Higher value, freer flow
"This is a problem of the evolving value of data," says Marv Goldschmitt, vice president of business development at Tizor, a data auditing and protection firm. "Data has taken on a value beyond what it originally had, and individuals don't know how to deal with that," he says. Moreover, the migration of almost all intellectual property and critical data to purely digital form, as well as the interconnectedness of corporate networks with each other and the Internet, stand in the way of discovering when data has been pilfered or that anything has gone awry, Goldschmitt says.
Security experts are painfully aware that clamping down on insider threats and data leaks is an order of magnitude more difficult than stopping malware. And while recognition of the data-security problem is spreading fast within enterprises, very few have taken steps to lock down their sensitive data and intellectual property.
"In our experience, most firms are far from addressing it," says Phil Neray, vice president of marketing at Guardium, a database threat and security monitoring firm. "These companies have hundreds of systems installed around the world but very few installed to protect intellectual property."
"The risk level is still very high," says Steve Roop, vice president of products and marketing at Vontu, one of a slew of smaller DLP (data-leak prevention) firms.
According to data accumulated from Vontu risk assessments on customer networks, approximately 2 percent of all sensitive or confidential files are exposed to theft by unauthorized personnel, and around one of every 400 e-mails that leave a company exposes sensitive data -- either sent to an unauthorized recipient or sent to an authorized recipient in an insecure form that can be sniffed or otherwise stolen.
Companies usually overlook that exposed data because their security posture is still focused on network perimeters, not on what might be going on behind the firewall or even over secure connections with business partners and suppliers, says Paul Stamp, an analyst at Forrester. "The perimeter around data is shrinking. Between joint ventures and collaborative [business to business] stuff and remote users, the perimeter has become highly porous."
Exposure via business partners and third-party contractors is a top concern at Communications Data Services (CDS), a subscription service bureau that's part of Hearst, says Paul McCarthy, director of information services. In its databases, CDS maintains files (including credit card numbers) for 155 million active subscribers to publications such as Better Homes and Gardens, U.S. News and World Report, Vogue, and Reader's Digest. Much of that sensitive data comes to CDS through channels that can be difficult to police, such as agents and third-party contractors, as well as over the phone and via the Web, McCarthy says.