Data Loss-prevention Efforts Stymied by Poor Processes

Protecting corporate data entails more than securing the perimeter; it requires that companies identify the data to be secured and explicitly define with processes how to prevent leaks. And according to a recent survey, not enough businesses do what it takes to prevent data leaks.

Research firm Enterprise Strategy Group recently surveyed 109 security professionals, on behalf of Reconnex, a provider of data-leak prevention appliances, to learn more about what large organizations do to secure intellectual property (IP) and corporate data shared with partners and other third parties. The findings reveal that they don’t do enough, according to ESG senior analyst Jon Oltsik.

“Although more large organizations are sharing IP with business partners each day, secure sharing depends on tight controls for IP classification, access and policy compliance, as well as knowledge of who is allowed to access which IP,” writes Oltsik in the ESG report “Extending Intellectual Property Protection Beyond the Firewall.” He goes on to say, “The fact is that without consistent definitions of IP and a standard set of policies and processes, there is simply too much room for abuse and human error.”

The survey found that a majority of companies share data with partners. Twenty-eight percent reported sharing a substantial amount of data, 32% consider themselves as sharing a moderate amount of data and another 32% said they share a small amount of data with business partners. Yet 42% of the organizations polled said intellectual property is classified in multiple departments, meaning there is no one standard set of policies and processes.

According to Oltsik, business demands often trump security concerns, and that is reflected in how companies determine which and how much data to share with which and how many business partners. Twenty percent of respondents let business manages decide what data to share, and 27% determine what data to share and with whom on an ad hoc basis. Twenty-seven percent don’t have a formal process, but do assemble a group of IT, security and business managers to come to a conclusion on data sharing, and more than 40% said they have a formal process for determining data sharing.

To stay on top of who is privy to what intellectual property, about 60% of survey respondents try to stay on top of access, usage and other security policies by monitoring firewall and application logs. Another 50% monitor network device logs, and 45% monitor network traffic to detect anomalous behavior. Close to 40% use a security event or information-management product and 17% use data-leak prevention tools. About 30% work closely with partners’ IT and security to collaborate on data access and loss prevention, the survey shows.

But even with tools in place to monitor data access, security and IT teams won’t be able to keep up, Oltsik says. About 20% of the security professionals polled in this survey indicated that they were not confident that they could identify which business partners had access to which data.

“There is no turning back at this point; driven by proven financial benefits, business managers will want to share their IP with a growing number of business partners,” Oltsik writes. “Unfortunately, these business processes will lead to a lack of control and increasing risk. CIOs must establish a standard enterprise process for IP classification” to minimize risk.

By  Denise Dubie, Network World (US)