Denial of service attacks, viruses, spyware and phishing schemes may be the best-known corporate security threats, but vendors are pushing products designed to address “content security” holes.
The content security market is huge. Infonetics Research Inc. of Campbell, Calif., forecasts the market for content security appliances and software will be US$2.4 billion in 2010. Sales of content security gateways were US$392.3 million during the third quarter of 2007, up four per cent from the previous quarter.
One area of content security is commonly referred to as data loss prevention, though the term is a bit of a misnomer (as is another term, data leakage), because the threat is not from losing data permanently. Data leakage is when employees copy data on to portable storage devices or send it to someone else by e-mail.
Vendors say users should be concerned, because employees saving data on to portable storage devices could be sharing trade secrets or other confidential information with competitors. Companies could also put themselves at risk of lawsuits if employees copy sensitive personal or corporate information — on customers or workers.
To address this concern, some vendors are pushing products that prevent employees from copying information to their own devices. For example, Vericept Edge, made by Denver-based Vericept Corp., has detection and classification software designed to look for sensitive data on desktop and notebook PCs, and blocks the unauthorized use of USB drives and iPods. It can prevent users from opening and saving sensitive files to local drives or USB drives, and can audit workers when they do save these files.
But employees don’t need USB memory sticks or iPods to cause data leakage. Data can leak out in other ways — through phone conversations, photocopies, or simply when an employee takes handwritten notes and passes it on to others. In fact, if an employee has malicious intent and even a tiny bit of IT knowledge, he or she is unlikely to save sensitive data on to a USB memory stick (or iPod or CD) or e-mail it, knowing his or her action can be detected.
When we’re talking about sensitive information, we often think of medical information, sensitive financial records or trade secrets. But some seemingly innocuous documents, which may be saved electronically, can actually contain sensitive information. For example, do your workers ever handle invoices from self-employed contractors? Do these have their social insurance numbers or residential street addresses?
IT or business managers who fret over employees with memory sticks or CDs should ask why the workers are using these devices. Could it be a simple (though crude) method of backing up data? Have you ever heard complaints from workers that he or she could not access data saved to a shared drive? Do some workers need to catch up on work at home?
If you don’t want your employees backing up data on to their memory sticks or CDs (or e-mailing files to themselves) you need to educate them on your company’s policies. For example, senior managers could say, “If the computer system crashes and you have lost all of your work, you are not responsible for reconstructing this in any way.” Or they could say, “We guarantee if the system goes down, your work will be retrieved with no delay.”
If you can’t provide such assurances to your workers, and you also tell employees they are prohibited from saving data to USB sticks, you’re putting your workers between a rock and a hard place. Who would want to work in an environment where critical data is saved electronically, on a system with unreliable backup and recovery?
When forming content security policies, IT managers should always consider what they prescribe in the context of their backup and recovery measures. Before rushing out to buy a content security product, ask whether it will actually prevent data leakage.