Keeping Watch Over Data
With the TJX Companies' June announcement of its settlement with a multi-state group of 41 Attorneys General, resolving the States' investigations into the criminal intrusions into TJX's computer system two years ago, a chapter closed on one of the biggest data loss stories thus far. Under the settlement, TJX has agreed to provide a settlement amount of $5.5 million (USD) together with $1.75 million (USD) to cover expenses related to the States' investigations, and an additional $2.5 million (USD) to establish a new data security fund for use by the States to advance effective data security and technology. The company also said it would encourage the development of new technologies to address systemic vulnerabilities in the United States payment card system.
External threats, such as those experienced by TJX, have made headlines in recent years, but some say it is actually internal threats that need visibility. According to Economic Downturn Drives Increased Spending in IT Security Worldwide, a whitepaper published by GMG Insights, a provider of analysis, research and strategy services: “External threats have long received primary attention, but while the risk is every bit as real, most companies have mature systems and processes to address these problems. However, internal threat management is far less mature but constitutes a greater concern for many companies given the current (economic) conditions.” The paper goes on to say that internal threats are a growing concern for both mid-market and enterprise organizations stating, “Of mid-market companies, 67 percent believe layoffs have increased the exposure of IT systems and 73 percent of enterprise organizations agree.”
“It is an interesting time for sure with the economy and the state that it is in,” comments David Miller, director of the security management business unit at CA. “It drives people to do things that they might not have normally done. We hear folks willingly admit they’re breaching company policy and taking sensitive data upon their departure.” Is this a malicious act on the employee’s part? “I guess it is malicious in that you are breaking company policy and other kinds of regulatory requirements,” responds Miller. “A lot of folks might say: ‘If I lose my job, I could really use this information when I get to my next one and hit the ground running.’ We are seeing a lot of that actually. In a recent survey 50 percent said they would willingly take company-owned data—non-public information or intellectual property—with them, as they were terminated or left their job. In this environment it is much more sensitive. There is a confluence of factors in the marketplace, which is why data loss prevention (DLP) is poised for a very big year, even with budget cutbacks.”
A Growing Market
Protecting data is drawing more attention from organizations as compliance regulations and privacy concerns affect more industries than traditional ones like financial or health, which have had robust DLP solutions for some time. “We expect 70 to 75 percent of the global market to be driven by regulatory compliance and privacy protection—maybe even 80 percent,” says Mark Bloom, global product marketing, DLP for Trend Micro. “Some analysts have it at 90 to 95 percent driven by privacy protection, but we are not seeing that.” Bloom says a frequently asked question is: If my enterprise has already built a solid defense, why would I need data leak protection too? “Defending the network from external threats is critically important,” replies Bloom. “This is because the volume, severity and sophistication of external attacks have never been greater. However, threat protection does not stop there. You also have to consider threats from the authorized insider (which account for 78 percent of all threats). Studies have shown that the majority of data leaks are caused by internal employees.”
Have circumstances changed in the last year because of what Miller calls a confluence of factors? “I remember going to clients in the past and explaining why you need DLP and the reaction was: ‘My employees do not do that kind of stuff.’ Really playing the ignorance card,” says Miller. “Back then, it was almost like a two-sided sword. On the one hand, you want to identify the information that is at risk in your enterprise, but on the other hand if you identify it, then you are almost compelled to do something about it.” In describing how organizations react today to the need for DLP, Miller quotes Warren Buffett’s famous line: It takes 20 years to build a reputation and five minutes to destroy one. “I think in the last couple years people have realized a data loss event could be that five-minute event that destroys a company’s reputation. People realize that there is just too much at risk. It has gotten to this point, over the years, what with the different events getting reported and because DLP solutions are getting better and better. Today people are willing to say this is a problem to address head-on. Let’s go down that route and look for the right solution.”
Assessing Vulnerabilities
What do DLP experts believe to be the best way for an organization to ascertain vulnerabilities? David Setzer, CEO of Mailprotector/VirtualConnect, offers this formula: “Total vulnerability quotient is a combination of the volume and level of critical nature of sensitive information retained (i.e. internal financial projections, customer lists, business plans, customer credit card numbers or social security numbers, health data, etc); the number of people that must have access to this information to perform the work of the organization; and the level of control under which these individuals exist (i.e. internal office worker, mobile worker, third-party contractor or vendor).”
If an organization is curious about its vulnerabilities, DLP vendors offer services that can help with the assessment. “One way to get your feet wet with DLP is to buy a service where we go in with our product and help customers to define and work with the data owners,” says Bloom. Questions like: What does your sensitive data look like? Which data is more important than other data? Where do you have the sensitive data? are asked. “We really help them get their heads around DLP. We put in the controls and the policies and turn it on for 30 days and offer a report at the end that helps them understand their vulnerabilities. It is a really good way for people to get a sense of what the threats and exposures are and if they do in fact need some type of data loss prevention solution.”
Given the wealth of data that organizations possess, it can be daunting to try to do everything at once. “We go in and try to understand what is the most important thing for an organization to do,” says Miller. “We ask do you want to survey the field, scan and understand what sensitive data is out there? A company needs to understand that scanning big network folders is a different task than scanning desktops. Or do you want to start actively preventing data loss events from occurring? The scanning will identify the sensitive information that is exposed. Maybe we start at the network boundary to make sure stuff doesn’t leave or maybe we do it internally on our message servers so we know that certain things are not moving around internally.”
Once it is better understood what needs protection, an organization should handle that information differently. “This type of data must be put under separate access control that would desirably include version control and auditing,” advises Setzer. “When users know all their actions are tracked and logged relative to a dataset it helps promote honesty and diligence. Additionally, it is a good idea to place ‘markers’ into this data that can aid filtering and control technologies to track and quarantine inadvertent or intentional release.”
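The scanning step Miller describes (surveying folders for exposed sensitive data) and the "markers" Setzer recommends come together in a simple content scanner. The following is an added example written for this article; it is not code from CA, Trend Micro, Mailprotector or any product mentioned here. The document store, the `[CONFIDENTIAL-…]` marker format, the detection patterns and the block/review/allow policy are all assumptions chosen for illustration. Card-number candidates are confirmed with a Luhn mod-10 check so that arbitrary 16-digit order references do not trigger a finding, and reported values are masked to their last four digits, as a DLP report should be.

```python
import re
from typing import Dict, List

# Constructed sample "file store" standing in for the network folders and
# desktops a DLP scan would cover. None of this text comes from the article.
DOCUMENTS = {
    "q3_projections.txt": "[CONFIDENTIAL-FIN] Q3 revenue projection: 12.4M, headcount 310.",
    "customer_export.csv": "name,card\nAlice Example,4111 1111 1111 1111\n",
    "ticket_4417.txt": "Order ref 1234 5678 9012 3456 shipped on Monday.",
    "hr_note.txt": "Employee SSN on file: 123-45-6789 (verify with payroll).",
    "lunch_menu.txt": "Tuesday: tacos in the break room at noon.",
}

# Assumed marker format: a tag the data owner embeds in sensitive documents
# so filtering technology can recognise them without content inspection.
MARKER_RE = re.compile(r"\[CONFIDENTIAL-[A-Z]+\]")
# US social security number layout (NNN-NN-NNNN).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate payment card numbers: 13 to 16 digits with optional spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in the report so the scan itself does not leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[dict]:
    """Return every marker, SSN and Luhn-valid card number found in one document."""
    findings = []
    for m in MARKER_RE.finditer(text):
        findings.append({"kind": "marker", "value": m.group()})
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "value": mask(m.group().replace("-", ""))})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append({"kind": "card", "value": mask(digits)})
    return findings


def decide(findings: List[dict]) -> str:
    """Assumed policy: markers and card data are quarantined, SSNs go to review."""
    kinds = {f["kind"] for f in findings}
    if kinds & {"marker", "card"}:
        return "block"
    if "ssn" in kinds:
        return "review"
    return "allow"


def scan_store(docs: Dict[str, str]) -> Dict[str, dict]:
    """Scan every document and attach the policy decision to its findings."""
    results = {}
    for name, text in docs.items():
        findings = scan_text(text)
        results[name] = {"action": decide(findings), "findings": findings}
    return results


if __name__ == "__main__":
    for name, result in scan_store(DOCUMENTS).items():
        kinds = ", ".join(f"{f['kind']}={f['value']}" for f in result["findings"]) or "-"
        print(f"{result['action']:6s} {name:22s} {kinds}")
```

Run as a script it prints one line per document with the decision and masked findings; the `ticket_4417.txt` order reference is correctly left alone because it fails the Luhn check, which is the kind of false positive a naive digit-count rule would raise on every scan of a big network folder.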
Proactive Approach or After Breach?
With the market for DLP anticipated to rise, are proactive companies the ones getting on board? Not always, according to Bloom, who reveals: “25 to 30 percent of our deals are coming from customers that have had a breach and they want something right away. Many times customers won’t even do an evaluation—they just buy it. A lot of deals are coming in like that because there are so many breaches going on. Some you hear about, and some that are not publicly available. What do CEOs care about? ‘I don’t want to be on the 7 o’clock news: Protect my brand, and protect my company’.”
Is DLP for everybody? “Yes,” says Miller. The only qualification he offers is that the solutions can be complex and that a small organization might need to be careful about what it expects out of the DLP solution. “Larger organizations have a little more infrastructure to be able to handle these kinds of solutions,” Miller notes, but adds: “It is important for an organization of any size to really understand the activity that is happening in its enterprises without being oblivious to it, which will just expose you inevitably at some point.”