wallix.com

Home > News & Events > IS News > IS News > Leaks of confidential data

Friday, 22 January 2010 10:08 administrator
E-mail Print PDF


Leaks of confidential data:
a concern for IT security managers


We often hear about thefts of confidential data, and major companies frequently hit the headlines with stories about enormous quantities of confidential customer data being lost or stolen. Depending on the type of data lost, the damage may harm a company's reputation, hit revenues or even lead to exorbitant financial penalties in the form of fines or legal proceedings. Costs can quickly reach millions of euros.

Most of these losses are accidental.

With e-mails containing more than 80% of a company's contact details, it is not surprising that the main concern of businesses is the loss of confidential data via e-mail. 95% of data loss through e-mail is unintentional: someone accidentally selecting the wrong recipient using the e-mail client's automatic search function, for example. Unfortunately, the disclaimer notice about unintended recipients and confidentiality does not reduce the importance the media place on the situation; nor does it not really reduce the legal liability of the company.

Most of these losses are accidental, except that...

Let's face it! If a disgruntled employee or a malicious subcontractor decides to seize the company's confidential information, there is not much you can do to stop them. Data loss for malicious purposes does not happen through e-mail, but through photocopying, USB sticks, burning data to CD/DVD and theft of physical property. No system for preventing data leakage is perfect!" says Jean-Noël Galzain, CEO of Wallix.

At our many meetings with IT security managers, we are able to discuss leaks of confidential data from their businesses.

The prevention of data leakage, also known as DLP (Data Leakage Protection), is very popular among publishers of security solutions. What do their potential customers think? Listening to IT security managers freely discussing the subject, we cannot help but notice the gulf between what the market offers and the issues raised around the table.

According to the vast majority of IT security managers we have interviewed, there is simply too much information in the company for control to be possible. "It seems very difficult to me to define overnight who can access what level of information. We can do it at application level, but the real difficulty lies with information. We do not know how to approach it in our company," said one security manager.

And although secure solutions do exist among DLP vendors, managers are disappointed by their relatively small scope for action."These solutions still appear immature. They take no account of the fact that the legal period for conserving information varies from one country to another, of tape archives, or of the fact there are still enormous amounts of paper storage," declares Jean-Noël de Galzain.

Between incomplete security solutions and information management and search solutions that are efficient but insecure, IT security managers are still waiting for the convergence that will save the situation." Another limitation is that DLP solutions still mainly operate in non-real time, which is also a disappointment for IT security managers. We cannot control compliance with our security policy in real time. Of course we log everything that happens, but this is for auditing later," confirms one of the IT security managers we spoke to. However, real-time operation is a target for software publishers.

The human problem

Alongside the concern over information spreading comes the problem of adapting DLP to the daily life of the company – it seems difficult to ask employees themselves to evaluate the sensitivity of the documents they create. And yet human classification is an essential part of any effective solution. "Our users are cautious, and they don't usually think that what they write may be confidential. Or else they just don't think about it," continues one security manager. His colleagues agree, and some even go so far as to say that very few people in the company could effectively evaluate confidentiality. Despite this, people are more than ever at the heart of the solution. IT security managers have understood this, and all of them insist on awareness-raising sessions for new employees and new external service providers.

Finally, all of them point out that although data leakage solutions can help avoid accidental failure to comply with the security policy (the most common scenario), they feel powerless to deal with malicious behaviour within the company. They say that this requires different tools from the ones currently available from DLP vendors. For some, it starts with more effective control over administrator rights (root, databases, Windows/Linux administrators).

Last Updated ( Tuesday, 23 February 2010 14:19 )  
IT & Security Portal» IT-Observer
Network Security and Technology - IT-Observer
  • Websense Wireless Security Expert to Present on Emerging Security & Web Content Threats in 3G at QuEST Forum EMEA
    Websense, Inc. (Nasdaq: WBSN), a global leader in web security and web filtering productivity software, today announced that Mark Fogel, vice president for Websense(R) Wireless, a Division of Websense, Inc., will be giving a presentation on Emerging Security & Web Content Threats in 3G at the third annual QuEST Forum (Quality Excellence for Suppliers of [...]
  • AI-based Security Appliance Stops MySpace Email Scam
    Espion has announced the discovery of the first email-based MySpace Spam Scam. At 5:35pm EST an email was trapped in our unprotected honey pot. At the same time an identical email was stopped by Espion´s Interceptor anti-spam and security appliance. The trapped email looks like a legitimate message from MySpace with the subject reading [New message [...]
CNET News.com
Tech news and business reports by CNET News. Focused oninformation technology, core topics include computers, hardware, software,networking, and Internet media..
CNET News.com