Confidential data loss
July 27, 2006, 9:13pm PDT | Length: 00:05:18
Data theft is one of the biggest security headaches for companies today. Joe Fantuzzi of Workshare explains how all networks are vulnerable and the steps you can take to secure them.
I'm Joe Fantuzzi, CEO at WorkShare. Today I'm here to talk to you about confidential data loss. This is happening everywhere. In the last year alone, 30 companies and governments have been reported as having major gaffes of information leaving the inside of their data networks out to somebody outside of the organization where there was a risk of loss. Let me talk about examples at work, on plane or at home for mobile warriors and other mobile warriors who are at customer sites.
Let's take the first example. SoftBank, an organization that is in Japan, recently lost a thousand names and addresses of Yahoo email people, and they lost also some personal social security information. What happened in that case is that SoftBank had to pay $40 million for those thousand names. That's a $1,000 per name.
Another example close to home is the Veteran's Administration. The VA lost 26.5 million names of VA records from 1975 to present. Those records cost U.S. taxpayers $16 million to set up a call center just to notify all those people, and now there's a class action lawsuit of $26.5 billion against the VA and the U.S. government for that loss. A third example is Ernst & Young. At a customer site called Hotels.com, one of the Ernst & Young folks actually moved information out, 250,000 names, and we've yet to know what the cost is going to be.
Now how do these things happen and what are ways technology can help prevent confidential data loss? Let's look at the at work example. In that case, what actually happened is information that was not analyzed went through the corporate firewall, through the internet to the undisclosed recipient. What should have happened is using technologies known as keywords and numeric matching for in this case the social security numbers, what would have happened is the organization analysis would have been to take that email which went through a document attachment and bounce it back to the user saying this is not allowed. Would have prevented that loss, and a $40 million fine.
In the case of the VA, there's a similar set of technologies. What happened here is that the information moved in a theft at a gentleman's home. The employee took the data home and it moved directly to the person who stole the laptop from home. Now how could that have been prevented? There are ways to do that. One is to use something called encryption and coupled with something called rights management. Encryption for data in transit would actually lock down that data, scramble it, so that when the user closed his laptop, no one would be able to use that information. And then if somebody did get hold of that information at the other end, rights management could have self-destructed the information because they were undisclosed recipient upon entering their name or their password.
The final situation at Ernst & Young is even more subtle. This employee wanted to move confidential information from the Hotels.com site but was blocked either by a firewall at the Hotels.com site or wouldn't get the information back here to be checked for confidentiality to whom he was sending it to. What he actually did was use the personal email that actually moved the information through the internet without that checking at a safe zone at his corporation. And what he did was sent that information inadvertently to the wrong person, creating the gaffe.
What could have solved that problem was the combination of two technologies. One is fingerprinting and the other is what we call end-point analysis. What would have happened in this case is the database that had the Hotels.com information would have been fingerprinted, the information would have been analyzed, and he would not been able to have sent that information out.
As we've seen, vulnerabilities exist that lead to large organization and personal costs at work, on the road and at a customer site. There are technologies that exist that can help you at work, they can help you on the road, and they can help you whether you're at a customer site to secure against these types of confidential data loss.
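
The keyword and numeric matching described for the at-work case, as an added Python example that is not part of the talk and not Workshare's product code: it scans the body and text attachments of an outbound message for social security number patterns and keywords and returns a bounce decision. The keyword list, threshold, addresses and sample records are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values for this illustration; not taken from the talk.
KEYWORDS = ("social security", "ssn", "confidential")
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Drop ranges that are never issued, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def scan_text(text):
    """Return (plausible SSN count, matched keywords) for one text block."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))
    lowered = text.lower()
    return ssns, sorted(k for k in KEYWORDS if k in lowered)

def inspect_outbound(raw_bytes, max_ssns=0):
    """Scan body and text attachments; return (decision, findings)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings, total = [], 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # binary formats need a text extractor first
        name = part.get_filename() or "body"
        ssns, words = scan_text(part.get_content())
        total += ssns
        if ssns or words:
            findings.append((name, ssns, words))
    return ("bounce" if total > max_ssns else "allow"), findings

def build_sample(attachment_text):
    """Constructed outbound message with a CSV attachment (sample data)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "employee@corp.example", "someone@outside.example"
    msg["Subject"] = "customer list"
    msg.set_content("List attached as requested.")
    msg.add_attachment(attachment_text, subtype="csv", filename="customers.csv")
    return msg.as_bytes()

if __name__ == "__main__":
    # Constructed records: two plausible numbers, one in a never-issued range.
    rows = "name,ssn\nA. Sample,123-45-6789\nB. Sample,234-56-7890\nC. Sample,000-12-3456\n"
    print(inspect_outbound(build_sample(rows)))
```

Only text parts are inspected here; office documents or archives would have to be converted to text before the same matching applies.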