According to Young, the risks associated with social networking and messaging applications often point to other internal problems. Often its just an employee trying to solve a problem, he said. If the enterprise solves the problem, then the risk goes away.
Crosley added that organizations often calculate risks improperly, being overly conservative when it comes to communications tools. They focus on the wrong things and dont accurately estimate the real costs associated with adopting versus ignoring a technology. Does a spike in productivity and efficiency offset the deployment cost? Does internal control offset the risk of having employees bring in technologies through the backdoor?
If employees are desperate for good web-based email, give it to them. Dont make them resort to Gmail, he said.
Beyond tools like web-based email, VPNs, and secure wireless networking, Young pointed to email security and content-monitoring as the next line of defense against data leaks. In certain industries, especially financial, its a must, he said.
Crosley suggested that companies who havent developed policies or are unfamiliar with new security technologies should bring vendors into the mix. Of course, youd expect a vendor rep to say this, but he makes a good point: Until you know the dimensions involved with your particular enterprise, its hard to develop policy. Most vendors will conduct an audit first, and thats the logical starting point.
For those further along with their security policies and strategies, they can start evaluating data-leak-prevention solutions. Startups are leading this space, with Proofpoint, Provilla, Clearswift, and PortAuthority (acquired by Websense in January 2007) all fitting the bill.