Disaster Waiting to Happen

By Jeff Vance


The answer, probably, is yes. Hardly a week goes by without a high-profile data leak in the headlines. Home Depot, TJX, the VA, Pfizer, Monster.com, and AOL, to name only a few, have all suffered through the bad PR and legal problems that accompany data loss.

A related problem is intellectual property (IP) theft. The ease with which insiders can access, copy and move sensitive data keeps IT security pros up at night. Stories abound about insiders selling IP, using it to start their own companies or leveraging it for job offers with competitors.

In one instance, the executives of NeoGenesis Pharmaceuticals were so alarmed by the ease with which insiders could compromise IP that they set out to create a security company, Verdasys, to address the problem. An insider was attempting to steal drug formulas to start a new company, and what alerted executives was not any IT security alarm but a suspicious purchase order for CD-ROMs.

This scenario is far from unusual. What is unusual is that NeoGenesis spotted and stopped the theft. Study after study points to the rise of insider attacks. According to the U.S. Commerce Department, IP theft costs U.S. business about $250 billion each year, while also slashing nearly 750,000 jobs from the U.S. economy.

Seemingly innocuous, potentially disastrous

Data leaks and IP theft have various causes, from inadequate authentication to improperly stored data to lost laptops, but there is usually one underlying problem: flawed business processes. A bad business process can open the door to outsiders, tempt insiders or simply aid and abet a hacker or malicious insider.

A “business process” is a nebulous enough concept, so when it comes to identifying faulty ones, where do you even begin? The first step is to understand how seemingly innocuous a faulty process can be.

Steve Roop, VP of product marketing and development for Vontu, a data loss prevention (DLP) vendor, has seen a number of small errors expose organizations to huge risks.

“Examples range from the silly to the malicious,” Roop said, “but even the silly ones can be extremely dangerous.”

Vontu has exposed a number of bad business processes. For example, one large company Vontu works with hires an average of 400 employees per week. Each of those new hires needs business cards. The trouble is that HR had for years been sending copies of employee spreadsheets to its business-card printer, the same sheets that contain employees’ social security numbers, dates of birth, and other information that would put them at risk of identity theft.

“For companies to substantially reduce the risk of information loss, they need to take a risk-based approach to data security,” said William Munroe, VP of marketing for DLP vendor Verdasys.

At the heart of a risk-based approach to security is a rethinking of the most basic of 21st-century business processes: how data is created, stored, altered and moved. In essence, anything that finds its way onto desktops and other endpoints exists in the data equivalent of the Wild West. Most application servers and databases are fairly well protected, but few rules, if any, govern how data on the desktop is manipulated, replicated and stored.

Once data migrates to the desktop, it can be burned onto CD-ROMs, copied onto USB drives or MP3 players, and emailed to anyone, anywhere. Many organizations have woken up to one risk, email, but even there security is still focused more on outsiders (spam and phishing scams) than on insider risks.


If you expand beyond the desktop to other endpoints, the problem intensifies. Think of point-of-sale terminals. The very public, very costly TJX data breach started with POS terminals storing data they shouldn’t have.

5 Steps Every Organization Should Take to Protect Data

1. Identify the five or six pieces or types of data that would cause serious problems if they left the organization. Examples include social security numbers, customer credit card numbers, sales records and intellectual property.

2. Figure out where sensitive data is stored within your organization. Older companies will often find that sensitive data is all over the place, even on employee desktops.

3. Once you know where that data is, establish policies for how it is created, stored, accessed, shared and secured.

4. Monitor and enforce data protection policies on email, web mail, IM and other methods of communication.

5. Create and enforce policies for data stored on endpoints and removable storage.

According to the Payment Card Industry Data Security Standard (PCI DSS), a standard that specifies how merchants handle credit card data, personal information on magnetic stripes should not be gathered and stored. Unfortunately, this sensible privacy and security process often conflicts with marketing and sales processes, which have organizations gathering consumer information wherever and however they can.

In the case of TJX, information that shouldn’t have been gathered was, and it was stored in a poorly protected manner.

“Everyone needs to become much more data aware,” said Carol Baroudi, research director, security technologies for AberdeenGroup. “At the very least, organizations need to ask: Where is data stored? Who has access? How is it protected?”

DLP attracts VC cash

Since it is so easy for organizations to overlook flawed processes, and so easy for data to travel practically anywhere in the typical e-business, DLP vendors like Verdasys and Vontu are trying to automate the discovery and enforcement of business policies as they relate to sensitive data.

At the most basic level, these tools scan information traveling over corporate networks and block so-called “structured data,” things like Social Security or credit card numbers, which are easy to spot because of their consistent formats. The more sophisticated of these tools investigate the content of the data itself, attempting to protect less structured information like intellectual property.
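As an added example (not code from the article or from any vendor it names), here is a minimal version of the format-based structured-data check described above, run over a constructed HR-style export like the spreadsheet in the Vontu anecdote; it also serves as the kind of discovery scan called for in step 2 of the sidebar. Format alone produces false positives, so card numbers must also pass the Luhn checksum and SSN-shaped numbers must fall in ranges the SSA actually issues.

```python
import re

# Added example, not from the article or any DLP vendor: a minimal detector for
# the "structured data" that DLP tools look for on the wire and on disk.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers in ranges never issued (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(text: str) -> list:
    """Return (line number, data type, masked match) for every hit in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((n, "SSN", mask(m.group(0))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((n, "PAN", mask(digits)))
    return findings

# Constructed sample: an HR-style export of the kind that should never reach a
# business-card printer. Row 3 has an unissued SSN range and a card number
# that fails Luhn; row 4 has an order number that is too short to be a card.
SAMPLE = """name,ssn,dob,card
Jane Doe,123-45-6789,1980-02-03,4111 1111 1111 1111
John Roe,000-12-3456,1975-07-08,1234 5678 9012 3456
Ann Poe,245-67-8901,1990-01-01,order 9999-1234-5678
"""
```

Calling `scan(SAMPLE)` flags the SSN and card on row 2 and the SSN on row 4, and nothing on row 3, which is the difference between a pattern match and a usable DLP rule.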

The DLP approach to data protection seems to be catching on, with the space attracting a lot of VC money. Recently, it has also seen a string of acquisitions, with DLP startups being gobbled up by established security vendors. RSA acquired Tablus, Websense bought PortAuthority, and just last month Symantec snatched up Vontu.

“The recent series of acquisitions within the DLP market offers strong evidence that DLP is in reality a small part of a much larger and emerging data security market,” Munroe said.

According to Munroe, as global companies seek to increase user productivity, business agility and competitiveness through greater collaboration between employees, partners and outsourcers, they are often brought up short when they start thinking about the risks associated with sharing data freely. Until those risks are addressed, the productivity gains promised by collaboration and “agile” business practices will fail to materialize, with the risks outweighing the possible gains.