If you ask Websense Inc. whether most Canadian companies are as secure as they think they are, the answer is a resounding no. According to a study commissioned by the San Diego, Calif.-based software firm, the vast majority of those interviewed described themselves as being confident in their security policy and technology, a confidence that is misplaced, the company says.
The reason Websense is most concerned is that a large portion of the data loss reported in the survey was accidental. This included posting to social media sites, taking files offsite on insecure mobile devices and transferring files to flash drives. “Considering all of these things that are happening, we wanted to find out, are the IT managers ahead of the curve from a confidence level or are they getting stressed out and going around the bend?” Fiaaz Walji, Canadian country manager for Websense Inc., said.
What Websense suggests is implementing DLP (Data Loss Prevention) software, like its Data Security product, that prevents users from forwarding, copying or moving data that fits into a predetermined set of filters. James Quin, senior research analyst at Info-Tech Research Group Inc., said this is DLP’s strength. “DLP makes it harder for (hackers) and what it’s really really good at is ensuring those accidental data losses,” he said.
Walji said it might not be just IT managers that are to blame for being overconfident in data security. “Part of this confidence can be blamed to vendors. If you think about all of the myriad of smaller vendors that have one or two point solutions … it might be part of a vendor issue (where they say) ‘yeah, we’ve got that covered, we’ve got that covered,’ which leads (managers) to this overconfidence,” he said.
Quin agreed that DLP can be a valuable and viable tool in fighting data leaks but he’s not ready to call it security’s silver bullet. “It’s not going to replace things like encryption by itself, but it is a great addendum or supplement to those tools,” he said. “Now when I say it’s not a silver bullet, that statement is there because if someone truly, maliciously wants to steal your data, they’re going to find a way to do so.”
Quin said that even though DLP is effective in keeping employees, and even executives, from copying or forwarding the wrong kinds of files and data types, if someone really wants to access your systems, it can’t be the only line of defense. “You can stop them printing it, you can stop them dumping it onto a USB key, you can stop them emailing it or IMing it, but you can’t stop them writing it down on a piece of a paper and a pencil,” he said. “You can’t stop them taking a photograph of their screen, showing the data.”
The study said losing sensitive company data was actually rated by managers as a larger stress than “getting a divorce or losing their jobs.” Walji said companies have to look beyond just limiting which devices can access what and which kinds of Web sites employees can visit; the onus is on them to identify which of the information they store would be the most catastrophic if leaked (customer records, credit card numbers) and to focus on creating as many technical and policy-based blocks as possible to keep it safe.
The report is part one of a two-part study, the conclusion of which will be released in March 2012. Websense Inc. commissioned Abergavenny, Wales-based Dynamic Markets to survey 2,000 IT professionals in Canada, the U.S. and Australia.