Learning from WikiLeaks: What Companies Must Do to Protect Themselves
Much has been written in the press recently about the WikiLeaks disclosure of hundreds of thousands of sensitive government documents and cables. Despite the new method of distributing such massive amounts of information via the Web, Knowledge Center analyst Jack E. Gold is amazed that anyone is really surprised. Here, he explains how companies can learn from the WikiLeaks event and protect their company from similar sensitive data exposure.
The whole WikiLeaks event speaks volumes about how truly unserious (or worse, incompetent) the United States government is about security. This is not a new exposure area, as companies have been dealing with "data leakage" problems for years. It's not like there aren't lots of tools out there already that can track document access and allow only certain users to view, read and copy files. Security companies such as McAfee and Symantec, and many of the major application platform vendors such as RSA, Oracle, IBM and SAP, have leakage prevention capabilities. Obviously, the government saw fit to ignore these capabilities, to its detriment.
But the WikiLeaks event also brings to light a major security issue with huge implications for enterprises, not just for government agencies. The issue is that the highest probability of data loss or exposure will result not from an outside attack but from inside your own organization. Indeed, right now, the government thinks all the leaks are the work of a single person: a private individual who was able to access millions of files and easily copy them to a CD or flash drive.
It's also very likely that in your enterprise there are many private individuals who could easily access private and sensitive corporate data, your company's most valuable asset. In fact, it's amazing how lax data access rules are in most companies despite the many regulatory compliance requirements such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA). Also, if someone unauthorized did access those files, would you even know about it?