While malicious users are always on the minds of enterprise IT teams, employees who are sometimes just careless concerns IT teams as well. A recent spate of data leaks attributed to simple human error shows the critical role that data access plays in the protection of confidential corporate information.
Earlier this year, for example, Google blamed human error as the cause of a major data leak it experienced within its Local Business Center (since renamed Google Places). A Google customer that invested in a listing with the search giant found that information on their listing, the search terms people used before clicking it and other related data was sent to third parties. There was nothing malicious about the act; Google describes the incident as an employee simply copying and pasting the information from one template to an incorrect one.
But this does not nullify the damage done. If the information was sent to a competitor, for instance, Google’s customer would have been put at a serious strategic disadvantage and would have likely cut its ties with the search giant. Mea culpas don’t always work in the corporate world, as data leaks can fatally wound partnerships. Confidential files can be whisked around the globe in only a few clicks so it is imperative that enterprises safeguard their sensitive information from both malicious users and their own employees’ carelessness.
Sterling-Hoffman’s data security strategy
The central tenet of Sterling-Hoffman’s data security strategy is that any measure that allows employees to visually recreate documents is useless. Whether it’s copying information on the screen to another file or even snapping a photo using a camera phone, the battle is lost once malicious insiders have data on the screen. Despite this fact, enterprises cannot impose overly aggressive data protection policies because they then run the risk of inhibiting productivity, thus dulling their competitive edge. This is why we have implemented a comprehensive data security strategy that protects information at its source, as well as on primary communications channels, to prevent leaks.
Enterprise Rights Management (ERM)
Enterprise rights management
The first component of our data security strategy is enforced using an enterprise rights management (ERM) solution. ERM allows Sterling-Hoffman to implement automated processes whereby access and usage controls are applied the moment a document is created. While encrypting every document may seem a bit onerous, our clients’ privacy is a huge concern in our business. There could be major professional ramifications if our customers’ superiors knew they were actively seeking employment elsewhere-not to mention stock market implications. For us, it’s better to be on the safe side and ensure the security of sensitive documents.
Similar to many enterprises today, Sterling-Hoffman is fully engaged with the flat business world. Much of our work is both derived and delivered around the globe so our automated encryption tactics serve us especially well internationally. ERM provides files with enforceable access and usage controls to data that is sent from our corporate IT infrastructure to any other third party. Offshore offices and business partners are sources of major data leak vulnerabilities because many countries do not have the business and data security laws we enjoy in the United States.
As it is impossible to monitor how our overseas partners work with the information we provide to them, ERM’s ability to limit how users are able to interact with data (for example, disallowing sensitive documents to be printed or copying/pasting information from one format to another) gives us an additional layer of security outside of pure access control.
The Case for ERM
The case for ERM
Before we implemented ERM, a candidate we were considering for an open position walked into my office for an interview and opened up a binder that clearly contained one of our internal training documents-a highly confidential one at that. The candidate said that he had received the file from an overseas business contact of ours.
This floored me because Sterling-Hoffman has always placed a premium on its data security practices and this was a major hole within our armor. I realized then that we couldn’t share any information overseas or with our partners in good faith until we could protect data at the information level. We began working with ERM shortly thereafter.
ERM also helps address our third-party challenges by placing expiring access dates on sensitive information. This gives confidential information shared with partners, outsourcers and employees a shelf life and cannot be viewed by them-unless given permission from our IT staff outside of a set time frame. Former partners and employees simply cannot access or share data after their engagement with Sterling-Hoffman is over, which is a nice insurance policy.
Regulating Use of Electronic Communications
Regulating use of electronic communications
The second part of our data protection strategy is the regulation of our electronic communications channels including e-mail and instant messaging (IM). For the latter technology, we use Symantec’s IM Manager to protect against IM-related data leaks. The solution requires our employees to apply for IM privileges, as well as go through an application process when they want to add a contact to their profile. This helps us provide the real-time communications tool only to people that need it within their job function or to others who have gone through a similar qualifying process.
Open-source IM applications can serve as major data vulnerabilities because newer versions enable users to transfer files to others without having to pass through the corporate VPN or firewall. IM Manager gives us these assurances and enables us to address this emerging enterprise challenge.
E-mail tends to be a trickier platform to manage because the company is so reliant upon it. Any overbearing policy instilled for e-mail can have serious productivity consequences so we try to keep our e-mail server rules rooted in common sense. Here are two basic ones I can share:
Rule No. 1: We identify certain workgroups with certain file formats (for example, accounting with Excel) and prevent users from sending files in formats other than those with which they work. We’ve also fine-tuned this rule to include certain types of information included within e-mail messages. For instance, a marketing person’s e-mail would be disabled if they tried to send an e-mail message containing Social Security numbers or other Personally Identifiable Information (PII).
Rule No. 2: We also disallow e-mail strings that have multiple reply prefixes (RE:). This type of message is often associated with malicious activities so we prefer not to expose our infrastructure to them.
During the aftermath of economic uncertainty and massive layoffs, poor data security brings the risk of permanent damage to company viability and industrial competitiveness. The difference between market leaders and also-rans is razor thin, so it is more critical than ever to be able to control who has access to sensitive information. A thoughtfully layered security approach that protects information at the information level has proven effective for Sterling-Hoffman and has benefits for enterprises across all industries.
Angel Mehta is Chief Executive Officer of Sterling-Hoffman Executive Search. Prior to Sterling-Hoffman, Angel worked in business development with CRM-software leader Siebel Canada where he established strategic alliances and managed partner relationships. Angel is also a leadership speaker who gives keynotes and motivational seminars at various business schools and conferences across North America. Angel is founder of the Enlightenment Project, an essay competition designed to foster self-awareness and leadership skills for children in Third World countries. Angel has a Bachelor’s degree from York University in Toronto. He can be reached at [email protected].