Confidential information released via Wikileaks has sent governments around the world into a spin and put businesses on high alert, but one Sydney-based software developer claims to have a solution to the perennial problem of data leakage.
Peter McCallum, founder of Sydney-based security software company Softection, said a combination of a lack of processes, a lack of security software and an unnecessarily high number of staff having access to sensitive information leads to data leakage.
“Julian Assange handed me a rainbow as now people are realising they need DLP software,” McCallum said.
McCallum says data loss prevention, or DLP, should more aptly stand for “data leak protection” as enterprises grapple with ways to stop rogue employees from transferring information outside the organisation.
“It’s about managing the movement of data with software, not changing how people work,” he said.
“Our software knows the file, person, and machine and with nine permission levels can determine if information can be captured and sent by an employee.”
Softection started in 2004 and develops a client-server application in C++ and Java. Its philosophy is to have computers, not people, manage the data.
It also distinguishes between classified and unclassified data in a screen grab.
“The US cables have come out, but there are some 3000 US government employees that had access to that information,” he said.
“Some government departments in Canberra even put glue in the USB ports in their computers to stop employees using USB keys.”
McCallum said “Wikileaks syndrome” is a good way to describe the current phenomenon whereby information is being gathered and dispersed outside an organisation with inadequate DLP policies.
“Make sure the data classification ‘follows the data’ and don’t be afraid to destroy data if it is outside the organisation’s control,” he said.
McCallum said data “at rest” also needs to be protected from prying eyes, so if an employee tries to access sensitive data in transit, the attempt will be blocked.
“What if we took people out of the equation? In other words, took the decision-making power over the actual movement of critical information away from human operators?” he said.
“And what if we looked past the complexity of modern computer systems and found a way to simplify information security down to its core essentials – in other words, manage the movement of information irrespective of the computer systems it resides on, the number or rank of users accessing it, or the number of devices it could possibly be used on?”
McCallum says it’s not the technology, but the process and the concept that has been missing from the discussions since the Wikileaks scandal broke.
“Everywhere I look I see lists of things CIOs should be doing to protect their business information – multifaceted, multilayered approaches; perimeter and core protection; DLP; user access controls; policy; compliance,” he said. “All of this is important, but no one seems to be talking about the very thing we’re trying to protect – the information itself.”
“Only by managing the movement of all information going in and out of an organisation can that information be protected against accidental – and not-so-accidental – misuse or abuse. Think of it as putting all the cookies in a jar, and then managing – rather than restricting – the movement of those cookies. Forget the jar, or the people; our only concern is the cookies.”