News | Security | Friday 5th September 2008
Smartphones, laptops, webmail accounts and USB sticks are all used by employees to legitimately hoard company files they might need, but the consequences can be grave.
With so many potential holes to plug, British organisations are struggling to keep data safe, according to research from the Ponemon Institute. Nearly two-thirds of companies experienced data leakage in the two years to June 2008, it claims.
Data leakage is "the number two company security concern after malware," said Laurent Gondicart, director of business development for EMEA at Trend Micro. "The top leakage problem is USB keys, then corporate emails (like accidentally replying to all) and webmail."
A report by Proofpoint last year found that a fifth of outbound emails result in legal, financial or regulatory exposure. "Gmail and Hotmail, for example, use SSL for security, so it's difficult to see what's going out," added Gondicart. "If it's not being monitored, you don't know how much data you are losing."
Unplugged leaks
Yet, partially because companies don't want to stop employees working outside of the office, they continue to permit workers to use USB sticks and send attachments to home email accounts.
Security firm McAfee says 132 million sensitive documents are removed from company premises on mobile devices every week, and nearly four out of ten companies have no policy for dealing with sensitive documents. Even among firms with strong policies, poor enforcement can render them pointless. "The most glaring nonsense is believing that policy and training is the solution," said Mark Fullcroft, CEO of Cyber-Ark. "I've been trained to drive, but that doesn't mean I don't break the speed limit. You can have rules in place but people ignore them. Training isn't enough - slap technology on the problem to lock things down."
Data-leakage prevention software can lock down parts of the system, disable USB ports, or impose digital rights management that governs which files specific employees can copy. It is designed to inspect content as it moves through the enterprise so that private data stays within the organisation.
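The content-inspection step that such software performs on outbound mail can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from any of the products or vendors mentioned; it assumes a hypothetical internal domain (example.co.uk), uses a simplified UK National Insurance number pattern that does not apply every prefix rule, and runs over constructed sample messages rather than real traffic. It shows the two things the paragraph glosses over: a detector that distinguishes a real card number from any other sixteen-digit string (the Luhn check), and a policy that treats the same finding differently depending on whether the recipients are inside or outside the company, which is exactly the "accidental reply to all" case raised earlier.

```python
"""Toy outbound-mail content inspection in the style of data-leakage
prevention software. Added example for this page, not product code.
Assumptions: internal domain example.co.uk; the NI-number regex is a
simplified approximation; sample messages below are constructed."""
import re
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example.co.uk"  # assumed internal domain

# Candidate payment card number: 13-19 digits, optional single spaces/dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified UK NI number: two letters, six digits, suffix A-D (approximate).
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ninos(text: str) -> list:
    return NINO_RE.findall(text)


def external_recipients(recipients, domain=COMPANY_DOMAIN) -> list:
    """Addresses not in the company domain, e.g. webmail or a supplier."""
    return [r for r in recipients if not r.lower().endswith("@" + domain)]


@dataclass
class Verdict:
    action: str                 # "allow", "log" or "block"
    reasons: list = field(default_factory=list)


def inspect(message: dict) -> Verdict:
    """Policy: sensitive content addressed outside the company is blocked;
    the same content between internal addresses is allowed but logged."""
    body = message["body"]
    findings = []
    if find_pans(body):
        findings.append("card number")
    if find_ninos(body):
        findings.append("NI number")
    if not findings:
        return Verdict("allow")
    ext = external_recipients(message["to"])
    if ext:
        return Verdict("block", [f"{f} to {', '.join(ext)}" for f in findings])
    return Verdict("log", findings)


# Constructed sample messages (not taken from the article).
SAMPLE_MESSAGES = [
    {"to": ["finance@example.co.uk"],
     "body": "Refund card 4111 1111 1111 1111 for order 1234567890123456."},
    {"to": ["finance@example.co.uk", "bob@gmail.com"],   # accidental reply-all
     "body": "Refund card 4111-1111-1111-1111 as agreed."},
    {"to": ["hr@example.co.uk", "payroll@outsourcer.example"],
     "body": "New starter, NI number AB123456C, starts Monday."},
    {"to": ["all@example.co.uk"],
     "body": "Order 1234567890123456 shipped; tracking RR123456789GB."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = inspect(msg)
        print(v.action.upper(), "-", "; ".join(v.reasons) or "no findings")
```

The order number in the first and last messages is a sixteen-digit string that fails the Luhn check, so it is not reported; without that check a pattern-only inspector would block legitimate order confirmations and quickly be switched off, which is the enforcement failure the article's sources complain about.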
In the world of converged communications this is vital.
And there are other IM leakage concerns, too. "With public IM, you don't have any guarantee you're dealing with who you think you are, so there's potential for phishing attacks."
Smartphone spillage
And as workforces grow increasingly mobile, more devices need to be locked down. A recent survey commissioned by leakage-prevention company GuardianEdge found 70% of smartphone users think it's critical to their job to access sensitive information on their handset, often using their own unsecured phone. "With more powerful phones carrying more information, and increasingly connected to corporate infrastructures, it's only a matter of time before smartphones lead to a data breach," said GuardianEdge's Ram Krishnan, who spoke to PC Pro shortly before a government aide had his BlackBerry stolen in a honeytrap sting in China.
On top of the cost to reputation, loss of data could also attract large fines from the Information Commissioner's Office, which enforces the Data Protection Act. Firms have to protect personal data and face sanctions if they lose sensitive information, but often they don't own up to data breaches. Even if they do, it's cheaper to pay the fines than to implement expensive software for monitoring exchanges.
"In the US, people and companies are much more aware than in Europe because the legislation is much stronger," said Gondicart. "In Europe, many large companies can live with the fines - they're not high enough to make the investment worthwhile."
Another problem that hampers keeping data in-house is the scale of records that mount up. There are different rules for how long to hold records: in banking and accountancy it's seven years; for medical records it's the life of the patient. "Rules about retention take no notice of whether the communication was on paper or in an email," said Rosemary Jay, a data protection specialist at law firm Pinsent Masons.
"If you were talking about a contract or records, you'd need to keep the email for at least the duration of the contract. The longer you have to keep data, the higher the chance of losing it."
As data mountains continue to grow, the odds of more and more information seeping out of organisations seem greater than ever.