Well, absolutely preventing data leaks is only possible if the data never goes anywhere. But since data is vulnerable from the moment it is created, information managers need to deal with the complexities of securing it. While this is a large topic, I want to focus on two areas: policy enforcement and user education.
Do you have control over where your agency/enterprise data goes? Are you aware when employees send emails with confidential attachments to the wrong recipients? Do you know when sensitive customer or company data gets posted to external file-sharing sites? Research shows that up to 90% of sensitive data breaches are unintentional, but they can be prevented. Organizations that perform best at preventing data leaks are proactive and decisive with their investments, instead of making reactive purchases to fix a security incident that has just occurred.
I was recently talking to someone in IT about network security and employees' need to access data. I was concerned to hear that one of the big threats to networks and systems is people who personally set up something like GoToMyPC to access their office desktop/laptop. For those who are unaware, this service has you open an outbound connection from your office PC to a server on the internet. You then use another computer to connect to the same server, which forwards your commands to your office PC. Because it tunnels over port 80 (which most companies allow), the network doesn’t even recognize it as an issue. The problem, of course, is that you now have a connection through the corporate firewall from an untrusted service. This could allow an attacker to gain access to the office PC, running under the credentials of the employee, and from there to any data the employee can get at. Your corporate intellectual property (IP) could start streaming outside the company.
Another issue is with services like DropBox.COM. On the surface it seems an easy way for people to share large files when the enterprise does not provide the capability. The problem occurs when employees put confidential or proprietary data on it so they can access it when out of the office or share it with other parties. Again, an untrusted service now holds your corporate IP, and you don’t know who might be accessing it. Your security department would never be contacted if DropBox.COM discovered it had been hacked.
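Both of the cases above leave a trace in ordinary egress logs: a long-lived outbound session on port 80 to a remote-access relay, or a large upload to a consumer file-sharing host. The script below is an added example (not from the original post and not any vendor's tool) of how a security team could scan proxy or firewall logs for exactly those patterns. The log format, the user names and hostnames, the watchlist of domains, and the duration and upload thresholds are all constructed assumptions for illustration; the only real names are the two services the post mentions.

```python
import re
from dataclasses import dataclass
from datetime import timedelta

# Hypothetical watchlist built from the two examples in the post. A real
# deployment would maintain this list as part of the acceptable-use policy.
UNSANCTIONED_DOMAINS = {
    "gotomypc.com": "remote-access",
    "dropbox.com": "file-sharing",
}

# Outbound sessions on port 80 that stay open this long look like a tunnel
# rather than ordinary web browsing (threshold is an assumption).
LONG_SESSION = timedelta(minutes=30)

# Uploads of at least this size to a file-sharing host are flagged (assumption).
UPLOAD_BYTES = 5 * 1024 * 1024

# Constructed proxy-log format: <timestamp> <user> <src-ip> <dst-host>:<port>
# <bytes sent by client> <session duration in seconds>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<bytes_out>\d+) (?P<duration>\d+)$"
)

# Constructed sample lines; the hostnames and users are made up.
SAMPLE_LOG = [
    "2024-01-01T09:00:00 jsmith 10.0.0.12 www.example.com:443 2048 3",
    "2024-01-01T09:05:00 jsmith 10.0.0.12 poll.gotomypc.com:80 12000 28800",
    "2024-01-01T10:10:00 akumar 10.0.0.40 dl-web.dropbox.com:443 9437184 45",
    "2024-01-01T10:12:00 akumar 10.0.0.40 dl-web.dropbox.com:443 512 2",
    "2024-01-01T11:00:00 lwong 10.0.0.55 relay.unknown-host.example:80 4096 7200",
    "garbage line that does not parse",
]


@dataclass
class Finding:
    user: str
    dst: str
    reason: str


def base_domain(host):
    """Reduce a hostname to its last two labels for watchlist matching."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(lines):
    """Return one Finding per log line that matches a leak pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        user, dst = m["user"], m["dst"]
        port = int(m["port"])
        bytes_out = int(m["bytes_out"])
        duration = timedelta(seconds=int(m["duration"]))
        category = UNSANCTIONED_DOMAINS.get(base_domain(dst))

        if category == "remote-access":
            # Any session at all to a remote-access relay is policy-relevant.
            findings.append(Finding(user, dst, f"remote-access service on port {port}"))
        elif category == "file-sharing" and bytes_out >= UPLOAD_BYTES:
            # Small requests are probably just browsing; large uploads are not.
            findings.append(Finding(user, dst, f"{bytes_out} bytes uploaded to file-sharing service"))
        elif port == 80 and duration >= LONG_SESSION:
            # Plain HTTP sessions should be short; a persistent one is a tunnel
            # candidate even when the destination is not on the watchlist.
            findings.append(Finding(user, dst, f"port-80 session open for {duration}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.user:8} {f.dst:32} {f.reason}")
```

The three branches map onto the post's concerns in order: a known remote-access relay is flagged on sight, a known file-sharing host only when the client sends a large payload, and an unknown host only when a port-80 session persists far longer than a web request should. Run as a script it prints the findings; in a real pipeline `analyze` would feed a ticketing or alerting system and the watchlist would come from policy rather than a constant.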
In my next blog post — Preventing Data Leaks Before They Occur, Part II — I will talk more to the user education and policies that have higher impact on reducing these data leakage threats.