Data breaches happen all the time in industries ranging from retail to government. Protecting data is a key concern for CIOs, but there are a lot of misconceptions about data protection. Here we'll debunk some of the myths and explain best practices for protecting data without impeding daily business operations.
Myth No. 1: Information leak prevention is the security administrator's problem. Securing companies from external threats such as viruses has long been in the security administrator's realm, but securing the company from information leaks requires a much broader view. Today, the challenge of protecting sensitive data spans business units, from IT to the legal department to the boardroom. Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.
Myth No. 2: If I block instant messaging, Web-based e-mail and external storage devices, I don't need to worry about information leaks. Controlling instant messaging, Web e-mail and external storage devices may increase basic data security; however, in today's connected world, putting tight restrictions on information flow can hinder business processes and ultimately constrain company growth. Effective leak prevention requires the ability to keep information inside the company's walls without disrupting its legitimate use for normal business operations. Information management requires a balanced approach. Best practices include building leak prevention policies around things like instant messaging and Web usage, as well as using a growing number of technologies such as endpoint security and encryption to enable employees to use external storage devices safely.
Myth No. 3: I know where my data resides. Most companies don't have a good handle on where their data lives, whether on file servers or company laptops. Understanding who has access to data and where it flows inside and outside the network is crucial to managing information. In addition to identifying sensitive information, CIOs must understand other areas of exposure, such as unsecured endpoints and whether Internet use policies for common data loss vectors (like instant messaging and Web surfing) exist and are being enforced.
Myth No. 4: I should be most concerned about protecting my data from data theft and malicious internal leaks. Malicious data leakage and theft are certainly important to address; however, most leaks are not intentional. Mistakes, deviations from existing business or IT processes, and the negligence of employees and contractors can result in leaks. In fact, according to Forrester Research, more than 70 percent of all leaks are accidental. With e-mail auto-fill for the intended recipient on nearly every computer, it is easy to see how e-mails accidentally get sent outside the corporation. When developing an effective information leak prevention strategy, you must focus on accidental data loss to address the majority of the day-to-day risk.
Myth No. 5: Information leak prevention technology is complicated and expensive; it's not worth it to install. Every organization is different and the potential cost of a leak varies. However, much research has been done analyzing the experiences of victims such as TJX, which recently set aside US$118 million to address its breach. Forrester Research quantifies the cost of losing customer information at between $90 and $305 per record, depending on the type of information lost and the business. However, customer information represents only a portion of what most of us see leaked daily. Confidential information, such as M&A plans, earnings reports and intellectual property, can have a far greater impact on the business if leaked. It's up to each company to conduct a risk management assessment to quantify the expected cost of a breach. From there, companies can determine whether implementing information controls such as information leak prevention technology is justified; in most cases they find that it is.
Myth No. 6: My employees understand what they can and can't send out of the company. Most employees don't intentionally leak information and, given the right training and education combined with information leak prevention technology, the risk of data leaks diminishes significantly. However, the majority of employees don't know their company's policies. Employees often don't understand why sending work home through Web mail is risky or why password protection is important. In an increasingly mobile work environment, employee training is even more important.
Best practices for employee education begin with communication. Employees should be given training during their new hire orientation, followed up with annual refresher courses that teach them what information can be accessed and how it can be used. The second step is to use technology to provide continued education and policy reinforcement in an automated capacity. For example, with an information leak prevention solution, managers can have an automated message sent to employees who have violated a policy. The message lets them know why the communication was in violation of a policy and encourages them to act differently in the future.
Myth No. 7: Information leak prevention technology will hinder my business operations. Contrary to what many CIOs think when they hear the words "information leak prevention," the right solution can actually improve business processes. If you implement a product that has the context of what the data is, who is sending it and its intended destination, information owners can be notified when a violation is triggered without IT's involvement. This reduces administrative overhead while reinforcing the principle that the problem of information leakage can and must be addressed within the business units themselves.
Myth No. 8: If I deploy information leak prevention technology I will be overrun with false positives. The ability to discern between real leaks and business as usual is crucial to maintaining the balance of security and operational effectiveness. Certainly some information leak prevention solutions have a high rate of false positives (and negatives). To avoid the high and costly rate of false positives and negatives, look for a solution that has accurate detection capabilities for both structured and unstructured data. Make sure it has a granular set of policy controls and mature enforcement capabilities to ensure you can set and enforce policies around the user, the data, the destination, corporate governance and regulatory compliance.
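To make the false-positive point concrete, here is an added example (not code from this article or from Websense) of how a leak prevention rule can combine a data check with the sender/destination context described above. Structured data (a card number) is only flagged when the digits pass a Luhn checksum, so a ticket reference that merely looks like a card number is not a hit; unstructured data is matched on a confidential term; and the verdict depends on whether the destination domain is internal. The internal domain, the sample e-mail events and the confidential term list are all constructed for this example.

```python
import re

# Constructed for this example: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}

# Constructed for this example: terms that mark unstructured confidential content.
UNSTRUCTURED_TERMS = ("earnings report", "m&a plan")

# 13 to 16 digits, optionally separated by spaces or hyphens (a "card-like" pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed sample of outbound e-mail events; every address and number is made up.
SAMPLE_EVENTS = [
    {"sender": "alice@example.com", "recipient": "bob@example.com",
     "body": "Invoice 4111 1111 1111 1111 attached for Q3."},      # valid card, internal
    {"sender": "alice@example.com", "recipient": "bob@webmail.example",
     "body": "Card 4111 1111 1111 1111 for the customer file."},   # valid card, external
    {"sender": "carol@example.com", "recipient": "vendor@partner.example",
     "body": "Ticket ref 1234 5678 9012 3456 is closed."},         # fails Luhn: not a card
    {"sender": "dave@example.com", "recipient": "press@news.example",
     "body": "Draft earnings report: revenue up 12%."},            # unstructured, external
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return card-like numbers in text that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def evaluate(event: dict) -> dict:
    """Apply a policy built around the data, the sender and the destination."""
    dest_domain = event["recipient"].rsplit("@", 1)[-1].lower()
    external = dest_domain not in INTERNAL_DOMAINS
    cards = find_card_numbers(event["body"])
    terms = [t for t in UNSTRUCTURED_TERMS if t in event["body"].lower()]

    if cards and external:
        # Structured sensitive data leaving the company: enforce.
        verdict, reason = "block", "card number to external domain"
    elif terms and external:
        # Unstructured content: route to the information owner rather than IT.
        verdict, reason = "notify_owner", "confidential term to external domain"
    else:
        verdict, reason = "allow", "internal destination or no sensitive data"
    return {"sender": event["sender"], "recipient": event["recipient"],
            "verdict": verdict, "reason": reason}


def evaluate_all(events=SAMPLE_EVENTS) -> list:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for result in evaluate_all():
        print(f"{result['sender']} -> {result['recipient']}: "
              f"{result['verdict']} ({result['reason']})")
```

The third event is the false-positive case the myth is about: a 16-digit ticket reference matches the card-like pattern but fails the checksum, so the message is allowed. Real products add many more classifiers and contextual signals, but the principle is the same: validate the data, then decide based on who is sending it and where it is going.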
Myth No. 9: Only regulated industries need information leak prevention technology. Consumer data is not the only information companies need to worry about. Every organization has intellectual property that is critical to protect. If an entertainment company lost an important script or a clothing company leaked next year's designs, the loss could be staggering to the business.
Myth No. 10: Information leak prevention technology will solve all my data leakage problems. Information leak prevention technology provides a method for discovering where sensitive data resides and then preventing that data from leaving the organization via common communication methods like e-mail and instant messaging. However, the technology must be used in concert with employee education and can be combined with technologies such as document rights management, encryption, endpoint security and, of course, physical security measures. The goal of information leak prevention is to vastly reduce the risk of data leaks and to provide a way for companies to track and respond to critical violations quickly.
Jim Haskin is the chief information officer for Websense. He is responsible for all aspects of Websense's IT direction and execution, including operations, infrastructure, applications and internal customer support functions.