Complacency in Information Security Management

However, from a FBI survey it has shown that approximately 80% of incidents and threats to information integrity have more recently been through insider activities.

These events include stolen identity, loss of intellectual property, loss of customer information, and leakage of sensitive information. Indeed, the latter incidents can be damaging enough to compromise an enterprise’s position with shareholders. Leakage of client information can attract the additional attention of the ombudsman, usually resulting in negative publicity and heavy fines.

Complacency regarding the risk of insider activity is often down to lack of knowledge. Information users lack of an understanding of security risks and information owners lack an understanding of how best to minimise the data loss risk. Outdated or poorly designed procedures can cloud visibility for the information security stakeholders, making the task even more daunting. This paralysis embeds a culture of “what we don’t know can’t harm us”, and instils a dangerously false sense of reassurance for management.

The relationship between information leakage instances and reputation damage can seem tenuous before the event. In today’s real time and responsive world, the level of awareness by the general public regarding the risks may have taken Government Departments by surprise. Despite arrogant denials, the resulting loss of credibility and bruised reputation are undeniable. The probable imposition of fines would seem entirely justified.

Information security stakeholders will have heard the saying before that prevention is better than cure, and now Data Leakage Prevention (DLP) is on the lips of more CISOs and even CIOs in many boardrooms. However, really smart DLP solutions can be prohibitively expensive. How does an organisation step up to address all areas of risk and potential leakage events?

Chasing the most recently highlighted vulnerability points – be they unencrypted data on CDs or high-capacity USB music players is almost certainly not the answer. Piecemeal solutions set the business up to fail to address the problem in the long term, particularly after the next information leakage point adds a vulnerability to the corporate risk register.

The use and application of security policies is a useful step in the right direction but this approach can be easily compromised if you can not enforce or prevent user mistakes or malicious activities, in real-time.

An effective security policy is to be gauged by its impact in countering an operational security risk. There has to be considered any negative impact on users ability to easily access and share information necessary to undertake their work and add value to the organisation. The application of a general policy to one user may have a negative impact on their productivity and if not applied to another user could create an unacceptable security risk.

One of the most effective ways to address some of these dilemmas, especially within large organisations is to passively monitor activities and determine who is associated with areas of risk and what policies need to be applied to specific users and user groups. Ideally for this task to take place, a low impact tool needs to be easily applied to enable wide audit visibility.

If logs are collected from monitoring user activities they can be analysed for management reporting to determine specific areas of and the best countermeasures to be applied.

The only solutions that prevent the most information leakages are those that are universal and continuous in managing changing environments. The emphasis is for passive monitoring underpinned by creating active alerts in real time with prevention only when needed.

This brings into discussion the question of easily categorising data and what levels of categorisation need to be identified and applied. Who makes these decisions on classifications of data and what is the value of specific data now and in the future? Do you need to change and apply different policies and at different times for different users? The ideal solution must cater for this level of complexity without creating a heavy administration task.

Is it therefore complacency or a lack of knowledge or lack of a solution that is the problem for today’s terminal networked enterprises? The one thing one can guarantee there will be more new technologies and devices that will enable easier access to more information through networking anyplace and anytime.

The challenges of DLP are going to increase and be even more demanding. Perhaps we should not just rely on our regulators to force the pace of change in addressing DLP. The smarter organisations will secure data ahead of tightening data security rules, proactively they will become more competitive in how they use and manage information as genuine information safe house for their private and business communities.

For more information or a copy of our “Information Threat Prevention and Returns” whitepaper, please contact Intelligent Wave at www.iwieu.com/contact/index.htm.

Intelligent Wave Inc. Founded in Japan in 1984 and continues to develop its presence on a global basis by providing proprietary software to solve business problems in key areas of credit card payment and card management systems. This has enabled the company to progress in the provision of information security systems protecting all digital assets from insider threats and information leakages. The company develops its products and services for distribution on a regional basis in the Asia Pacific, Americas and EMEA regions. In 2001 the company became listed on the JASDAQ.

Intelligent Wave Europe. See www.iwieu.com, or call +44 (0)20 7246 2590, or email info@iwieu.com.