PC Probe: Critical data goes out of the back door
Posted on 5 Sep 2008 at 15:08
While stolen laptops, Trojan-horse malware and hackers grab security headlines, the majority of data leaks out of companies via the pockets, briefcases and emails of employees.
Smartphones, laptops, webmail accounts and USB sticks are all used by employees to legitimately hoard company files they might need, but the consequences can be grave.
With so many potential holes to plug, British organisations are struggling to keep data safe, according to research from the Ponemon Institute. Nearly two-thirds of companies experienced data leakage in the two years to June 2008, it claims.
Data leakage is "the number two company security concern after malware," said Laurent Gondicart, director of business development for EMEA at Trend Micro. "The top leakage problem is USB keys, then corporate emails (like accidentally replying to all) and webmail."
A report by Proofpoint last year found that a fifth of outbound emails result in legal, financial or regulatory exposure. "Gmail and Hotmail, for example, use SSL for security, so it's difficult to see what's going out," added Gondicart. "If it's not being monitored, you don't know how much data you are losing."
Unplugged leaks
Yet, partially because companies don't want to stop employees working outside of the office, they continue to permit workers to use USB sticks and send attachments to home email accounts.
Security firm McAfee says 132 million sensitive documents are removed from company premises on mobile devices every week, and nearly four out of ten companies have no policy for dealing with sensitive documents. Even among firms with strong policies, poor enforcement means they're pointless. "The most glaring nonsense is believing that policy and training is the solution," said Mark Fullcroft, CEO of Cyber-Ark. "I've been trained to drive, but that doesn't mean I don't break the speed limit. You can have rules in place but people ignore them. Training isn't enough - slap technology on the problem to lock things down."
Data-leakage prevention software can lock down elements of the system, disable USB ports or impose digital rights management that governs which files specific employees can copy. It's designed to inspect content throughout the enterprise to keep private data within the organisation.
In the world of converged communications this is vital. Research from IM company ProcessOne claims only 12% of firms monitor instant messaging conversations. "In many cases - under Sarbanes-Oxley [regulations] if you're dealing with a US company - you have to keep an audit trail of IM conversations and emails, but many companies don't know this," said ProcessOne CEO Mickaël Rémond.
And there are other IM leakage concerns, too. "With public IM, you don't have any guarantee you're dealing with who you think you are, so there's potential for phishing attacks."
Smartphone spillage
And as workforces grow increasingly mobile, more devices need to be locked down. A recent survey commissioned by leakage-prevention company GuardianEdge found 70% of smartphone users think it's critical to their job to access sensitive information on their handset, often using their own unsecured phone. "With more powerful phones carrying more information, and increasingly connected to corporate infrastructures, it's only a matter of time before smartphones lead to a data breach," said GuardianEdge's Ram Krishnan, who spoke to PC Pro shortly before a government aide had his BlackBerry stolen in a honeytrap sting in China.

Printed from www.pcpro.co.uk


