Why the spread of social networking could lead to a spike in data leaks.
While organizations scramble to protect themselves against the next big TJX-style data breach, they're overlooking another risk: social networking. Nearly every organization has an in-house blogger, officially or not.
It doesn't have to be a Mini-Microsoft (an insider blog often critical of Microsoft) to pose problems. An enthusiastic employee who's not well-versed in corporate policy, a developer on public message boards, or even a personal blog where the employee occasionally discusses work all pose risks.
A recent survey by Forrester Consulting looked at this and other content-security problems. The survey was commissioned by Proofpoint, a provider of email security and data-leak-prevention solutions.
The July 2007 survey gathered 308 responses from U.S. companies with 1,000 or more employees. Forrester found that more than twenty percent of those surveyed had investigated the exposure of confidential, sensitive or private information via a blog or message board posting in the past 12 months.
"Security and IT professionals are just starting to wake up to blogs and message boards," said Keith Crosley, Proofpoint's director of market development. "The main concern is still outbound email, but these other forms of messaging and networking can't be overlooked."
Careless Employees Can Be as Dangerous as Malicious Ones
Usually, the intentions of employees aren't malicious, just careless. AOL's data leak of last summer provides a case in point. AOL posted information relating to search queries on its now defunct research site, violating the privacy of 658,000 subscribers. While AOL tried to protect users' identities, replacing user names with numbers, it was relatively easy to figure out who a large number of these people were because they often searched for themselves, their family and friends, and things in their neighborhoods.
AOL certainly wasn't malicious, just incredibly careless. AOL figured that this information would be useful to researchers, and they certainly didn't intend to violate customers' privacy. They just didn't think things through, leading to a huge scandal, plenty of public humiliation, the loss of a number of customers, lawsuits, and the firing of three employees, including its CTO.
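As an added example (not from the article or from any vendor named in it), here is a pre-release check of the kind that would have caught the AOL problem: even after user names are swapped for numbers, any pseudonym whose own queries contain a phone number, email address or street address is withheld, because that ID still links every search the person made. The tab-separated log layout, the regular expressions and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: pseudonymised search-log lines in an "AnonID<TAB>Query" layout.
# User names have already been replaced by numbers, as AOL did; the queries
# themselves still carry the identifying details.
SAMPLE_LOG = """\
1001\tbest pizza near me
1001\t555-867-5309
1001\t12 elm street springfield
1002\tweather tomorrow
1002\tcheap flights to denver
1003\tjane.doe@example.com password reset
1003\thow to file taxes late
"""

# Illustrative heuristics for quasi-identifiers that turn up in personal searches.
# Chosen for this example only; a real release review would use a fuller PII model.
QUASI_IDENTIFIERS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+[a-z]+\s+(?:street|st|avenue|ave|road|rd|lane|ln|drive|dr)\b", re.I
    ),
}

def parse_log(text):
    """Split 'AnonID<TAB>Query' lines into (user_id, query) pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user_id, query = line.split("\t", 1)
        records.append((user_id, query))
    return records

def find_quasi_identifiers(records):
    """Map each pseudonymous ID to the identifier types found in its own queries."""
    hits = defaultdict(set)
    for user_id, query in records:
        for kind, pattern in QUASI_IDENTIFIERS.items():
            if pattern.search(query):
                hits[user_id].add(kind)
    return {uid: sorted(kinds) for uid, kinds in hits.items()}

def release_check(text):
    """Return (safe_records, withheld): withhold every pseudonym whose queries
    re-identify it, since the shared ID links all of that user's other searches too."""
    records = parse_log(text)
    withheld = find_quasi_identifiers(records)
    safe = [r for r in records if r[0] not in withheld]
    return safe, withheld
```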
According to G. Oliver Young, an analyst with Forrester Research, the time to start worrying about content control is even before an employee enters the company. "If job candidates have questionable content on their MySpace or Facebook pages, it should raise flags," he said. "It's common now for employers to check those sites before a person is even offered an interview."
According to Proofpoint's Crosley, the scope of the problem is much larger than most people realize. "For every high-profile data-leak event, there are probably hundreds of smaller ones," he said. "These aren't publicized. They're handled internally, and the result is often a termination."
"When H.R. starts looking at an employee's online behavior, it's serious," Crosley said. In the past, employees worried about organizations nitpicking about their browsing habits. After all, as work bleeds into the personal lives of knowledge workers, many argue that it's perfectly reasonable to do some personal business during work hours. Similarly, the stress of knowledge jobs makes it equally acceptable to take a ten-minute break where you check, say, sports scores.
What Proofpoint has found is that the vast majority of employers don't worry about time wasting. If H.R. is monitoring an employee's online behavior, it's almost always related to data leakage or the theft of confidential information, not time wasting. The productivity concern is a much lower-tier issue. It won't cost you millions of dollars in shareholder value.
Data leaks and data theft don't necessarily involve online behavior, though. When the VA had its big data-leak scandal, it was due to a single IT employee losing a laptop. The probability of similar events rises as the cost of portable storage falls.
With multi-GB USB drives now on the market at low price points, VA-sized risks walk out the door each night as your employees leave the building with gigabytes of information in their pockets.
"External storage and peripherals need to be managed just as carefully as sensitive applications," said Philippe Honigman, COO and president of U.S. operations for SkyRecon Systems. "Most USB drives are delivered without built-in authentication or encryption, and the majority of organizations are simply ignoring the risks associated with these devices."
Preventing Data Leaks Requires a Blend of Policy, Training and Technology
The data-leak problem is large and complex enough to paralyze even savvy IT professionals. However, tools are coming to market that can help.
According to experts, the first step is to develop policies and train employees. "One of the things we tell our clients is that if you don't have policies in place for blogs, wikis, social networks and the like, then you're leaving yourself at risk," Young said. He added that it's very natural for people to talk about work, and that talk often bleeds into blogs. It's no different from the corner bar or the church social.
"The problem is the Internet is so public," he said. "I can spend a little time doing research online and get a very good sense of what's going on inside major corporations."
Typically, the policy-and-training mantra is a band-aid. IT security vendors use this cliché to plug the holes their technologies can't. After all, any security posture that relies on end-user behavior is a risky one.
However, since data leaks can so easily spill into the legal arena, especially when they fall into the IP-theft category, the policy-and-training approach has quantifiable merit in this case. Organizations that place value on their data will be able to seek larger damages when that data is compromised. They will be able to fire careless employees with cause if those employees make public things they shouldn't. Clear policies and regular training undermine the "I didn't know" defense when someone is taken to task for leaking sensitive information.
That said, policies and training can only go so far. Technology is necessary, but many of the tools that help stem the data-leak problem aren't even security tools.
According to Young, the risks associated with social networking and messaging applications often point to other internal problems. "Often it's just an employee trying to solve a problem," he said. "If the enterprise solves the problem, then the risk goes away."
Crosley added that organizations often calculate risks improperly, being overly conservative when it comes to communications tools. They focus on the wrong things and don't accurately estimate the real costs associated with adopting versus ignoring a technology. Does a spike in productivity and efficiency offset the deployment cost? Does internal control offset the risk of having employees bring in technologies through the back door?
"If employees are desperate for good web-based email, give it to them. Don't make them resort to Gmail," he said.
Beyond tools like web-based email, VPNs, and secure wireless networking, Young pointed to email security and content monitoring as the next line of defense against data leaks. "In certain industries, especially financial, it's a must," he said.
Crosley suggested that companies that haven't developed policies or are unfamiliar with new security technologies should bring vendors into the mix. Of course, you'd expect a vendor rep to say this, but he makes a good point: until you know the dimensions involved with your particular enterprise, it's hard to develop policy. Most vendors will conduct an audit first, and that's the logical starting point.
Those further along with their security policies and strategies can start evaluating data-leak-prevention solutions. Startups are leading this space, with Proofpoint, Provilla, Clearswift, and PortAuthority (acquired by Websense in January 2007) all fitting the bill.