Organizations invest huge resources developing security policies and procuring protective technologies that point outwards at hackers, spyware and viruses. However, organizations are beginning to realize that there is another aspect to data security - the inside-out leakage of information. Not only do organizations need to worry about the release of valuable intellectual property, but they now also face increased regulation and oversight on issues ranging from consumer privacy to financial disclosure. All of this in an atmosphere of government and consumer mistrust of business that has raised the bar on both actual intended behavior and the due course exhibited in protecting both consumer and shareholder information.
Information Is Leaking
Information security is a growing problem in organizations of all sizes. Documents that include private customer data and other confidential or otherwise sensitive information are leaving U.S. organizations through email and other channels such as Blackberry's and USB drives at an alarming pace.
In recent research sponsored by Workshare and conducted by The Insight Advantage it was discovered that the majority of corporations and government agencies in North America have no idea how much sensitive data is leaking out of their organizations. The objective of the information security study was to gather insight from executives who have the following responsibilities in U.S.-based organizations with at least 1,000 employees: IT Security, Risk, Privacy, Compliance, and In-House Counsel regarding the challenges they face in protecting organizational information that is considered confidential, financial or private customer data.
Band-Aid Approaches Don't Alleviate The Problem
Executives who participated in the study represented a broad spectrum of industries, including financial services, government, manufacturing, technology, insurance and healthcare. Results gathered from the 359 executives who participated in the study showed an overwhelming awareness of information security enforcement challenges and the fact that attempts to solve them through point solutions like PDF conversion, encryption and other inadequate technologies are simply not effective. Executives are most concerned about customer data leaking and the subsequent impact, especially negative perception of the organization's brand and loss of customers. Alarmingly, the current solutions used, regardless of industry, fail to solve the problem of information leaking or alleviate executive concerns.
Awareness Only Part Of The Cure
The study shows that the level of awareness about the risks and cost of information leaks is high.However, the study also confirms that the recent rash of publicized information leaks is only the tip of the iceberg; information is leaking out of organizations in large volumes. Moreover, executives responsible are running on blind faith that the incomplete solutions they have deployed are enough - despite their concern over and the existence of information leaks via electronic channels.This survey serves as a wake up call to develop and implement a comprehensive data leak prevention assessment and risk mitigation plan.
Threat Is Huge
The scope of this 'inside-out' information security threat is staggering. According to recent data, the 200 million business users of Microsoft Officesend over 100 million documents over email daily. This amounts to over 125 documents per employee per year. And this number is only taking into account the information shared over email, let alone by way of other electronic means. The threat poses serious risks that have the capacity to cost companies huge sums in law suits, regulatory penalties, lost business, intellectual property infringement and unquantifiable damage to the most valuable of assets - reputation. Therefore, the key challenge for in-house counsel and privacy executives is to understand and manage this risk without disrupting the critical flow of information on which the business depends.
Cure The Problem - Five Critical Steps
In today's global business environment, information security is an ongoing challenge that requires action, measurement and periodic re-evaluation. Only through commitment and focus can organizations hope to manage the risk associated with business documents and other content leaving the organization.
Four Types Of Information Leaks
-
Visible information contained in documents and messages
-
Hidden information in documents and messages
-
Entire documents that must be restricted
-
Format transformation artifacts
Examples of all these types of information leaks are abundant in the media, and have resulted in international political crisis, regulatory penalties, shareholder lawsuits, lost business and damage to reputation.
Managing the risks associated with the exchange of information requires a combination of policy and enforcement. Workshare has developed a systematic approach, based on best practices, to help organizations through the process of developing policy and implementing enforcement. The methodology involves 5 steps as follows:
Step 1: Education
The first step involves understanding the three key areas of information security risk: security, compliance and accuracy. In order to accurately assess their exposure organizations must first understand the types of risk associated with the exchange of business information. Workshare has identified 3 critical areas of risk: security, compliance and accuracy. Security is defined as the risk that inappropriate information accidentally or maliciously leaves the organization. Compliance is defined as the risk that information exchange policies are not adequately defined, controlled and/or auditable. Accuracy is defined as the risk that documents and other information leave the organization containing incorrect information.
Step 2: Assessment
In the second step, you evaluate the level of risk in the organization associated with key business processes. In this phase of the process an assessment is performed. The assessment evaluates the risk as defined in step one, the existing policies and processes used to manage these risks - or the lack thereof - and user awareness of the risks described.
Step 3: Policy Development
In Step 3, you develop ways to classify risk and appropriate mitigation strategies and policies. Many organizations have developed and implemented information risk classifications. Typically, they are structured as follows:
Highly Confidential: Information in which unauthorized disclosure will cause a company severe financial, legal or reputation damage. Examples include financial transactions, customer contracts, business and negotiation strategies, consumer privacy information and intellectual property such as trade secrets.
Confidential: Information in which unauthorized disclosure exposes an organization to financial, legal or reputation risk. Examples include employee personnel and payroll files and intellectual property such as customer and distributor lists.
Internal Use Only : Information that, because of its personal, technical, or business sensitivity is restricted for use within the company and its close advisors.
Unrestricted: Information that in general can be shared, but must still be monitored and managed to mitigate information security risk.
Step 4: Policy Implementation
Step 4 calls for implementing the education, systems, technologies, and process changes necessary to enforce the policies defined in Step 3. Compliance officers and security or legal teams must now find ways to ensure that policy is enforced. This involves implementing a number of changes across the organization:
-
Educational Changes
-
Process Changes
-
Technical Changes
Step 5: Compliance Auditing
Step 5 requires that you put in place ongoing and regular auditing of compliance levels and gaps between actual and targeted results.
Organizations must put in place mechanisms to both monitor and audit the enforcement, appropriateness and effectiveness of their information security safeguards. Regular audits of compliance levels across the three critical areas of risk, security, accuracy and compliance should be conducted. This could involve reviewing 'sample' sets of documents or emails at random or analysis that is more empirical in order to track how many Microsoft Office documents left the company perimeter containing hidden data or a visible content violation over a certain period.
Conclusion
The 5-step approach is not intended to be a comprehensive answer to information security concerns, but rather a series of best practices, highlighting the key areas to consider: understanding the areas of information security vulnerability, assessing the scope of the risk within the organization, developing risk mitigation policies and implementing them, and finally, carrying out regular audits to ensure policy compliance.
Information security is an ongoing issue that requires action, measurement and periodic re-evaluation. Only through commitment and vigilance, can organizations manage the risk associated with business information and mitigate it.
Published September 1, 2006.
