"Financial Service Technology America, today's latest financial news now..."
No time to lose


Data loss is an oft overlooked issue that needs to be tackled immediately, says Michael Osterman.


“There are a large number of data sources and communications tools that organizations must monitor closely in order to protect corporate data from accidental or unauthorized distribution”
-Michael Osterman of Osterman Research

Consider the facts. According to a 2008 Osterman Research survey, 100 percent of organizations have deployed anti-virus capabilities, 99 percent have deployed anti-spam capabilities and 96 percent have deployed anti-spyware capabilities.

However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that do not provide true DLP functionality, only 49 percent of organizations have deployed these capabilities. Any organization should deploy DLP capabilities, but none more so than the financial services industry.

Clearly, this data suggests that organizations of all sizes are well aware of the need to monitor their inbound communications for spam and malware. However, they are not nearly as aware of the need to monitor outbound communications, or they are not taking the threat as seriously as they should. This, despite the fact that 27 percent of organizations in the same survey reported that during the previous 12 months data or information was accidentally or maliciously leaked from their organization.

Given the tight regulation of the financial services industry relative to most others, coupled with the increased level of oversight and compliance that will be required of firms in the financial services space in 2009 and beyond, DLP is not simply an option – it is a business requirement.

Knowing the risks
One of the key reasons that organizations have not yet deployed DLP systems is that many decision makers are simply not aware of the potential risks they face, nor might they be aware of the data breach examples in their own industries. For example:

  • Employees will often accidentally send confidential data in an email – such as credit card numbers, Social Security numbers or other confidential information – without realizing that the data needs to be encrypted during transmission.
  • There are many cases in which confidential data, unbeknownst to the sender, is buried in an email thread that is forwarded to others.
  • Email is sometimes sent to the wrong person, often resulting in the leak of confidential information.
  • Some employees will send confidential data via personal Webmail accounts to others or to themselves to avoid file size limitations on attachments or so that they can work on documents at home.
  • Web 2.0 applications represent a significant potential for data loss. For example, MySpace, Facebook and other social networking sites have been on the receiving end of healthcare-related data. Hidden malware installed on endpoints has harvested personal information like credit card numbers and quietly uploaded this content via HTTP/HTTPS.
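The first two scenarios above (card or Social Security numbers typed into a message, and the same data buried in a forwarded thread) are what an outbound email DLP filter is built to catch. The following is an added illustration, not code from the article or from Osterman Research: it parses a constructed outbound message, scans the whole body including the quoted thread, validates card-number candidates with the Luhn checksum so ordinary reference numbers do not trip the filter, and returns a block decision. The sample addresses, card number and SSN are constructed test values.

```python
import re
from email import message_from_string

# Constructed outbound message: the sender's own text is clean, but the
# quoted thread underneath carries a card number and an SSN.
SAMPLE_EMAIL = """From: analyst@example.com
To: partner@example.net
Subject: Fwd: account question

Forwarding the thread below for your review.

-----Original Message-----
From: ops@example.com
Customer card 4111 1111 1111 1111 was declined; SSN on file is 078-05-1120.
Order ref 1234 5678 is unrelated.
"""

# 13-16 digits, optionally separated by spaces or dashes, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# AAA-GG-SSSS with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return [m.group() for m in SSN_RE.finditer(text)]


def message_text(msg) -> str:
    """Collect every text/plain part, so quoted and forwarded content is scanned too."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")


def scan_outbound(raw: str) -> dict:
    """Return the findings and a block decision for one outbound message."""
    body = message_text(message_from_string(raw))
    cards, ssns = find_card_numbers(body), find_ssns(body)
    return {"cards": cards, "ssns": ssns, "block": bool(cards or ssns)}
```

A production filter would also decode attachments and route blocked messages to an encryption gateway or a reviewer rather than silently dropping them.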

Serious breaches
Data breaches are becoming more numerous and more serious. For example, the Privacy Rights Clearinghouse has tracked data breaches since early 2005 and has recorded many examples in which data breaches were caused by emails sent mistakenly; cases in which laptops, CD-ROMs and backup tapes with confidential data were lost or stolen; employees discarding printed content in dumpsters or at the curb for trash pickup; and many other instances in which sensitive data was compromised.

There are many risks that organizations know about and often do not address, such as employees who use corporate email systems in violation of stated policies or who use personal webmail accounts to send company data home – a 2007 Osterman Research survey found that 47 percent of organizations allow employees to use personal webmail for business purposes. There are also a variety of unknown risks, such as keystroke loggers that can infect corporate computers and distribute confidential data to hackers and others.

It is also important to distinguish between authorized and unauthorized data breaches. For example, an employee who is authorized to place information on a company website or a corporate wiki can mistakenly post confidential information. By contrast, a terminated employee who is no longer authorized to send email can still use the system to send trade secrets to competitors or others until their access credentials are removed. Whether inadvertent or intentional, the damage caused by such breaches can be enormous.

There are many tools and systems from which confidential or sensitive information can be sent in violation of corporate policy, including corporate email systems, employees’ home computers, consumer and enterprise instant messaging systems, personal Webmail accounts used at work, thumb drives and other portable storage devices, social networking tools, other Web 2.0 applications (including wikis and blogs), file transfer protocol (FTP) tools, chat tools, Skype and other consumer-oriented VoIP tools, peer-to-peer file-sharing tools, and message boards and forums.

As a result, there are a large number of data sources and communications tools that organizations must monitor closely in order to protect corporate data from accidental or unauthorized distribution, although email and instant message are clearly the most important channels to monitor given their pervasive and much more frequent use by employees than most other tools.

Potential problems

Data breaches can be very expensive: for example, an Osterman Research survey found that if a data breach were to occur in which disclosure of the breach would have to be made to customers and other external contacts, nearly two-thirds of organizations estimated that a single such breach would cost their organization at least $100,000, not to mention other operational costs, damage to their brand and other problems.

Organizations that do not properly address DLP can suffer a variety of problems, including:

  • Loss of intellectual property
  • Loss of reputation
  • Harmful legal judgments
  • Compromise of corporate security
  • Violation of statutes and compliance requirements

California’s SB1386 (the Database Security Breach Notification Act) is a far reaching law that requires any holder of personal information about a California resident to notify each resident whose information may have been compromised in some way. This requirement makes it important to retain and transmit records in an encrypted form, since doing so exempts an organization from the reporting requirement in the event of a breach.

Since California passed its groundbreaking data breach notification law, most other US states have passed similar laws. For example, Nevada put into effect a law (NRS 597.970) on October 1, 2008 that requires protection of confidential information. Massachusetts has passed a similar, but more restrictive, law that went into effect on January 1, 2009.

Osterman Research believes that most organizations are waking up to the fact that they need to implement DLP capabilities. For example, a survey that Osterman Research conducted in 2008 found that 53 percent of mid-sized and large organizations in North America will very likely or definitely invest in DLP capabilities through the first quarter of 2009. Further, the same survey found that 68 percent of organizations plan to have some DLP capability in place by the end of 2009.

Michael Osterman is President of Osterman Research, a leading analyst firm in the messaging and collaboration space.

What can be done?

There are a number of steps that organizations should undertake as they attempt to prevent data leaks in their organizations:

The first step that decision makers may want to take to solve the data breach problem is to audit the current state of electronic communication and file management in the organization. Doing so will reveal the extent of the risks that an organization faces and will help to make real the problem to IT management, as well as senior line-of-business decision makers. In many cases, this will help an organization to realize that the risks and problems it faces are not merely a potential, theoretical problem, but are instead a real and present business danger that it must address. While this is not always a necessary step given the abundance of evidence that exists for the data breach problem, it may be required by some organizations in order to convince senior managers of the extent of their own organization’s problems.

After the audit has been completed and digested by senior managers, an organization should establish very detailed and thorough corporate policies that focus on all of the issues related to the use of electronic communication and file management capabilities.

Develop country-specific requirements, since organizations must understand any regulations that govern monitoring policies, particularly in countries that place restrictions on how monitoring practices may be carried out.

The next step is to deploy the technologies that will enforce the corporate policies that have been established. While policies are necessary to establish what an organization needs to protect, they will be ineffective at solving all of the data breach problems an organization might experience.

