The assault of data breaches continues to dominate the news, and neither high tech giants nor big retailers are immune: Apple, Google, Sony, Epsilon, Michaels, and the list goes on. This onslaught most assuredly will continue as companies struggle to operate securely in a more mobile world and in the cloud. A single breach or leak of sensitive data — such as customer account records or credit card information or a company's plans for a next-generation product — can be devastating to a business in terms of competitive edge, revenue loss, and credibility.
With all the enterprise IT security applications and strategies that exist today, hackers and data leaks still manage to rear their ugly heads and expose the glaring gaps in organizations' ability to protect sensitive information. A key threat continues to be an authorized user who becomes malicious or an employee or partner who is simply careless. Many times, a technically inept employee with no intention of causing harm can create just as much bottom-line pain as someone intent on revenge. And with an IP breach or leak, the sensitive information of a company or its customers will forever remain at risk because the files can be copied repeatedly and/or stored anywhere on the Internet. Here are a few steps you can take to head off potential breaches.
1: Determine where and how sensitive information is used in your organization
Committing to an information governance strategy and making it a priority is the first step in classifying the types of information that pose risks to businesses. The Sony breach in April provided an object lesson here. According to testimony at a May 4 Congressional hearing, the company failed to use firewalls and neglected to update software that could have helped prevent the loss. And just as Sony is attempting to get back on its feet from that attack, it appears another embarrassing breach has occurred.
2: Protect files in addition to systems
This protection can be done by embedding security mechanisms directly in files themselves, without requiring client software or changing how users work. With today's mobile, cloud-based environments, that security/protection must follow the data, or the file itself, as well as provide the ability to remotely destroy the file if needed.
With advanced file protection, organizations can automatically enforce usage and protection policies for groups of sensitive files, embedding specific policies that determine how sensitive files that meet certain criteria can be used to limit who is allowed to open or forward them.
For example, organizations pay great attention to preventing leaks internally, but they can't impose internal policies on clients and suppliers who have access to sensitive information as part of business relationships. Financial services is one industry where this security problem is constantly appearing. If investment bank research information is leaked to a trading floor, insider trading concerns can spring up and catch the SEC's attention. On the other side of the coin, if investors do not have secure access to authorized research, they'll lack the information necessary to green light financing. Having the ability to enforce policies can allow investors, analysts, and others to share information safely and ensure that sensitive documents do not fall into the wrong hands.
3: Tag and track your organization's files both actively and passively
This can include digital watermarks, visible or invisible, embedded in the file. (An invisible watermark provides a registered company Copyright ID and a unique document identifier that can be logged and monitored as part of a detailed audit process.)
File tracking can pinpoint where a file is opened once it leaves the corporate network anywhere on the Internet. It should capture detailed file usage activities in real-time, letting IT know immediately when a file was opened, where it was opened, and if it was sent anywhere else.
Imagine an employee's laptop is the victim of a malware attack, and that employee has unfortunately stored a number of spreadsheets containing sensitive customer data on the computer. If the spreadsheet files have been tagged, the IT department can track and determine where the files are being read and even kill them remotely if necessary.
4: Collect usage statistics about your organization's files
Understanding document usage statistics can help put policy discovery in place right at the point of enforcement. If a business monitors where information goes out of its network over time, it begins to understand employees' habits and behaviors. This trending knowledge can heighten an organization's ability to identify changes to pattern behavior.
If a business collects real-time statistics about where a file is being used, when it is opened, and perhaps by whom, you can expose unauthorized access immediately. For example, a merchant's customer who resides in New York may receive a receipt for a purchase made on the merchant's site, and then later, the merchant may be notified that it was also opened in China or Russia, which is unexpected behavior. The merchant can then take necessary action.
5: Continue employee compliance and education training
Organizations should continue to comply with best practices for implementing traditional "depth in defense" systems (VPN, identity management, firewalls, device protection, intrusion prevention and detection, etc.). They should also follow well-documented, easily accessible privacy policies that outline how employees handle private data, with clearly defined consequences and plans to mitigate risks immediately.
File protection is key
Current security technologies successfully limit access to a company's sensitive files and information to authorized users within the confines of their corporate networks. However, once information leaves a company's network without a way to monitor or track it, or if an authorized user goes rogue and maliciously decides to share sensitive data, you have a problem. Bottom line: Your overall security strategy must now include file protection to address this glaring gap in information security.
Rob Marano is president and CEO of InDorse Technologies, which he established in 2006. Rob is also a professor at The Cooper Union and NYU.