Confidential data leakage can be devastating, but the
cause is often ignorance rather than malicious intent
Many senior managers recognise that almost all their sensitive
data is stored in electronic format and that a considerable
percentage of it sits within their e-mail systems.
The very real threat is that this information is often unprotected
and can be sent by anyone in the company to anyone outside at any
time.
The problem is compounded by ever-evolving external attacks from
hackers, spyware and phishing, which is why implementing a
comprehensive corporate governance strategy is a necessity rather
than a luxury.
Confidential data leakage can not only cause irreparable harm to
a company's reputation and damage investor confidence, but
could also lead to massive fines and even criminal convictions.
Yet it is shockingly easy for employees to accidentally leak
confidential information via e-mail. In a recent SurfControl
survey, 74% of UK businesses admitted they had sustained financial
loss because of such security breaches.
Moreover, 84% of all confidential data loss is generated by an
organisation's own staff, mostly because of accidental misuse
rather than malicious abuse.
But it is not just internal threats that must be mitigated.
Organisations need to be aware of increasingly sophisticated
malicious attacks designed to extract individual and corporate
data.
For example, spyware is being used by politically or financially
motivated hackers to map how a network is laid out and where
confidential information is located, and key loggers are constantly
working to steal passwords and gain access to restricted or personal
data.
The days of ignoring the information security risks of
inappropriate material travelling over the corporate network are
long gone, and the ramifications of failing to protect sensitive
data should not be underestimated.
Senior managers need to wake up to the fact that anything
their employees read, send or receive over the company network
can carry a threat to the business. They are no longer able to turn
a blind eye to employees' e-mail and internet activity in the
belief that what they do not know will not hurt them.
One employee hitting the send button can destroy years of brand
development and generate some extremely damaging front-page
headlines. If lax information security leads to a data leak, it can
seriously affect investor confidence, which ultimately can have a
negative effect on the bottom line. Businesses that fail to take
reasonable measures to prevent the leakage of confidential
information may be held liable for breach of confidence if, for
example, sensitive client lists are sent to a rival.
A failure to eradicate practices that threaten the safety of
sensitive information may also lead to fines and even criminal
convictions.
The Enron and WorldCom scandals have led to legislative and
regulatory changes to protect investors by combating corporate
crime and improving corporate governance.
Even if a business is not a subsidiary of a US company and so
not subject to the requirements of US legislation such as
Sarbanes-Oxley, it will be affected by the changing and ever more
stringent laws in the UK.
The tightening of regulations in financial reporting and the
strengthening of existing privacy laws compel businesses to develop
policies for monitoring, reporting and archiving business
transactions, which include e-mail and instant messaging.
The new legislation means that nothing should be happening
within an organisation that it is unaware of, unable to find, or
unable to act upon.
To mitigate the many threats to confidential corporate data and
to be regarded as open, transparent and compliant, companies should
adopt a three-pronged approach to information security by
integrating policy, education and technology. Many businesses
already filter incoming e-mails to prevent spam and viruses from
infiltrating the company network, but this is simply scratching the
surface of the information security threats we face.
As part of good governance, businesses must monitor all internal
and outgoing traffic, not just inbound e-mail. Filtering technology
also enables organisations to define what counts as sensitive
content in line with their individual business needs.
A comprehensive governance strategy will ensure that filtering
technology is backed up by an acceptable use policy that explicitly
outlines how employees should use e-mail and the internet in the
workplace. The policy must inform staff that monitoring will take
place and that the consequences of a breach could include action up
to and including dismissal.
This must be clearly communicated to all workers and backed up
with education about relevant security threats and how to deal with
them. Importantly, the employer must also show it is prepared to
enforce the policy whenever a breach occurs, otherwise it is
rendered useless.
An attitude change is needed by companies to take responsibility
for internal processes and communications to effect good corporate
governance, compliance and network security. The chief information
officer, board and information security department must work
together to implement the policies, education and technology
necessary to protect corporate data.
If those at the top fail to take action, they risk a breach of
security that could not only damage the company's brand value
and destroy shareholder confidence, but could also ultimately end
in their own imprisonment.
Steve Purdham is chief executive at SurfControl
Download a free copy of Changing Attitudes, a UK White Paper on
corporate governance, at www.surfcontrol.com/go/compliance