way of ensuring that only authorized parties can view critical content. Fortunately, there is a growing content security industry, which helps companies develop policies and uses technology to help ensure adherence to the policy automatically.

Drip, Drip, Drip…
On the very positive side, technology has made it easier for employees to share information, resulting in increased productivity. Many companies thrive on the free movement of information, but without help, even the most trusted employees could make mistakes with confidential content. Raj Dhingra, vice president of marketing at PortAuthority, a company whose products help organizations stop information leaks before they leave the building, defines how his company sees information leaks: "They refer to your critical information or sensitive data getting into the hands of an unauthorized recipient."

A lot of organizations are only just beginning to understand that they may have a content security problem, says Nigel Stanley, an analyst who covers enterprise security issues for Bloor Research. However, he says that when people do think about it, they often assume that the primary issue is about stealing information, which Stanley says actually only accounts for a small percentage of the problem. By focusing on the wrong area, he says, companies are missing the bigger problem of employee negligence. "Content security is a massive, massive problem," says Stanley, "but only a very small number of people are stealing data. There is a high number of people making mistakes and leaking data because they are incompetent or badly trained. So the problem is multi-faceted. It comes from a range of human behavior, from carelessness all the way to malicious intent."

Another issue, according to Miriam Wugmeister, a partner at Morrison & Foerster who specializes in data protection law, is understanding that failing to protect certain types of data can result in legal problems. "Generally speaking [in the United States], we don't have an omnibus privacy law. Instead we protect information that we think is particularly sensitive like financial, health, or information about kids and we are concerned about how it is used," she says.

Wugmeister explains that under the privacy laws in California (or one of 17 other states that use California as a model), for example, if a company collects Social Security numbers, driver's license numbers, or bank account information with a PIN, and any unauthorized access occurs, the company must give public notice.

Interestingly, this means that even though organizations are not legally bound to protect this information, those that want to avoid the bad publicity of admitting a leak will take steps to protect it in the first place. "A lot of it is about trust. If you are a company that had been in the news multiple times because you've had data leaks, then consumers are less likely to want to do business with you," she says. 

Wugmeister has found that companies are all over the map when it comes to security preparedness. However, she says that in addition to those needing a content security system, she gets several calls a week from companies that have a system in place but want her to work with them to write more meaningful policies and procedures to prevent information leaks.

Stopping (up) Leaks 
One way to prevent information from leaking is to monitor network traffic, whether it's internal or outbound traffic. Chip Hay, senior vice president of marketing at Code Green Networks, says that using a content monitoring appliance like those made by his company can help prevent leaks to unauthorized recipients. "It sits at the gateway between an organization's internal networks and the internet and it monitors and inspects all of the content flowing through the gateway." Hay says, "We can figure out, for example, that the attachment to an email is a PDF file. We can check the attachment for sensitive information, and if it does have sensitive information in it, then a management-defined policy is invoked and executed." 

In fact, Dhingra says, his team at PortAuthority has identified three primary ways that information gets into the wrong hands: data in motion, heading outside the organization; data at rest, which involves data inside the organization, whether moving via email or going to a shared networked printer; and data in use, taking information and storing it on a device such as a USB drive. "All of these are ways information can be leaked at the desktop level," according to Dhingra. "When an enterprise is thinking about securing data, they need to build a comprehensive plan looking at all three types of data in the framework." 

For instance, Dhingra says a bank may want to look at data in motion to prevent confidential information such as bank account numbers and PINs from getting into the wrong hands. If this bank has 100,000 emails going out every day, and they figure 5% might have confidential information, they can begin a policy that looks at data in motion, then refine this policy to only include what the bank has identified as confidential content.
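
To make the gateway inspection and the bank's data-in-motion policy concrete, here is a minimal sketch of an outbound mail check. It is an added example, not code from Code Green Networks or PortAuthority. The domain, the policy table, the account/PIN pattern and the sample messages are all constructed assumptions, and only text parts are inspected.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "bank.example"                        # assumed internal mail domain
POLICY = {"ssn": "block", "account_pin": "quarantine"}  # assumed management-defined actions
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCT_PIN_RE = re.compile(r"\baccount\D{0,10}\d{8,12}\b.{0,40}?\bPIN\D{0,5}\d{4}\b", re.I | re.S)

def valid_ssn(area, group, serial):
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    # so rejecting them cuts false positives from look-alike numbers.
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def find_sensitive(text):
    found = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if ACCT_PIN_RE.search(text):
        found.add("account_pin")
    return found

def inspect(raw):
    """Return (action, findings) for one outbound message given as raw bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    # A real gateway would use the SMTP envelope recipients; headers stand in here.
    rcpts = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if rcpts and all(a.lower().endswith("@" + INTERNAL_DOMAIN) for a in rcpts):
        return "allow", []                     # nothing leaves the organization
    found = set()
    for part in msg.walk():                    # body and every text attachment
        if part.get_content_maintype() == "text":
            found |= find_sensitive(part.get_content())
    action = max((POLICY[f] for f in found), key=SEVERITY.get, default="allow")
    return action, sorted(found)

def sample(to, body, attachment=None):
    """Build a constructed test message; every value in it is made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "teller@bank.example", to, "statement"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, subtype="csv", filename="export.csv")
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect(sample("x@partner.example", "Customer SSN 123-45-6789")))
```

Refining the policy, as the bank in the example would, means editing the patterns and the action table rather than the inspection loop.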
