Security Breaches: Ineptitude Goes a Long Way - Page 2

By Jeff Vance

Preventing Data Leaks Requires a Blend of Policy, Training and Technology

The data-leak problem is large and complex enough to paralyze even savvy IT professionals. However, tools are coming to market that can help.

According to experts, the first step is to develop policies and train employees. "One of the things we tell our clients is that if you don't have policies in place for blogs, wikis, social networks and the like, then you're leaving yourself at risk," Young said. He added that it's very natural for people to talk about work, and that talk often bleeds into blogs. It's no different from the corner bar or the church social.

"The problem is the Internet is so public," he said. "I can spend a little time doing research online and get a very good sense of what's going on inside major corporations."

Typically, the policy-and-training mantra is a band-aid. IT security vendors use this cliché to plug the holes their technologies can't. After all, any security posture that relies on end-user behavior is a risky one.

However, since data leaks can so easily spill into the legal arena, especially when they fall into the IP-theft category, the policy-and-training approach has quantifiable merit in this case. Organizations that place value on their data will be able to seek larger damages when that data is compromised. They will be able to fire careless employees with cause if those employees make public things they shouldn't. Clear policies and regular training undermine the "I didn't know" defense when someone is taken to task for leaking sensitive information.

That said, policies and training can only go so far. Technology is necessary, but many of the tools that help stem the data-leak problem aren't even security tools.

According to Young, the risks associated with social networking and messaging applications often point to other internal problems. "Often it's just an employee trying to solve a problem," he said. "If the enterprise solves the problem, then the risk goes away."

Crosley added that organizations often calculate risks improperly, being overly conservative when it comes to communications tools. They focus on the wrong things and don't accurately estimate the real costs associated with adopting versus ignoring a technology. Does a spike in productivity and efficiency offset the deployment cost? Does internal control offset the risk of having employees bring in technologies through the backdoor?

"If employees are desperate for good web-based email, give it to them. Don't make them resort to Gmail," he said.

Beyond tools like web-based email, VPNs, and secure wireless networking, Young pointed to email security and content monitoring as the next line of defense against data leaks. "In certain industries, especially financial, it's a must," he said.

Crosley suggested that companies that haven't developed policies or are unfamiliar with new security technologies should bring vendors into the mix. Of course, you'd expect a vendor rep to say this, but he makes a good point: "Until you know the dimensions involved with your particular enterprise, it's hard to develop policy. Most vendors will conduct an audit first, and that's the logical starting point."

Those further along with their security policies and strategies can start evaluating data-leak-prevention solutions. Startups are leading this space, with Proofpoint, Provilla, Clearswift, and PortAuthority (acquired by Websense in January 2007) all fitting the bill.

Article courtesy of Datamation

This article was originally published on Sep 8, 2007