
Business Technology

Friday, October 06, 2006

Security: Don't Spring a Data Leak

July 12, 2006 from Baseline – “The most notorious snafu: The U.S. Department of Veterans Affairs disclosed in May that it lost data on 26.5 million veterans and their spouses plus 2.2 million active military members when a worker's computer was stolen out of his home. Other organizations that have reported thefts of computers with sensitive data include Aetna, American International Group, Ernst & Young, Equifax, Union Pacific and the YMCA.

Even the Federal Trade Commission, responsible for enforcing privacy laws, disclosed in June that a laptop with unencrypted private data on 110 people was stolen from a car used by its attorneys.

From February 2005 to mid-June 2006, such security breaches have exposed information on more than 88 million individuals, according to the Privacy Rights Clearinghouse, a San Diego privacy advocacy group.

"Everyone spends a lot of time focusing on external threats," says Gartner analyst Avivah Litan, "but most of the threats are either from insiders or employees who take data home. It has nothing to do with criminals hacking into your databases."

Litan says many organizations are unprepared for accidental or deliberate data breaches: She estimates that businesses today encrypt less than 10% of all sensitive customer data. A survey this year by research firm Ponemon Institute, sponsored by encryption vendor PGP, found that 4.2% of companies use encryption across their entire enterprise (as opposed to only in select departments).

Litan predicts that companies will be fast-tracking security projects to prevent information assets from leaking out, including deploying software that stops any sensitive data from being e-mailed or copied to any outside party or device.

"Pretty soon, there's not going to be any employee privacy—everything is going to be monitored," she says.

Regions Financial, for one, has taken steps to seal the cracks. The 25,000-employee company, which operates 1,300 bank branches in 16 states, encrypts the entire hard drives of its thousands of laptops. (Zimmerman wouldn't name the encryption software Regions is using or say exactly how many laptops it maintains.)

Is scrambling every bit of data on every laptop overkill? Not to Zimmerman. "I can guarantee you that there would be confidential information on almost every laptop in the organization," he says.

But the danger of data leaks obviously extends beyond portable computers. Regions also uses software from Vericept to monitor all outgoing e-mail to make sure it doesn't include confidential information. The software uses statistical analysis on text in messages and attachments to find content that violates the company's policies. Most often, transgressions are accidental, Zimmerman notes: "People don't realize they've hit 'reply to all.'"

Some I.T. executives say portable storage devices—namely, thumb-size USB drives—scare them more than the possibility of a laptop vanishing. "If you were stealing something, why would you carry a laptop out the door when you could throw data on a 60-gigabyte USB drive?" asks Jim Brockett, chief information officer at Washington Trust Bank in Spokane, Wash.

Washington Trust this year plans to deploy software from security vendor NextSentry that will prevent any of its 900 employees' computers from using USB storage devices, and will provide other monitoring functions like flagging e-mail for certain keywords and phrases (say, "account number").

"We're not informing users about [the project]," Brockett says, "but we've let them know we have the right to monitor them."

Another lesson from the rash of data losses in the headlines is that "user education" is only effective to a point. It's certainly true that employees should be regularly updated on good data-handling hygiene. But no amount of education will eliminate careless mistakes or stop a disgruntled employee from violating a policy. Security technologies like encryption and digital rights management software, which controls access to specific pieces of content, can act like seat-belt laws—to keep computer users from hurting themselves.

"We can do training, we can do policies, but unless we monitor every laptop every single day, there's no way we can control what people put on their laptops," says Jacob Mays, assistant vice president of information technologies at Stillwater National Bank and Trust in Stillwater, Okla.

To make sure no data can be read on a lost or stolen computer, the bank fully encrypts all of its 80 laptops with PGP software, a measure it initiated last year. Employees must enter a password before Windows even boots up.

Like seat belts, security mechanisms have to be easy to use. "You can talk until you're blue in the face about the need for it, but unless it's practical, people aren't going to use it," says Jason Elizaitis, director of information technology at Fairfield Greenwich Group, a New York-based asset management firm.

Fairfield Greenwich Group, which manages $10 billion in assets for high-net-worth individuals and institutional investors, uses Liquid Machines' Document Control digital rights management software at six offices worldwide. The software lets employees encrypt and assign privileges to documents (such as flagging them for "internal use only" or "do not print"), using a drop-down menu that is installed in the menu bar of Microsoft Office applications.

Why hasn't every company on the planet put in similar safeguards?

Cost may be one issue. A sophisticated digital rights management system, for example, can run to $500 per employee, while content-filtering packages start at around $25,000. Encryption products have entry prices of $125 to $300 per employee; vendors in this market include PGP, Pointsec Mobile Technologies, Utimaco Safeware and WinMagic.

Microsoft promises to bring encryption to the masses in the forthcoming Windows Vista operating system, which includes a feature called BitLocker that can automatically encrypt a PC's entire disk.

Meanwhile, some I.T. managers still have a perception that deploying and managing encryption products is extremely complicated, says Andrew Krcik, vice president of marketing at PGP. "There's still a hangover from people having looked at encryption seriously five years ago and said, 'It's way too complex,'" he says.

Stillwater National Bank's Mays found setting up and managing laptop encryption straightforward, requiring employees to leave their laptops overnight to perform the initial full-disk encryption. He was at first concerned that the PGP encryption software would slow down the machines, but found that on any laptop less than three years old, "there's not a noticeable performance hit."

To Zimmerman of Regions Financial, the justification for encryption and content-monitoring measures boils down to this: What's the company's reputation worth? As Zimmerman puts it: "Whether we lost one record or 1 million records, our credibility with customers would be shot."

5 Steps to Prevent Data Loss

1. Guard against human error. Use security technologies, such as data encryption, as a safety net for honest mistakes.

2. When in doubt, encrypt. All laptop hard drives should be encrypted.

3. Monitor outgoing messages. Use software to block e-mail messages or file transfers with confidential data.

4. Ensure security is easy to use. Otherwise, employees will find ways to get around it.

5. Audit security practices regularly. Experts say such reviews should happen at least monthly.”
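Step 3 above, like the Vericept and NextSentry deployments described earlier in the article, comes down to scanning outgoing messages and their attachments for content that policy says must not leave the company, and blocking or flagging the message before it goes out. The Python below is an added example written for this page; it is not code from the article, from Regions, Washington Trust, or any vendor named. It runs a small policy over constructed sample messages: keyword phrases (such as "account number"), SSN-shaped and card-number-shaped digit patterns, and a Luhn check that goes beyond the article to cut false positives on digit runs that merely look like card numbers. The internal domain (example.com), the phrases, the patterns and the sample messages are all assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed policy: phrases and patterns an outgoing-mail filter should flag.
INTERNAL_DOMAIN = "example.com"          # assumption: the company's own mail domain
KEYWORD_PHRASES = ("account number", "social security", "internal use only")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Finding:
    location: str   # "subject", "body" or "attachment:<name>"
    rule: str       # which policy rule fired
    sample: str     # masked evidence, safe to write to a log


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for digit strings that could be a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(location: str, text: str) -> list[Finding]:
    """Apply every policy rule to one piece of text."""
    findings: list[Finding] = []
    lowered = text.lower()
    for phrase in KEYWORD_PHRASES:
        if phrase in lowered:
            findings.append(Finding(location, f"keyword:{phrase}", phrase))
    for m in SSN_PATTERN.finditer(text):
        findings.append(Finding(location, "pattern:ssn", mask(m.group())))
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):   # drop digit runs that fail Luhn
            findings.append(Finding(location, "pattern:card", mask(digits)))
    return findings


def external_recipients(msg: Message) -> list[str]:
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(msg: Message) -> tuple[str, list[Finding]]:
    """Return ("block" | "allow-flagged" | "allow", findings) for one outgoing message."""
    findings = scan_text("subject", msg.subject) + scan_text("body", msg.body)
    for name, text in msg.attachments.items():
        findings += scan_text(f"attachment:{name}", text)
    if findings and external_recipients(msg):
        return "block", findings            # confidential content leaving the company
    if findings:
        return "allow-flagged", findings    # internal only: deliver, but log for audit
    return "allow", []


# Constructed sample traffic (all values invented; 4111 1111 1111 1111 is a test number).
SAMPLES = {
    "reply_all_to_customer": Message(
        "alice@example.com", ["bob@example.com", "customer@mail.test"],
        "Re: your statement", "Your account number is 4111 1111 1111 1111."),
    "lunch": Message("alice@example.com", ["bob@example.com"], "Lunch", "Noon?"),
    "internal_hr_list": Message(
        "hr@example.com", ["payroll@example.com"], "Q3 list", "see attached",
        {"staff.csv": "name,ssn\nJ. Doe,123-45-6789\n"}),
    "looks_like_card": Message(
        "alice@example.com", ["vendor@mail.test"], "Ticket", "ref 1234 5678 9012 3456"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, hits = evaluate(msg)
        print(f"{name:24} {verdict:14} {[(h.location, h.rule, h.sample) for h in hits]}")
```

The block-only-when-external rule is a design choice: the article's monitoring products act on mail that leaves the organisation, while an internal message that trips a rule is better logged than stopped, since that log is what the monthly audit in step 5 reviews. The masked sample in each finding matters for the same reason: a filter that copies full account numbers into its own log has created one more place for the data to leak from.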

180 View – We replicated most of this interesting article. Good policy, training and the right tools can go a long way to mitigate the risks.

  © 2004 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved