While organizations scramble to protect themselves against the next
big TJX-style data breach, they’re overlooking another risk:
social networking. Nearly every organization has an in-house
blogger – officially or not.
It doesn’t have to be a Mini-Microsoft – an insider blog
often critical of Microsoft – to pose problems. An
enthusiastic employee who’s not well-versed on corporate
policy, a developer on public message boards, or even a personal
blog where the employee occasionally discusses work all pose
A recent survey by Forrester Consulting looked at this and other
content-security problems. The survey was commissioned by Proofpoint, a
provider of email security and data-leak-prevention solutions.
The July 2007 survey gathered 308 responses from U.S. companies
with 1,000 or more employees. Forrester found that more than twenty
percent of those surveyed had investigated “the exposure of
confidential, sensitive or private information via a blog or
message board posting in the past 12 months.”
“Security and IT professionals are just starting to wake
up to blogs and message boards,” said Keith Crosley,
Proofpoint’s director of market development. “The main
concern is still outbound email, but these other forms of messaging
and networking can’t be overlooked.”
Careless Employees Can Be as Dangerous as Malicious
Usually, the intentions of employees aren’t malicious,
just careless. AOL’s data leak of last summer provides a case in
point. AOL posted information relating to search queries on its now
defunct research site, violating the privacy of 658,000
subscribers. While AOL tried to protect users’ identities,
replacing user names with numbers, it was relatively easy to figure
out who a large number of these people were because they often
searched for themselves, their family and friends, and things in
AOL certainly wasn’t malicious, just incredibly careless.
AOL figured that this information would be useful to researchers,
and they certainly didn’t intend to violate customers’
privacy. They just didn’t think things through, leading to a
huge scandal, plenty of public humiliation, the loss of a number of
customers, lawsuits, and the firing of three employees, including its CTO.
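The AOL case shows why replacing user names with numbers is not anonymisation: a pseudonymous ID can still be tied to a person through what that person searched for. The following release-review check is an added example, not code from AOL or from any vendor named in this article; it runs over a constructed sample log and flags IDs whose query history carries identifying content, using deliberately simple, assumed heuristics.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real AOL data). User names have been replaced
# by numeric IDs, which is the only "anonymisation" step AOL applied.
SAMPLE_LOG = """\
1001\tbest pizza near me
1001\tpat sample realtor
1001\tpat sample springfield phone number
1001\t555-0142 missed call
1002\tweather tomorrow
1002\tpython list comprehension
1003\t12 elm street springfield for sale
1003\t12 elm street home value
"""

# Assumed, deliberately simple patterns for query text that can tie an ID to a person.
IDENTIFYING = {
    "phone number": re.compile(r"\b\d{3}-\d{4}\b"),
    "street address": re.compile(r"\b\d{1,5} [a-z]+ (?:street|st|avenue|ave|road|rd)\b"),
}

def parse_log(text):
    """Group queries by pseudonymous ID: {id: [query, ...]}."""
    by_id = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            uid, query = line.split("\t", 1)
            by_id[uid].append(query.strip().lower())
    return dict(by_id)

def repeated_phrases(queries, min_count=2):
    """Two-word phrases that recur across one user's queries. People who
    search for themselves, family or friends repeat the same names."""
    counts = Counter()
    for q in queries:
        toks = q.split()
        counts.update(set(zip(toks, toks[1:])))  # count each phrase once per query
    return sorted(" ".join(p) for p, n in counts.items() if n >= min_count)

def reidentification_risk(by_id):
    """Return {id: [reasons]} for IDs whose history could reveal who they are."""
    flagged = {}
    for uid, queries in by_id.items():
        reasons = [label for label, rx in IDENTIFYING.items()
                   if any(rx.search(q) for q in queries)]
        reasons += [f"repeated phrase '{p}'" for p in repeated_phrases(queries)]
        if reasons:
            flagged[uid] = reasons
    return flagged

if __name__ == "__main__":
    for uid, reasons in reidentification_risk(parse_log(SAMPLE_LOG)).items():
        print(uid, "->", "; ".join(reasons))
```

In this sample two of the three IDs are flagged before any release, which is the review AOL’s process lacked.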
According to G. Oliver Young, an analyst with Forrester
Research, the time to start worrying about content control is even
before an employee enters the company. “If job candidates
have questionable content on their MySpace or Facebook pages, it
should raise flags,” he said. It’s common now for
employers to check those sites before a person is even offered an
According to Proofpoint’s Crosley, the scope of the
problem is much larger than most people realize. “For every
high-profile data-leak event, there are probably hundreds of
smaller ones,” he said. These aren’t publicized.
They’re handled internally, and the result is often a
“When H.R. starts looking at an employee’s online
behavior, it’s serious,” Crosley said. In the past,
employees worried about organizations nitpicking about their
browsing habits. After all, as work bleeds into the personal lives
of knowledge workers, many argue that it’s perfectly
reasonable to do some personal business during work hours.
Similarly, the stress of knowledge jobs makes it equally acceptable
to take a ten-minute break where you check, say, sports scores.
What Proofpoint has found is that the vast majority of employers
don’t worry about time wasting. “If H.R. is monitoring
an employee’s online behavior, it’s almost always
related to data leakage or the theft of confidential information
– not time wasting. The productivity concern is a much
lower-tier issue. It won’t cost you millions of dollars in
Data leaks and data theft don’t necessarily involve online
behavior, though. When the VA had its big data-leak scandal, it was
due to a single IT employee losing a laptop. The probability of
similar events rises as the cost of portable storage falls.
With multi-GB USB drives on the market now – at low price
points – VA-sized risks occur each night as your employees
leave the building with GBs of information in their pockets.
“External storage and peripherals need to be managed just
as carefully as sensitive applications,” said Philippe
Honigman, COO and president of the U.S. operations for SkyRecon
Systems. “Most USB drives are delivered without built-in
authentication or encryption, and the majority of organizations are
simply ignoring the risks associated with these devices.”
Preventing Data Leaks Requires a Blend of Policy, Training
The data-leak problem is large and complex enough to paralyze
even savvy IT professionals. However, tools are coming to market
that can help.
According to experts, the first step is to develop policies and
train employees. “One of the things we tell our clients is
that if you don’t have policies in place for blogs, wikis,
social networks and the like, then you’re leaving yourself at
risk,” Young said. He added that it’s very natural for
people to talk about work, and that talk often bleeds into blogs.
It’s no different from the corner bar or the church
“The problem is the Internet is so public,” he said.
“I can spend a little time doing research online and get a
very good sense of what’s going on inside major
Typically, the policy-and-training mantra is a band-aid. IT
security vendors use this cliche to plug the holes their
technologies can’t. After all, any security posture that
relies on end-user behavior is a risky one.
However, since data leaks can so easily spill into the legal
arena, especially when they fall into the IP-theft category, the
policy-and-training approach has quantifiable merit in this case.
Organizations that place value on their data will be able to seek
larger damages when that data is compromised. They will be able to
fire careless employees with cause if those employees make public
things they shouldn’t. Clear policies and regular training
undermine the “I didn’t know” defense when
someone is taken to task for leaking sensitive information.
That said, policies and training can only go so far. Technology
is necessary, but many of the tools that help stem the data-leak
problem aren’t even security tools.
According to Young, the risks associated with social networking
and messaging applications often point to other internal problems.
“Often it’s just an employee trying to solve a
problem,” he said. “If the enterprise solves the
problem, then the risk goes away.”
Crosley added that organizations often calculate risks
improperly, being overly conservative when it comes to
communications tools. They focus on the wrong things and
don’t accurately estimate the real costs associated with
adopting versus ignoring a technology. Does a spike in productivity
and efficiency offset the deployment cost? Does internal control
offset the risk of having employees bring in technologies through
“If employees are desperate for good web-based email, give
it to them. Don’t make them resort to Gmail,” he
Beyond tools like web-based email, VPNs, and secure wireless
networking, Young pointed to email security and content-monitoring
as the next line of defense against data leaks. “In certain
industries, especially financial, it’s a must,” he
Crosley suggested that companies that haven’t developed
policies or are unfamiliar with new security technologies should
bring vendors into the mix. Of course, you’d expect a vendor
rep to say this, but he makes a good point: “Until you know
the dimensions involved with your particular enterprise, it’s
hard to develop policy. Most vendors will conduct an audit first,
and that’s the logical starting point.”
Those further along with their security policies and
strategies can start evaluating data-leak-prevention
solutions. Startups are leading this space, with Proofpoint, Provilla, Clearswift, and
PortAuthority (acquired by Websense in January 2007) all
fitting the bill.
Article courtesy of Datamation