Most security threats come from inside organizations, but many violators don’t even realize they are doing something wrong, according to speakers at a panel discussion on data loss prevention.
In a recent user survey conducted by IDC, 56 per cent of respondents said e-mail was a source of confidential data leaks.
Brian Burke, IDC’s program director for security products, presented the survey results during a Webcast Thursday, dubbed Back to School for DLP Education, hosted by Symantec Corp. of Cupertino, Calif.
More than a third of respondents identified Web mail or posts to Web sites as sources of breaches, while 19 per cent cited iPods and other devices that plug into USB ports.
“Three or four years ago companies simply did not know, didn’t have visibility to the fact that employees were committing these errors,” Burke said. “The fact that they’re actually aware of it now and they see it as a major driver signifies a major shift in the level of knowledge out there that this insider threat really exists.”
Web mail was also a concern for Sharp HealthCare, which operates seven hospitals in San Diego. The company’s technical security architect, Starla Rivers, said her organization has a total of 16,000 users, some of whom are doctors working for outside organizations and want to send patient data to Google Docs.
“We’re concerned about patient data going across an HTTP connection, it’s not even an HTTPS connection – and getting posted to Google, out of our control.”
Rivers said another major concern is the prevalence of U.S. social security numbers used on patient records.
“We have widespread use of social security numbers throughout the health care industry,” Rivers said, adding her company also gets confidential information about employees from firms over e-mail.
“The employers are often small, they don’t have the compliance background that we have and they don’t have the tools in place to send data securely, or they don’t use the ones they have,” she said.
Transmitting confidential information over the Web is also an issue for First Advantage Corp., a Poway, Calif. firm whose services include background checks on prospective employees, covering court records, employment history, liens and judgements.
“The biggest challenge we have in our company is we process a lot of personally identifiable information, whether it’s background checks, credit checks or drug testing for large employers,” said Kam Golpariani, First Advantage’s vice-president for security risk management. “We do everything we can to protect our customers’ data and we have to consider every type of device or system or exit point within our environment to have a good grasp on it overall.”
Although regulatory compliance was cited as important by most respondents to IDC’s survey, protection of intellectual property was also a major driver for DLP technologies.
“We’ve talked to a company that makes wall board,” Burke said. “We talked to a company that makes toilet paper, and these guys are very concerned about their intellectual property – how their product gets put together, design schemes, research plans and things of that nature.” The potential for data leaks through USB ports is real, Burke said.
“I have a 30 GB iPod,” he said. “I could download the entire IDC research database and still have room for Desperate Housewives.”
Another problem is social networking tools, and 80 per cent of respondents to IDC’s survey said they view Web 2.0 as a concern.
“Newer employees coming in to work don’t use e-mail,” Burke said. “They use IM, they use wikis, they use social networking. They bring these tendencies into the workplace.”
At Sharp HealthCare, employees who violate information security rules are given some kind of warning, Rivers said, either automatically generated by the monitoring tools or by a person.
“If you send something sensitive out of Sharp, you’re getting an e-mail immediately saying ‘Oops, you just did a naughty naughty,’ and we’re giving you the policy you violated.”
Users are given links to references on the company intranet which explain the policies and how to comply with them.
She added that after being confronted, the violators usually say they didn’t even realize they were breaking a rule.
“They always seem surprised they were called on it,” she said. Sharp HealthCare has to meet different data retention and audit requirements for different organizations, she said.
For example, its labs are certified by one organization, which requires references to social security numbers going back three years, while the financial department is audited by Medicare, which requires records be kept for 10 years.
“DLP has helped us determine where the data resides, who’s using it, who really needs it, how long must it be retained, because it varies across the organization depending on what government agency is involved in that particular department,” she said. “I can’t have a single data retention policy. One size does not fit all here.”
It’s especially important not to make it too difficult for health care workers to access patient charts, she said.
“We have to balance patient safety with patient data protection,” she said. “We have data that must be immediately accessible to the care givers and any delay in that could affect patient care.”