The keys to data protection

Leading the Way is a column written by PricewaterhouseCoopers professional staff. It appears in the Business section of the Bangkok Post twice each month. The column provides specialised advice to corporate decision-makers in Thailand on global and local business trends.

This article appeared in the December 4, 2007 issue of the Bangkok Post.

By Vilaiporn Taweelappontong

Imagine this scenario: One of your clients entrusts you with confidential details relating to an upcoming merger. You inform one of your colleagues about the details of the merger via an email on an unsecured network. Within days, news of the merger, along with the specific details that were entrusted to you, is leaked on the Internet. The client points the finger at you for the leak, and publicly announces that they will no longer do business with your organisation. While your email may or may not have been the source of the leak, you can't prove it either way, and so your reputation takes a significant blow. Could this have been avoided?

According to the 2007 results of a global information security survey by CIO magazine and PricewaterhouseCoopers, this year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. In fact, employees and former employees accounted for 69% of security breaches in 2007, up from 51% in 2006.

Confidential information leaks can cause significant financial losses, ruin reputations, and increase the possibility of stolen identities. Examples of high-risk data include customer information (e.g. names, customer IDs, passwords, credit card numbers, and credit limits), bank account information, credit card numbers, employee data, corporate data (e.g. pre-launch financial information and business strategy), and intellectual property (e.g. source code and patent applications).

There are three main channels of information leakage within an organisation. The first, "data at rest", refers to sensitive content that resides within stationary repositories such as Word documents, spreadsheets, PowerPoint presentations, desktops, and databases. According to our survey, 69% of respondents do not keep an accurate inventory of user data, and 67% do not keep an accurate inventory of where data is stored. Without such an inventory, theft of storage hardware and intellectual property can often go unnoticed.

The second channel, "data in motion", was illustrated in the scenario at the beginning of this article. This refers to sensitive information that is electronically sent both within and outside an organisation's network (e.g. e-mails, instant messages, and file transfers). Loss of confidential data through this channel occurs frequently, and is often not traceable.

The third channel is "data at endpoint", which refers to sensitive information stored on laptops and portable storage devices (e.g. USB drives, CDs, DVDs, and iPods). Use of these devices can result in offline transfers of confidential data.

To prevent data leakage, organisations should develop an effective enterprise-wide data protection framework that includes the three key data protection fundamentals: people, process and technology.

People are both perpetrators and protectors. People are the root cause of data leakage. Leaks can be caused unwittingly by careless employees, or deliberately by employees with malicious intent. Organisations need to develop clear roles and responsibilities for safeguarding information. In 2007, 28% of respondents stated that they had a chief security officer in their organisation, and a further 13% stated that creating this position would be a priority for 2008.

Specialised information protection training relevant to each employee's responsibilities needs to be consistently delivered across the organisation. Leak channels should be clearly communicated so employees understand the risks generated from each channel.

Clear, consistent processes must be communicated. A process should be developed so that all information in an organisation is classified, and handling procedures should be clearly communicated to employees. For example, an organisation's confidential data should not be transferred via instant messaging or unencrypted email. According to our survey, 57% of organisations had an overall security strategy in 2007, up from 37% in 2006.

Technology as a tool for prevention. A data loss prevention infrastructure needs to be implemented to protect confidential data while it is "at rest", "in motion" and "at endpoints". The infrastructure can employ technological tools such as firewalls, encryption, user security and data backup. The techniques these tools use vary, but they typically involve pattern or signature detection.

When properly tuned, these tools can greatly reduce the risks associated with data loss by either limiting the time the information is exposed or preventing the exposure before it happens (e.g. blocking the transfer of a sensitive document to USB as opposed to blocking the use of USB devices entirely). The tools also provide auditability by recording who exposed the information and what was exposed.

These tools, however, are not a simple plug-and-play solution. Comprehensive rule sets need to be developed and configured, business processes must be put into place and the systems need to be tuned. When used as a component in a comprehensive content monitoring programme, these tools have proven to be quite effective.
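To make the "pattern or signature detection" and the "block the sensitive transfer, not the device" idea concrete, here is an added Python example. It is not PwC's code and not any DLP product's logic; the classification label syntax, the keyword list, the channel names and the allow/block policy are all constructed for illustration. It scans a document for a classification label, Luhn-validated card numbers and a few hypothetical keywords, raises the sensitivity when the content contradicts the label, decides per channel, and writes an audit record that masks the matched numbers so the log is not itself a leak.

```python
"""Toy data-loss-prevention content check (added example; not PwC's software).

Assumptions, none of which come from the column: the "Classification:" label
format, the CONFIDENTIAL_KEYWORDS list, the channel names and the policy in
BLOCKED_FOR_CONFIDENTIAL are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical label a company might stamp on the first line of a document.
LABEL_RE = re.compile(r"^Classification:\s*(public|internal|confidential)\s*$",
                      re.IGNORECASE | re.MULTILINE)
# Hypothetical keyword signatures for deal material (constructed list).
CONFIDENTIAL_KEYWORDS = ("merger", "acquisition", "pre-launch")
# Constructed policy: confidential material may not leave via unencrypted
# e-mail, instant messaging or USB media. The channels themselves stay open;
# only the sensitive transfer is stopped.
BLOCKED_FOR_CONFIDENTIAL = frozenset({"email_plain", "im", "usb"})
KNOWN_CHANNELS = BLOCKED_FOR_CONFIDENTIAL | {"email_encrypted", "internal_share"}
RANK = {"public": 0, "internal": 1, "confidential": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid card numbers (digits only) present in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> str:
    """Sensitivity = the label, raised (never lowered) by content signatures."""
    level = "internal"            # constructed default for unlabelled material
    m = LABEL_RE.search(text)
    if m:
        level = m.group(1).lower()
    lowered = text.lower()
    if find_card_numbers(text) or any(k in lowered for k in CONFIDENTIAL_KEYWORDS):
        # A mislabelled or stale "Public" label must not let real card data out.
        level = max(level, "confidential", key=RANK.get)
    return level


@dataclass
class Verdict:
    action: str                   # "allow" or "block"
    sensitivity: str
    reasons: List[str]
    audit: Dict[str, object]      # who tried to move what, over which channel


def inspect_transfer(text: str, channel: str, user: str) -> Verdict:
    """Decide whether `user` may send `text` over `channel`, and record it."""
    if channel not in KNOWN_CHANNELS:
        raise ValueError(f"unknown channel: {channel}")
    cards = find_card_numbers(text)
    sensitivity = classify(text)
    reasons = []
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s)")
    reasons += [f"keyword '{k}'" for k in CONFIDENTIAL_KEYWORDS if k in text.lower()]
    block = sensitivity == "confidential" and channel in BLOCKED_FOR_CONFIDENTIAL
    audit = {
        "user": user,
        "channel": channel,
        "sensitivity": sensitivity,
        "action": "block" if block else "allow",
        # Keep only the last four digits so the audit log does not leak the PAN.
        "matches": ["*" * (len(c) - 4) + c[-4:] for c in cards],
    }
    return Verdict(audit["action"], sensitivity, reasons, audit)


# Constructed sample documents (not real data). 4111 1111 1111 1111 is the
# well-known test number; the second one differs in its last digit and fails Luhn.
MERGER_MEMO = """Classification: Internal
Notes on the proposed merger with Example Co (constructed sample).
Card on file for the advisory retainer: 4111 1111 1111 1111
"""
NEWSLETTER = """Classification: Public
Order reference 4111 1111 1111 1112 (constructed; not a valid card number).
"""

if __name__ == "__main__":
    for doc, channel in ((MERGER_MEMO, "email_plain"),
                         (MERGER_MEMO, "email_encrypted"),
                         (NEWSLETTER, "usb")):
        v = inspect_transfer(doc, channel, "alice")
        print(channel, v.action, v.sensitivity, v.reasons, v.audit["matches"])
```

The memo is labelled "Internal" but contains a real-looking card number and deal language, so the content signatures raise it to confidential: it is blocked on plain e-mail yet allowed on encrypted e-mail, which is exactly the "block the sensitive transfer, not the tool" behaviour the column describes. The newsletter's digit run fails the Luhn check and is ignored, which is the tuning step that keeps a rule set from flooding the audit log with false positives.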

In Thailand, concerns over data leakage are increasing. Leakage through endpoint devices seems to be the primary concern for management. We have seen many organisations take steps to protect their assets by investing in device control and encryption technologies. Some organisations have started to look for technologies to protect data at rest and data in motion. With the right employee security strategy, processes implemented, and technologies in place, organisations may be able to steer clear of the scenario outlined at the beginning of this article.

The 2007 Global State of Information Security report is available to download at www.pwc.com.


Contacts
Vilaiporn Taweelappontong
Director
Advisory
Tel: +[66] (0)2 344 1000
Fax: +[66] (0)2 286 4440

© 2007-2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.