While data loss may make some people think of hackers or internal theft, for many organizations negligence and internal misunderstandings are the more likely culprit. According to the Ponemon Institute's annual study of data breach costs this year, accidents were behind 41% of breaches. The real problems for companies come from either not having an information security policy in place, or from employees who don't know or understand what that policy is.
Thomas Logan, CTO of HiSoftware, a provider of web content and compliance software such as Compliance Sheriff, says that the data loss issues the company sees most often are internal and non-malicious.
In a time dominated by social networking and instant connections, Logan says, "People are on Facebook and finding out how information accidentally leaks that they post about themselves. Anyone can actually relate to that experience of accidentally posting something or accidentally exposing information."
"Everyone can understand 'I could accidentally paste this here or post something in the wrong spot,' and that could leak really sensitive information," says Logan. While this can happen on a personal level, the real problems occur when it happens within a company. When people within an organization don't understand what the security policy is, they can accidentally share information they didn't even know was meant to be kept secure. For example, someone may post information on a social networking site about a new product without knowing they shouldn't do so.
"It's often not someone maliciously trying to do the wrong thing," says Logan. "It's literally just clicking to the wrong location in the UI and uploading the document that then gets exposed."
For example, one of HiSoftware's customers, a bank, was acquiring another bank, and this was considered sensitive information. "We were able to institute 'no discussion in public areas about this acquisition' into the rules engine to prevent that from happening," Logan says.
It's not just proprietary company information that is at stake, however. Companies often have sensitive customer information, such as social security numbers. It becomes problematic when the people with access to that information do not understand the guidelines for how and where it can be shared.
"We can enforce that those sensitive types of documents don't get published in the wrong places," says Logan. "There's nothing inherent in a content management system that prevents the loss from that perspective because once you secure things with security groups you make the assumption that everyone in the organization actually understands what those groups are and the proper placement of those documents. We see frequently that that's not well understood across the organization."
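To make the rules-engine behaviour Logan describes concrete, here is an added Python example (not HiSoftware's or Compliance Sheriff's code) that checks a document against constructed rules before it is published to a destination zone; the rule names, zones, regexes and sample text are all assumptions made for the illustration.

```python
"""Illustrative publish-time content rules (added example, not vendor code).

Each rule pairs a detector with the destination zones where a match is
disallowed. A document is checked before it is published, so an employee who
clicks the wrong library is stopped rather than expected to know the policy.
Rule names, zones and sample text are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[str], bool]   # detector over the document text
    blocked_zones: FrozenSet[str]    # zones where a match must not be published


# Detector for US SSN-shaped values (constructed regex; a production DLP engine
# would add validation and surrounding-context checks to cut false positives).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed policy mirroring the two cases in the article: PII must stay out
# of any shared zone, acquisition talk must stay out of public zones.
POLICY: List[Rule] = [
    Rule("ssn", lambda t: SSN_RE.search(t) is not None,
         frozenset({"public", "intranet"})),
    Rule("acquisition-talk",
         lambda t: re.search(r"\bacqui(?:re|sition)\b", t, re.I) is not None,
         frozenset({"public"})),
]


def check_publish(text: str, zone: str, policy: List[Rule] = POLICY) -> List[str]:
    """Return the names of rules that forbid publishing `text` to `zone`.

    An empty list means the publish action may proceed.
    """
    return [r.name for r in policy if zone in r.blocked_zones and r.matches(text)]


if __name__ == "__main__":
    # Constructed sample documents.
    loan_memo = "Applicant 123-45-6789 approved; see attached."
    merger_note = "Draft press release on the planned acquisition of ExampleBank."
    print(check_publish(loan_memo, "public"))       # ['ssn']
    print(check_publish(merger_note, "public"))     # ['acquisition-talk']
    print(check_publish(merger_note, "restricted")) # []
```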
For organizations to prevent data leaks due to internal malfeasance, the first step is forming and implementing a policy for governance, risk management, and compliance. "The most important thing is having an identified group or, depending on the organization's size, person responsible for putting the organization's requirements into a document that the organization follows," says Logan. "That's the first piece. Many organizations don't even have a stated policy."
The next step is then to educate and inform those within the organization. "But without having a policy in place first, an organization really has no way to even start educating [the people within] the organization," says Logan, "on what they need to do to make sure the information doesn't leak."