Lock up data or lose it

Confidential data leakage can be devastating, but the cause is often ignorance rather than malicious intent

Many senior managers recognise that almost all their sensitive data is stored in electronic format and that a considerable percentage of it sits within their e-mail systems.

The very real threat is that this information is totally unsecured and can be sent from anyone in the company to anyone outside at any time.

The problem is compounded by ever-evolving external attacks from hackers, spyware and phishing, which is why implementing a comprehensive corporate governance strategy is a necessity rather than a luxury.

Confidential data leakage can not only cause irreparable harm to a company's reputation and damage investor confidence, but could also lead to massive fines and even criminal convictions.

Yet it is shockingly easy for employees to accidentally leak confidential information via e-mail. In a recent SurfControl survey, 74% of UK businesses admitted they had sustained financial loss because of such security breaches.

Moreover, 84% of all confidential data loss is generated by an organisation's own staff, mostly because of accidental misuse rather than malicious abuse.

But it is not just internal threats that must be mitigated. Organisations need to be aware of increasingly sophisticated malicious attacks designed to extract individual and corporate data.

For example, spyware is being used by politically or financially motivated hackers to monitor how a network is laid out and where confidential information is located, and key loggers are constantly working to steal passwords and access-restricted or personal data.

The days of not acknowledging the information security risks of inappropriate material travelling over the corporate network are long gone, and the ramifications of failing to protect sensitive data must not be underestimated.

Senior managers need to wake up to the fact that everything their employees read, send or receive over the company network contains a threat to the business. They are no longer able to turn a blind eye to employees' e-mail and internet activity in the belief that what they do not know will not hurt them.

One employee hitting the send button can destroy years of brand development and generate some extremely damaging front-page headlines. If lax information security leads to a data leak, it can seriously affect investor confidence, which ultimately can have a negative effect on the bottom line. Businesses that fail to take reasonable measures to prevent the leakage of confidential information may be held liable for breach of confidence if, for example, sensitive client lists are sent to a rival.

A failure to eradicate practices that threaten the safety of sensitive information may also lead to fines and even criminal convictions.

The Enron and WorldCom scandals have led to legislative and regulatory changes to protect investors by combating corporate crime and improving corporate governance.

Even if a business is not a subsidiary of a US company and so not subject to the requirements of US legislation such as Sarbanes-Oxley, it will be affected by the changing and ever more stringent laws in the UK.

The tightening of regulations in financial reporting and the strengthening of existing privacy laws compel businesses to develop policies for monitoring, reporting and archiving business transactions, which include e-mail and instant messaging.

The new legislation means that nothing should be happening within an organisation that it is unaware of, unable to find or that it cannot act upon.

To mitigate the many threats to confidential corporate data and to be regarded as open, transparent and compliant, companies should adopt a three-pronged approach to information security by integrating policy, education and technology. Many businesses already filter incoming e-mails to prevent spam and viruses from infiltrating the company network, but this is simply scratching the surface of the information security threats we face.

As part of good governance, businesses must monitor all internal and outgoing traffic. Filtering technology also enables organisations to customise and define sensitive content in line with their individual business needs.

A comprehensive governance strategy will ensure that filtering technology is backed up by an acceptable use policy that explicitly outlines how employees should use e-mail and the internet in the workplace. The policy must inform staff that monitoring will take place and that a breach could result in action up to and including dismissal.

This must be clearly communicated to all workers and backed up with education about relevant security threats and how to deal with them. Importantly, the employer must also show it is prepared to enforce the policy whenever a breach occurs, otherwise it is rendered useless.

An attitude change is needed by companies to take responsibility for internal processes and communications to effect good corporate governance, compliance and network security. The chief information officer, board and information security department must work together to implement the policies, education and technology necessary to protect corporate data.

If those at the top fail to take action, they risk a breach of security that could not only damage the company's brand value and destroy shareholder confidence, but could also ultimately end in their own imprisonment.

Steve Purdham is chief executive at SurfControl

SurfControl can be found at InfoSecurity at stand number 500

Download a free copy of Changing Attitudes, a UK White Paper on corporate governance, at www.surfcontrol.com/go/compliance
