Data leaks - what can we do?

I’ve been giving a lot of thought to the subject of data leakage and associated risks to the business. The problem we have right now is getting a handle on all the different vectors that data leakage can occur. Even when we do have a good idea of the scope of the subject there is probably little we can do in some instances to have the level of control that we would want over what information about our businesses is made available in the public domain.

If I were to identify one of the problems, it’s this. Data might be considered to be an asset but the lack of a solid definition around what is and what isn’t private, and the many different ways that data gets communicated has cheapened the perception of its value. There is also a fuzzy edge to the scope of business data. for instance, if I write about my organisation on this blog, does that then become business data?

Gartner have done some research on the subject in a paper by Jay Heiser entitled “Understanding Data leakage.” Jay makes the point that “It is impossible to know your organization’s rate of data leakage” and goes on to ask: “If data leaves the enterprise but nobody is aware of it, did it really leak?” Good question but I think the answer depends on who took the data out. The paper goes on to talk about the usual controls such as accessibility and preventing people using USB devices. That’s all well and good but that then leaves those who have access to the data most likely to be ones to leak it – deliberately or inadvertently. The controls don’t, for instance, prevent the CFO from having his briefcase pinched from his car while he pops into the shop to buy some milk on the way home. The controls don’t prevent his secretary from talking about what she heard in the office at the bar in the pub.

Apparently 52% of data leakages are from internal sources but of this only 1% is malicious. The corollary of this is that the level of inadvertent data breach is significant (96%). This is further deconstructed to 46% being due to employee oversight, and 50% due to poor business process (See “Data Leakage – Threats and Mitigation” by Peter Gordon). The same paper concludes by saying that the “biggest threat is probably not the external attacker (be it cracker, phisher, or social engineer), nor malicious employee, but instead the unaware employee inadvertently divulging sensitive data.” The author then simply thows his hands in the air and finishes off by saying that a “combination of technological protection, policy and process, and education should help plug this leak.”

That’s a big cop out. It might have worked ten years ago but now if I’m determined enough to find out something that I want to know then maybe I’ll just create a linkedIn account under the name of somebody senior in your company and see who’ll be my friend. Or perhaps I’ll just spend half an hour cross referencing the thousands of other useful online resources using nothing more than Google and a pencil. Maybe, I’ll just sit close to somebody from the organisation on the train and look at what’s on his laptop screen.

Technical controls, policy, education etc probably all work to some degree – they have some affinity to preventing data leakage. Let’s consider the consequences of a data.

According to the Ponemon Institute 2006 Annual Study: Cost of a Data Breach, the total cost amounts to $182.17 for every record lost and over $148million across all 31 companies surveryed for the report. That’s big money. Here’s a question. Were all those companies totally lacking in having policy, awareness and technology in place to prevent a data breach?

Of course not, some of them undoubtably had state of the art controls in place. We can lower our vulnerability to losing data through various controls but the threats are increasing at a disproportionate pace.

So, this is an open ended conversation because I don’t have any new solution to propose. For my own part I’m going to keep on trying to manage threats to company data through all the usual and expected means. Your homework this week is to list all the different ways that data can leak from your organisation and the worst case consequences from each scenario.

Here are some links for further reading….

Ponemon Report:

Web article: Messaging insecurity fuels data leakage fears;

Laptop Security Blog:

Data Auditing Blog: