Senior managers will often have come across instances where a bid has been lost by a narrow margin, a competitor has released a similar-looking product, or a trade secret has been patented by the competition. These incidents are neither as isolated nor as coincidental as they may appear. Lack of reporting, hush-ups, or failure to detect the real causes are some of the reasons why such incidents are not in the limelight. Yet they result in the loss of business plans, product designs, commercial information and even customers' private information, such as credit card data. Besides the financial loss, stolen information is often used for blackmail or to damage the company's reputation.
The problem arises because it is difficult to secure unstructured data (proposals, business plans, etc.) as opposed to structured data (databases). Unstructured data is normally unique, created by individual employees, and its use is determined by the employees rather than by a business process or application. For example, in most companies the employee who creates a business plan decides who to share it with, where to store it, and so forth. That plan may be just one of the numerous pieces of information the employee creates and, over a period of time, fails to track or safeguard. Do we remember all the pieces of information we have created on our computers? Probably not. The situation is compounded when such data is stored and transmitted without encryption, which opens additional avenues for compromise.
Solutions to secure unstructured data are not easy to implement, largely because the data is scattered across individual employees rather than held in a few controlled systems. However, the problem can be contained by implementing the steps outlined below.
Identify critical unstructured information assets
The value of an information asset depends on its nature and on its relevance at a point in time. For example, a copy of a proposal prior to bid opening is more valuable than the same information after bid opening. The top 10 ongoing proposals may constitute 80% of an organization's business, and are therefore more valuable than other proposals. The first step to securing unstructured data is to profile what constitutes a vital information asset and the period during which it is relevant (and therefore important). While it may not be possible to keep a complete register of this information, employees can be required to comply with information classification policies, and specific mechanisms can be set up to secure the data so classified.
Identify which employees possess critical unstructured data
Vital information assets are not in the possession of many employees. Critical unstructured data usually remains with a few people, such as senior management, their secretaries, and other key personnel; these may at best comprise 10% of an organization's staff. Identifying the employees who hold vital data allows security safeguards to be targeted at them, which is more effective than a generic, organization-wide security program.
Implement separate technology and process controls to protect data assets
Technical and procedural safeguards for desktops and laptops can be strengthened for the identified key employees. Safeguards for unstructured data should combine procedural measures, such as limiting how much of this information is exposed to helpdesk staff during support, with technical countermeasures such as laptop (full-disk) encryption and encrypted communication channels.
Set up a reporting mechanism to identify suspicious business losses
Market surprises such as lost deals and look-alike products should be carefully examined for the possibility of information leaks, and for determining if a certain employee is a common factor in more than one such occurrence. A confidential reporting mechanism backed by clear processes may also help in identifying suspicious behavior in employees.
Use DLP or email monitoring to monitor sensitive data
Monitoring of sensitive unstructured data is at best nascent. Use technologies such as email monitoring and DLP for monitoring information flow to and from suspected employees.
Design training programs for targeted employees
Many employees do not appreciate risks that are unseen or that play out over long periods of time, and people are typically trusting of close colleagues. Develop training programs that deal specifically with the security risks of unstructured information; the programs should be illustrative and convey the benefit an employee derives from taking precautions. For example, a leaked proposal may cost a salesperson their incentive.
Create a culture where refusing information on need-to-know grounds is not considered improper
Top management should lead in creating a security-aware culture among the identified key employees. Often, people may share important documents because they feel others may be offended if refused access. Information should be shared and circulated only on a need-to-know basis as this reduces the exposure of unstructured data during circulation and storage.
About the author: Lucius Lobo is the director for security consulting at Tech Mahindra. He is a Certified Information Systems Security Professional (CISSP), with close to 18 years of experience in the communications and security industries. Over the last few years, Lobo has been responsible for providing thought leadership and consultancy, in developing new security solutions for next generation telecom companies across the globe.