Disaster Waiting to Happen

The answer, probably, is yes. Hardly a week goes by without a high-profile data leak in the headlines. Home Depot, TJX, the VA, Pfizer, Monster.com, and AOL, to name only a few, have all suffered through the bad PR and legal problems that accompany data loss.

A related problem is intellectual property (IP) theft. The ease with which insiders can access, copy and move sensitive data keeps IT security pros up at night. Stories abound about insiders selling IP, using it to start their own companies or leveraging it for job offers with competitors.

In one instance, the executives of NeoGenesis Pharmaceuticals were so alarmed by the ease with which insiders could compromise IP that they set out to create a security company, Verdasys, to address the problem. An insider was attempting to steal drug formulas to start a new company, and what alerted executives was not any IT security alarm but a suspicious purchase order for CD-ROMs.

This scenario is far from unusual. What is unusual is that NeoGenesis spotted and stopped the theft. Study after study points to the rise of insider attacks. According to the U.S. Commerce Department, IP theft costs U.S. business about $250 billion each year, while also slashing nearly 750,000 jobs from the U.S. economy.

Seemingly innocuous, potentially disastrous

Data leaks and IP theft have various causes, from inadequate authentication to improperly stored data to lost laptops, but there is usually one underlying problem: flawed business processes. A bad business process can open the door to outsiders, tempt insiders or simply aid and abet a hacker or malicious insider.

A “business process” is a nebulous enough concept, but when it comes to identifying faulty ones, where do you even begin? The first thing is to understand how seemingly innocuous these can be.

Steve Roop, VP of product marketing and development for Vontu, a data loss prevention (DLP) vendor, has seen a number of small errors expose organizations to huge risks.

“Examples range from the silly to the malicious,” Roop said, “but even the silly ones can be extremely dangerous.”

Vontu has exposed a number of bad business processes. For example, a large company they work with hires an average of 400 employees per week. Each of those new hires needs business cards. The trouble is that HR has for years been sending copies of spreadsheets to their printer, the same sheets that have employees’ social security numbers, dates of birth, and other information that would put them at risk for identity theft.
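The business-card case above is a data-minimization failure: the printer needs three columns, and HR ships the whole sheet. The script below is an added illustration, not code from Vontu or from the article, of the two controls a DLP program would put around that process: strip the export down to the fields the vendor needs, then run a content check for identifiers that should never leave the company before the file is released. The HR export, the column names and the vendor field list are constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed sample HR export (not real people or numbers): the full sheet
# HR keeps internally and, in the scenario above, was sending to the printer.
HR_EXPORT_CSV = """employee_id,full_name,title,phone,ssn,dob,salary
1001,Ada Example,Analyst,555-0101,123-45-6789,1980-04-02,85000
1002,Bob Sample,Engineer,555-0102,987-65-4321,1975-11-30,95000
"""

# Assumed: the only columns a business-card printer actually needs.
PRINTER_FIELDS = ["full_name", "title", "phone"]

# Simple content-inspection patterns of the kind a DLP check applies to
# outbound files: US SSN (NNN-NN-NNNN) and ISO-style dates of birth.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}


def minimize_for_printer(csv_text, fields=PRINTER_FIELDS):
    """Return a CSV containing only the columns the vendor needs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({f: row[f] for f in fields})
    return out.getvalue()


def scan_for_sensitive_data(text):
    """Count matches per pattern; a non-empty result means the file must not be sent."""
    hits = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def release_to_vendor(csv_text):
    """Minimize first, then inspect; release only when the inspection is clean.

    Returns (ok, hits, extract): ok is True when nothing sensitive remains.
    """
    extract = minimize_for_printer(csv_text)
    hits = scan_for_sensitive_data(extract)
    return (not hits, hits, extract)


if __name__ == "__main__":
    # The raw export trips the check; the minimized extract passes.
    print("raw export:", scan_for_sensitive_data(HR_EXPORT_CSV))
    ok, hits, extract = release_to_vendor(HR_EXPORT_CSV)
    print("release ok:", ok, hits)
    print(extract)
```

The order matters: minimization removes the risk at the source, and the scan is a backstop that catches the day someone adds a column to the export or sends the wrong file. Run on the raw sheet the scan reports two SSNs and two dates of birth; run on the minimized extract it reports nothing and the release is allowed.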

“For companies to substantially reduce the risk of information loss, they need to take a risk-based approach to data security,” said William Munroe, VP of marketing for DLP vendor Verdasys.

At the heart of a risk-based approach to security is a rethinking of the most basic of 21st-century business processes: how data is created, stored, altered and moved. In essence, anything that finds its way onto desktops and other endpoints exists in the data equivalent of the Wild West. Most application servers and databases are fairly well protected, but few, if any, rules govern how data on the desktop is manipulated, replicated and stored.

Once data migrates to the desktop, it can be burned onto CD-ROMs, copied onto USB drives or MP3 players, and emailed to anyone, anywhere. Many organizations have woken up to one risk, email, but even there security is still more about outsiders (spam and phishing scams) than insider risks.
