January 11, 2008 — CIO — Data breaches happen all the time in industries ranging from retail to government. Protecting data is a key concern for CIOs, but there are a lot of misconceptions about data protection. Here we'll debunk some of the myths and explain best practices for protecting data without impeding daily business operations.
Myth No. 1
Information leak prevention is the security administrator's problem.
Securing companies from external threats such as viruses has long been
in the security administrator's realm, but securing the company from
information leaks requires a much broader view. Today, the challenge of
protecting sensitive data spans business units—from IT to the legal
department to the boardroom. Every day, CIOs face the challenge of
putting the necessary technologies and processes in place to protect
confidential data and comply with federal regulations, but they have to
accomplish this without impeding daily business operations.
Myth No. 2
If I block instant messaging, Web-based e-mail and external storage devices, I don't need to worry about information leaks.
Controlling instant messaging, Web e-mail and external storage devices
may increase basic data security; however, in today's connected world,
putting tight restrictions on information flow can hinder business
processes and ultimately constrain company growth. Effective leak
prevention requires the ability to keep information inside the
company's walls without disrupting its legitimate use for normal
business operations. Information management requires a balanced
approach. Best practices include building leak prevention policies
around things like instant messaging and Web usage, as well as using a
growing number of technologies such as endpoint security and encryption
technology to enable employees to leverage external storage devices
safely.
Myth No. 3
I know where my data resides.
Most companies don't have a good handle on where their data lives,
whether on file servers or company laptops. Understanding who has
access to data and where it flows inside and outside the network is
crucial to managing information. In addition to identifying sensitive
information, CIOs must understand other areas of exposure, such as
unsecured endpoints and whether Internet use policies for common data
loss vectors (like instant messaging and Web surfing) exist and are
being enforced.
Myth No. 4
I should be most concerned about protecting my data from data theft and malicious internal leaks.
Malicious data leakage and theft are certainly important to address;
however, most leaks are not intentional. Mistakes, deviations from
existing business or IT processes, and the negligence of employees and
contractors can result in leaks. In fact, according to Forrester Research,
more than 70 percent of all leaks are accidental. With e-mail auto-fill
for the intended recipient on nearly every computer, it is easy to see
how e-mails accidentally get sent outside the corporation. When
developing an effective information leak prevention strategy, you must
focus on accidental data loss to address the majority of the day-to-day
risk.
Myth No. 5
Information leak prevention technology is complicated and expensive; it's not worth it to install.
Every organization is different and the potential cost of a leak
varies. However, much research has been done, analyzing the experiences
of such victims as TJX, which recently set aside $118 million to
address its breach. Forrester Research quantifies the cost of losing
customer information between $90 and $305 per record, depending on the
type of information lost and the business. However, customer
information represents only a portion of what most of us see leaked
daily. Confidential information, such as M&A plans, earnings reports
and intellectual property can have a far greater impact on the business
if leaked. It's up to each company to conduct a risk management
assessment to quantify the expected cost of a breach. From there,
companies can determine whether implementing information controls such
as information leak prevention technology is justified—in most cases
they find that it is.
Myth No. 6
My employees understand what they can and can't send out of the company.
Most employees don't intentionally leak information and, given the
right training and education combined with information leak prevention
technology, the risk of data leaks diminishes significantly. However,
the majority of employees don't know their company's policies.
Employees often don't understand why sending work home through Web mail
is risky or why password protection is important. In an increasingly
mobile work environment, employee training is even more important.
Best practices for employee education begin with communication. Employees should be given training during their new hire orientation, followed up with annual refresher courses that teach them what information can be accessed and how it can be used. The second step is to use technology to provide continued education and policy reinforcement in an automated capacity. For example, with an information leak prevention solution, managers can have an automated message sent to employees who have violated a policy. The message lets them know why the communication was in violation of a policy and encourages them to act differently in the future.
Myth No. 7
Information leak prevention technology will hinder my business operations.
Contrary to what many CIOs think when they hear the words "information
leak prevention," the right solution can actually improve business
processes. If you implement a product that has the context of what the
data is, who is sending it and its intended destination, information
owners can be notified when a violation is triggered, without IT's
involvement, reducing administrative overhead while reinforcing the
principle that the problem of information leakage can and must be
addressed within the business units themselves.
Myth No. 8
If I deploy information leak prevention technology I will be overrun with false positives.
The ability to discern between real leaks and business as usual is
crucial to maintaining the balance of security and operational
effectiveness. Certainly some information leak prevention solutions
have a high rate of false positives (and negatives). To avoid the high
and costly rate of false positives and negatives, look for a solution
that has accurate detection capabilities for both structured and
unstructured data. Make sure it has a granular set of policy controls
and mature enforcement capabilities to ensure you can set and enforce
policies around the user, the data, the destination, corporate
governance and regulatory compliance.
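As an added illustration of the points in Myths 7 and 8 (this is example code, not from the article or from any Websense product), the following outbound-mail check combines a structured-data detector that validates 16-digit candidates with the Luhn checksum so that look-alike order numbers are not flagged, an unstructured marker (a CONFIDENTIAL label), and a policy that depends on the destination domain and names the information owner to notify. The domain, owner addresses and sample messages are constructed for the example.

```python
import re

INTERNAL_DOMAINS = {"example.com"}  # assumed corporate domain (constructed)
OWNERS = {"card_number": "payments-owner@example.com",   # assumed owners
          "confidential_doc": "legal-owner@example.com"}
_CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16-digit candidates

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: most random 16-digit strings (order ids, serials) fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Structured-data detector: keep only candidates that pass Luhn."""
    found = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def classify(text: str) -> set:
    """Returns the kinds of sensitive content found in the message body."""
    kinds = set()
    if find_card_numbers(text):
        kinds.add("card_number")
    if re.search(r"\bCONFIDENTIAL\b", text):   # unstructured: classification label
        kinds.add("confidential_doc")
    return kinds

def evaluate(sender: str, recipients: list, body: str) -> dict:
    """Policy: sensitive content may flow to internal recipients; any external
    recipient blocks the message and names the information owner to notify."""
    kinds = classify(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    action = "block" if kinds and external else "allow"
    notify = sorted(OWNERS[k] for k in kinds) if action == "block" else []
    return {"sender": sender, "action": action, "kinds": sorted(kinds),
            "external": external, "notify": notify}
```

The Luhn step is what keeps a 16-digit order number such as 1234567890123456 from producing a false positive, while a message carrying a valid card number or a CONFIDENTIAL label to an external address is blocked and routed to the owner rather than to IT.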
Myth No. 9
Only regulated industries need information leak prevention technology.
Consumer data is not the only information companies need to worry
about. Every organization has intellectual property that is critical to
protect. If an entertainment company lost an important script or a
clothing company leaked next year's designs, the loss could be
staggering to the business.
Myth No. 10
Information leak prevention technology will solve all my data leakage problems.
Information leak prevention technology provides a method for
discovering where sensitive data resides and then preventing that data
from leaving the organization via common communication methods like
e-mail and instant messaging. However, the technology must be used in
concert with employee education and can be used with technologies such
as document rights management, encryption, endpoint security and, of
course, physical security measures. The goal of information leak
prevention is to vastly reduce the risk of data leaks and to provide a
way for companies to track and respond to critical violations quickly.
Jim Haskin is the chief information officer for Websense. He is responsible for all aspects of Websense's IT direction and execution, including operations, infrastructure, applications and internal customer support functions.