Miss the boat on the next wave in information security and you’re likely
to sink the corporate ship.
Reducing the business risk that results when data leaves the enterprise
network should be on the radar screen of every administrator, according
to industry watchers.
”Information security, or the lack thereof, affects the reputation,
reliability and trustworthiness of every company. And, once you lose it,
you lose it forever,” says Larry Ponemon, founder of the Ponemon
Institute, a think tank that studies privacy data protection and
information security policy.
Industry participants predict that increasing numbers of companies will
be poised to address data leakage in 2005, followed by product
implementations through 2007. Why? Because the problem is growing
exponentially and no one wants to be tomorrow’s headline news because of
it.
The time is now
To grasp the scope of a problem, a recent study by the Ponemon Institute
looked at 163 Fortune 1,000 companies. The study revealed that 75 percent
of them reported a security breach in the prior 12 months. The leaks may
have involved personal information about customers, personal information
about employees, involved confidential business information, and
intellectual property, including software source code.
”What we’re seeing is that many companies have poor access controls over
who gets data and no way of controlling the outflow of data,” says
Ponemon.
According to Gartner Inc., more than 80 percent of high-cost security
incidents occur when data from inside the organization gets out. Most
data leakage occurs by accident or because of poor business processes,
says Rich Mogull, a research director at Gartner. Whether accidental or
malicious, security breaches from inside the company aren’t addressed by
the bulk of security dollars spent on technology that addresses the
perimeter of the network.
While the problem of information exiting the company has always been
around, the depth and breadth of the problem has changed dramatically in
the past few years.
First off, information is more valuable and there’s more of it in
electronic form. For instance, there is more electronic communication,
such as email, and instant messaging. More people work remotely. Hackers
are evolving into professional criminals, and outsourcing is reaching a
fevered pitch.
Up until recently, most corporate security policy focused on keeping the
bad guys out. But now, says Jim Nisbet, chief technology officer at
Tablus Inc., ”The danger in what leaves the organization exceeds the
damage of what comes in.”
It’s the law
What’s really turned up the heat on stopping data leakage is a relatively
new patchwork of laws that make businesses liable for privacy and data
protection, and governance: California SB 1386 and A.D.1950,
Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act
(HIPAA), The Patriot Act, and Sarbanes Oxley Act (SOX), to name several.
The DeKalb Medical Center is a Decatur, Ga.-based hospital with multiple
facilities and a variety of network traffic that includes standard
business data, and local and Internet communications, as well as private
patient health information. Up until January 2004, it had no network
monitoring tools to prevent data leakage.
”Being a hospital, HIPAA put the issue on the forefront,” says Sharon
Finney, information security administrator at DeKalb, adding that with
regulation in place, noncompliance becomes actionable and public. The
deadline for HIPAA compliance is April, 2005. The hospital began
addressing HIPAA requirements three years ago.
With a clear-cut path for what it needed to do, the hospital conducted a
risk analysis, identified problem areas, established policies and
searched for a technology solution. ”We knew from the start, that we
needed a tool that could identify protected health care information out
of the box,” says Finney.
With only three monitoring products available, at the time, only Vericept
Corp. was able to meet the medical center’s turnkey requirements. DeKalb
uses the vendor’s Healthcare Compliance Solution, and Filter for HIPAA.
Not only are business being forced to comply with compliance regulations
or risk paying fines, they’re also aware of the cost of damage to the
company’s reputation. ”For DeKalb, or any organization that handles
confidential information, the damage to our reputation could be
staggering,” says Finney.
In addition to implementing a security solution to prevent data from
leaving the organization and establishing policy, education was key to a
successful outcome. DeKalb’s user population includes employees, vendors,
contractors, temporary workers, and off-site physicians and their staff.
”We had to bring users to a level where everyone was reading off of the
same page when it came to security policy and procedures,” she says.
DeKalb is currently upping the ante on data security, and is looking at
implementing a second layer of protection via an email encryption tool.
Sorting through solutions
While some tools, such as encryption or PKI, have been available for a
number of years, they tended to be difficult to manage.
”Most companies opted to focus on higher priority projects and wrote off
the cost of data loss as part of doing business,” says Paul Proctor,
vice president of security and risk strategies at Meta Group.
Currently, there are more than a dozen vendors offering solutions that
address data leakage. A fractured market, products use a variety of
techniques to identify whether data should be stopped or let through the
network. Some content monitoring and filtering solutions are application
specific, or, for example, watch email traffic, IM, or FTP. Other
products are more general and work below the application layer and look
at multiple channels.
An early Reconnex Inc,.customer, Extreme Networks, a worldwide vendor of
network infrastructure solutions, is concerned about insider threats or
the loss of high-value intellectual property.
”Depending on the size of the company and the data lost, the
ramifications can be crippling,” says Paul Hooper, CIO at Extreme. For
the high-tech company, the Reconnex inSight platform for data protection
security is viewed as an insurance policy.
In addition to help meeting regulatory compliance requirements, security
solutions that help companies protect data from leaving the corporate
network, also can help protect brand loss and a company’s competitive
stance in the market.
Like most security solutions, this next layer of security protection is
not going to help companies make money. ”What we’re selling is risk
reduction,” says Joseph Ansanelli, CEO and cofounder of Vontu Inc. He
says it’s also about saving money by preventing future events.
According to Gartner’s Mogull, limited product deployments begin at
between $20,000-$50,000 and can immediately cut down on data leakage.
”Limited product deployments may not protect everything, but if a
company has data stores that are more important than others, begin
there,” he says. Mogull suggests that companies start with small
implementations and grow from there, prioritizing where it’s important to
spend money.
Industry participants are quick to point out that preventing data leakage
is not about technology alone — it’s about people, processes and
technology. ”Companies must have a written policy and there must be
consequences for not adhering to that policy,” says Ponemon.