Privacy Advisor

The Insider Threat: How to Ensure Information Security & Mitigate Privacy Breach Risks

October 1, 2006

Joe Fantuzzi, CEO and President of Workshare

Organizations invest huge resources developing security policies and procuring protective technologies that point outwards at hackers, spyware and viruses. However, organizations are beginning to realize that there is another aspect to data security - the inside-out leakage of information. Not only do organizations need to worry about the release of valuable intellectual property, but they also face increased regulation and oversight on issues ranging from consumer privacy to financial disclosure. Companies are juggling all of this in an atmosphere of government and consumer mistrust of business.

Information is Leaking
Information security is a growing problem in organizations of all sizes. Documents that include private customer data and other confidential or otherwise sensitive information are leaving U.S. organizations at an alarming pace through email and other channels such as Blackberry's and USB drives.

Recent research sponsored by Workshare and conducted by The Insight Advantage found that the majority of corporations and government agencies in North America have no idea how much sensitive data is leaking out of their organizations. The information security study's objective was to gather insight from executives who have the following responsibilities in U.S.-based organizations with at least 1,000 employees: IT Security, Risk, Privacy, Compliance, and In-House Counsel regarding the challenges they face in protecting organizational information that is considered confidential, financial or private customer data.

Quick Fixes Don't Alleviate the Problem

Executives who participated in the study represented a broad spectrum of industries, including financial services, government, manufacturing, technology, insurance and healthcare. Results gathered from the 359 executives who participated in the study showed an overwhelming awareness of information security enforcement challenges and the fact that attempts to solve them through point solutions like PDF conversion, encryption and other inadequate technologies are simply not effective. Executives are most concerned about customer data leaking and the subsequent impact, especially negative perception of the organization's brand and loss of customers. Alarmingly, the current solutions used, regardless of industry, fail to solve the problem of information leaking or alleviate executive concerns.

Awareness Only Part of the Cure
The study shows that the level of awareness about the risks and cost of information leaks is high. However, the study also confirms that the recent rash of publicized information leaks is only the tip of the iceberg; information is leaking out of organizations in large volumes. Executives are running on blind faith that the incomplete solutions they have deployed are enough - despite their concern over and the existence of information leaks via electronic channels. This survey serves as a wake-up call to develop and implement a comprehensive data leak prevention assessment and risk mitigation plan.

Threat is Huge
The scope of this "inside-out" information security threat is staggering. According to recent data, the 200 million business users of Microsoft® Office® send more than 100 million documents over email daily. This amounts to more than 125 documents per employee per year. And this number is only taking into account the information shared over email, let alone by way of other electronic means. The threat poses serious risks that have the capacity to cost companies huge sums in lawsuits, regulatory penalties, lost business, intellectual property infringement and unquantifiable damage to the most valuable of assets - reputation. Therefore, the key challenge for in-house counsel and privacy executives is to understand and manage this risk without disrupting the critical flow of information on which the business depends.

Cure the Problem - 5 CRITICAL STEPS

In today's global business environment, information security is an ongoing challenge that requires action, measurement and periodic re-evaluation. Only through commitment and focus can organizations hope to manage the risk associated with business documents and other content leaving the organization.

4 Types of Information Leaks


  • Visible information contained in documents and messages
  • Hidden information in documents and messages
  • Entire documents that must be restricted
  • Format transformation artifacts



Examples of all these types of information leaks are abundant in the media, and have resulted in international political crisis, regulatory penalties, shareholder lawsuits, lost business and damage to reputation.

Managing the risks associated with the exchange of information requires a combination of policy and enforcement. Workshare has developed a systematic approach, based on best practices, to help organizations through the process of developing policy and implementing enforcement. The methodology involves 5 steps as follows:

STEP 1: EDUCATION: In order to accurately assess their exposure, organizations must first understand the types of risk associated with the exchange of business information. Workshare has identified three critical areas of risk: security, compliance and accuracy. Security is defined as the risk that inappropriate information accidentally or maliciously leaves the organization. Compliance is defined as the risk that information exchange policies are not adequately defined, controlled and/or auditable. Accuracy is defined as the risk that documents and other information leave the organization containing incorrect information.

STEP 2: ASSESSMENT:
In the second step, organizations evaluate the level of risk associated with key business processes. In this phase of the process, the organization does an assessment. The assessment evaluates the risk as defined in step one, the existing policies and processes used to manage these risks - or the lack thereof - and user awareness of the risks described.

STEP 3: POLICY DEVELOPMENT: In Step 3, organizations develop ways to classify risk and appropriate mitigation strategies and policies. Many organizations have developed and implemented information risk classifications. Typically, they are structured as follows:

Highly Confidential:
Information in which unauthorized disclosure will cause a company severe financial, legal or reputation damage. Examples include financial transactions, customer contracts, business and negotiation strategies, consumer privacy information and intellectual property such as trade secrets.

Confidential:
Information in which unauthorized disclosure exposes an organization to financial, legal or reputation risk. Examples include employee personnel and payroll files and intellectual property such as customer and distributor lists.

Internal Use Only:
Information that, because of its personal, technical, or business sensitivity is restricted for use within the company and its close advisors.

Unrestricted:
Information that in general can be shared, but must still be monitored and managed to mitigate information security risk.

STEP 4: POLICY IMPLEMENTATION:
Step 4 calls for implementing the education, systems, technologies and process changes necessary to enforce the policies defined in Step 3. Compliance officers and security or legal teams must now find ways to ensure that policy is enforced. This involves implementing a number of changes across the organization:

  • Educational Changes
  • Process Changes
  • Technical Changes



STEP 5: COMPLIANCE AUDITING: Step 5 requires that organizations commit to ongoing and regular auditing of compliance levels and gaps between actual and targeted results.

Organizations must put in place mechanisms to monitor and audit the enforcement, appropriateness and effectiveness of their information security safeguards. The organization should conduct regular audits of compliance levels across the three critical areas of risk, security, accuracy and compliance. This could involve reviewing "sample" sets of documents or emails at random or analysis that is more empirical to track how many Microsoft Office documents left the company perimeter containing hidden data or a visible content violation over a certain period.

Conclusion

The 5-step approach is not intended to be a comprehensive answer to information security concerns, but rather a series of best practices, highlighting the key areas to consider: understanding the areas of information security vulnerability, assessing the scope of the risk within the organization, developing risk mitigation policies and implementing them, and finally, carrying out regular audits to ensure policy compliance.

Information security is an ongoing issue that requires action, measurement and periodic re-evaluation. Only through commitment and vigilance, can organizations manage the risk associated with business information and adopt effective measures to keep the regulators away while the customers stay - knowing that they are doing business with an organization they can trust and rely on to safeguard their information.

Joe Fantuzzi is CEO and President of Workshare. He is an expert at creating well-timed, high-growth businesses in broad markets. Bringing more than 20 years experience to Workshare, Fantuzzi helped create $3 bn market valuation as an executive for industry leaders in document creation (Interleaf), multimedia (Macromedia), 3D graphics (Autodesk) and online CRM (Kana). Previous to Workshare, Joe was CEO at Liquid Engines, creating the first strategic tax management application for global enterprises and attracted the Carlyle Group as its lead investor. Prior to this, Fantuzzi was co-founder and CEO at NetDialog, a venture-backed firm sold in 1999 to Kana (US $100m). He also served as General Manager at Autodesk Discreet, growing the company's market share from 20 percent to 65 percent. Fantuzzi was Worldwide Marketing VP at Macromedia from private firm through to its public offering, and International Sales and Marketing Director at Interleaf from private firm through to its public offering.


Data On the Data Leaks


  • 94 percent of respondents reported having no visibility into how many email messages containing confidential or private information were leaving their organization each month or believed that some leaks were occurring.
  • Only 6 percent reported no information leaks.
  • 80 percent of participants reported having information leaks - through email or other electronic channels such as Blackberrys or HTTP postings - or admitted to no visibility to leaks that occurred within their organization last year. Of those, 17 percent were afraid to know how many leaks they had.
  • More than 70 percent now believe PDF does not secure information, a growing trend from a recent rash of publicized information leaks in PDF documents. Alarmingly, 46 percent are still relying on PDF file conversion to enforce their information security policies.
  • 68 percent stated personally identifiable customer data poses the greatest information risk and 56 percent said a leak of this type would result in their company losing customers.
  • 57 percent do not have a specific method for enforcing data privacy and document security policies.
  • While 100 percent of respondents consider it important to protect information within their organizations, 80 percent consider it "extremely important."


Source: Workshare, The Insight Advantage