Most organisations now need an umbilical link to the internet to undertake day-to-day business processes, but dealing with the security threats associated with working online is a cause of great concern for company executives. Senior managers are beginning to recognise that almost all of their sensitive data is stored in electronic format, and that a considerable percentage of it sits within their e-mail systems. The real threat is that this information is totally unsecured, and can be sent from anyone in the company to anyone outside it at any time.
This is a risk to every company's sensitive data, whether it is customer information, sales forecasts, financial results or details of a top secret new product in the early stages of development. And the problem is compounded by ever more sophisticated external attacks such as hacks, spyware and phishing. This is why the implementation of a comprehensive risk management strategy is no longer a luxury - it is essential.
Leaking data - why risk it?
Leakage of confidential data can not only cause irreparable harm to a company's reputation and damage investor confidence, but could also lead to massive fines, or even criminal convictions. Yet it is shockingly easy for employees to accidentally leak confidential information via e-mail.
A recent SurfControl survey of UK businesses found that 74% of businesses acknowledged financial losses from such security breaches. Moreover, 84% of all confidential data loss is generated by an organisation's own internal staff, and the majority of it is due to accidental cases of misuse rather than malicious cases of abuse.
The power of e-mail should not be underestimated. At the click of a button, one employee can devastate the integrity of a company's reputation and brand, or even ruin an individual's life. For example, an employee at the Palm Beach County Health Department in the US recently and accidentally e-mailed 800 medical staff the complete records of 4,500 patients diagnosed with AIDS and of another 2,000 who were HIV-positive. In addition, hundreds of leaked internal memos containing sensitive information from organisations throughout the world can be accessed simply by visiting websites such as internalmemos.com.
In the UK, the City has reported a rise in employees using e-mail and instant messaging (IM) technology to leak commercially sensitive information on purpose and free from detection. This is especially common during merger and acquisition talks, when the confidentiality of information can mean success or failure.
A report by Bourne Research revealed that 50% of those working for UK investment banks now use IM, because its real time nature makes it ideal for exchanging information in informal networks spanning different continents and time zones. However, public IM is not secure and is extremely difficult to monitor, making it a breeding ground for abuse and the perfect medium through which sensitive data can be leaked.
It is not just internal threats like these that must be countered. Organisations need to be aware of the increasingly sophisticated malicious attacks that are designed to extract individual or corporate data. For example, spyware is now being used by politically or financially motivated hackers to monitor how an organisation's network is laid out and where confidential information is located, and keyloggers are constantly working to steal passwords and gain access to restricted data. In addition, the transmission of sensitive information over standard e-mail, even between appropriate personnel, can put a company at risk, as it is not secure and can be accessed by hackers or disgruntled employees.
Security - a boardroom issue
The days of refusing to acknowledge the information security (IS) risks of inappropriate material travelling over the corporate network are long gone. The ramifications of failing to protect sensitive data should not be underestimated. The Department of Trade and Industry's 2004 Information Security Breaches Survey puts the price of this threat at several billion pounds. The average cost of an incident is £12,000, although there is also the risk that a single event might have calamitous consequences.
Senior managers need to wake up to the fact that everything their employees read, send or receive over the company network contains a threat to the business. They can no longer turn a blind eye to employees' e-mail and internet activity in the belief that what they do not know will not hurt them.
It is a disturbing truth, but, by simply hitting the send button, one employee can destroy years of brand development and generate some extremely damaging front page headlines. Furthermore, lax IS resulting in data leakage can have serious impacts on investor confidence, and this may ultimately have a significant negative impact on the bottom line. Moreover, businesses that fail to take reasonable measures to prevent the leakage of confidential information may be held vicariously liable for breach of confidence if, for example, sensitive client lists are sent to a competitor.
A failure to eradicate practices that threaten the safety of sensitive information may also now lead to fines, or even criminal convictions.
High profile corporate scandals, such as those that engulfed both Enron and WorldCom, have led to a number of legislative and regulatory changes, enacted to protect investors by combating corporate crime and improving corporate governance.
Even if a business is not a subsidiary of a US company and therefore subject to the requirements of US legislation such as Sarbanes-Oxley, it will be affected by the changing and ever more stringent laws in the UK and elsewhere in Europe. These changes are primarily intended to impose tighter regulation of internal controls over financial reporting and disclosure.
They are also designed to strengthen existing privacy laws and compel businesses to develop policies for the monitoring, reporting and archiving of business transactions.
In essence, the legislation means that nothing should be happening within an organisation that it is unaware of, unable to find or unable to act upon. The ability to monitor, observe and report on all data traffic is essential, and technology is the only way to do this effectively.
Policy, education and technology
To mitigate the many threats to corporate confidential data and to be regarded as an open, transparent and compliant organisation, companies should adopt a three-pronged approach to IS by integrating policy, education and technology. Many businesses already filter incoming e-mails to counter the risks of spam or viruses infiltrating the company network, but this merely scratches the surface of the IS threats that organisations face.
My own organisation recently found that 24% of corporate e-mail users claim to have received confidential information from sources at other companies, illustrating the inadequacy of the measures that are currently in place to protect against data leakage. As part of good governance, businesses must now monitor all internal and outgoing traffic as well.
Leading filtering technology also enables organisations to customise and define sensitive content in line with their individual business needs.
A comprehensive risk management strategy will ensure that filtering technology is backed up by an acceptable use policy (AUP) that explicitly outlines how employees should use e-mail and the internet in the workplace. The policy must inform staff that monitoring will take place and outline the consequences of a breach, up to and including dismissal. This must be clearly communicated to all workers and backed up with education about relevant security threats and how to deal with them.
To be effective, employees need to understand their own roles and responsibilities and how they can contribute to the company's IS objectives. Importantly, the employer must also show that it is prepared to enforce the AUP whenever a breach occurs, otherwise it is rendered useless.
Both home and mobile working are becoming increasingly common, and while these provide organisations with much greater flexibility, they also bring with them a raft of potential security problems. As the mobile workforce grows, so does the threat to an organisation's data, as many businesses have little or no control over the ways that employees use their business notebooks on the move. To be fully protected, companies must ensure that both the AUP and the filtering technology are extended to non-office-based conduct, so that mobile users do not engage in inappropriate online activity.
As the internet evolves, so too does the nature of the threats to which users are exposed. Businesses must not operate under the misconception that once a strategy has been implemented the problem will be overcome.
This form of complacency will simply leave the business vulnerable as new threats emerge to target the corporate network. In short, having a merely reactive solution in place will always leave the business susceptible.
By the time the problem has been identified, the damage may well have already been done.
An attitude change is needed. The CIO, board and IS department must work together to implement the policies, training and technology necessary to protect corporate data. If those at the top fail to take the requisite action they risk a breach of security that could not only damage the company's brand value and destroy shareholder confidence, but could end in their own imprisonment.
- Steve Purdham is CEO of SurfControl. A free copy of SurfControl's 'Changing Attitudes - A UK White Paper on Corporate Governance' can be downloaded at www.surfcontrol.com/go/compliance
CORPORATE CONFIDENTIALITY FACTS
- After spam, the leakage of confidential information ranks as the key security issue facing corporations.
- 24% of corporate e-mail users acknowledge receiving confidential information from employees at other companies.
- 84% of confidential information loss is generated internally by employees.
- 74% of corporations acknowledge financial losses due to security breaches.
- 28% of employees have used corporate e-mail to send sexually orientated content to co-workers (3-4% of employees send such material every day).
Source: SurfControl Content Survey 2004
TOP TIPS FOR IT GOVERNANCE
- Have an acceptable use policy in writing, and ensure it is communicated to all employees.
- The IT department must thoroughly understand policy to ensure accurate and appropriate execution.
- Ensure that employee web activity is business related.
- Establish rules to manage employees' e-mail communications and the company's data.
- Manage instant messaging (IM) on the network; it is a part of governance.
- Extend the acceptable use policy to cover the company's mobile workforce and mobile devices.
- Stop unwanted content, to ensure the network is available for business use.