After years of battling intrusions, viruses, and spam, organizations now find themselves wrestling with another growing security issue: data leakage, the intentional or accidental exposure of information ranging from legally protected personal information to intellectual property and trade secrets. Today's data security breaches do not come only from internet hacking attacks; they span the wider IT environment, including lost or stolen laptops, USB keys and other devices, email, and Web 2.0 applications such as instant messaging (IM).

In a recent survey by the analyst firm IDC, the inadvertent exposure of company confidential information was cited as the number one threat, above viruses, Trojans, and worms. The most common type of information leaked was intellectual property, and 81 percent of respondents saw information protection and control (IPC), defined as monitoring, encrypting, filtering, and blocking sensitive information in data at rest, data in motion, and data in use, as an important part of their overall data protection strategy. The highest-priority IPC solution was data leakage prevention (DLP) deployed at the organization's perimeter and on endpoint computers. A Ponemon Institute study similarly found that data loss prevention and encryption solutions topped the list of the technology measures most frequently deployed after a breach to help avert a future one.

There are several reasons why data leakage prevention has moved to the forefront of enterprise security.

High-profile, reputation-damaging data leaks

Bad publicity from data leakage can result in a damaged reputation, lost customers, and sometimes even ruin for the companies that fall victim to it. The number of well-publicized data security breaches is growing significantly. Recent high-profile incidents have included:

Hackers stole 4.2 million credit and debit card numbers from Hannaford Bros, a US supermarket chain with 165 grocery stores in the New England area. (Dec 2007 - Mar 2008)

Secret government documents on al Qaeda and Iraq were left on a commuter train in the UK. (Jun 2008)

Her Majesty's Revenue and Customs (HMRC) in the UK lost personal data, including dates of birth, National Insurance numbers and bank details, on 25 million people when two CDs disappeared in the internal mail. (Nov 2007)

An email containing the names, positions, salaries, and social security numbers of 192 faculty and staff members was accidentally sent to Ohio State University Agricultural Technical Institute students. (May 2008)

Governments worldwide have introduced increasingly stringent data protection legislation, such as the US Sarbanes-Oxley Act, HIPAA, and Gramm-Leach-Bliley Act, and the UK Data Protection Act, to require suitable controls over sensitive company information. Organizations found to be in breach of this legislation can be fined and forced to put solutions in place to prevent a recurrence. California Senate Bill 1386, which took effect in 2003, was the first law to require that organizations notify all affected individuals when their confidential or personal data has been lost, stolen, or compromised. Such public disclosure is now required by 35 states. Many regulations also require regular audits, which an organization may fail if the right controls are not in place.

Alongside government legislation sits the Payment Card Industry Data Security Standard (PCI DSS). Created by the major payment card brands, it is enforced on merchants through the agreements under which they are allowed to accept card transactions. Organizations that cannot demonstrate PCI compliance at an audit are subject to sanctions even if no actual data leak has occurred. PCI DSS's reach across international boundaries and its ability to respond quickly to change make it as important a security standard as any local or national legislation.
In addition to legal costs, organizations have to deal with the less tangible costs of recovery and commercial fallout, such as lost business or withdrawal of credit card merchant status. All of these costs have been rising steadily.

The dissolving perimeter and Web 2.0

As business has gone online and become vastly more mobile, the 20th-century security strategy of protecting the organization's perimeter with firewalls, intrusion detection, and similar tools has become insufficient: there are simply too many points of data entry and exit. While defending the perimeter remains important, protection must focus on controlling access to the information itself. This need is growing rapidly with the very different outlook of Web 2.0 users. This new "employee 2.0" workforce brings a mindset highly attuned to sharing information on social networking sites, posting to blogs, and emailing and IMing friends, with little or no regard for whether this is appropriate in a business context.