Enterprise Risk Management in Today's Information-Centric Environment

By Tery Larrew, President and CEO, Vericept Corporation

Risks Associated with Information

Today's "Information Age" is built on the growth of companies' information assets and proprietary data. That data is collected, preserved, studied, analyzed, distributed, published, and protected. However, the past few years have seen too many high-profile information breaches. Companies in financial services, healthcare, retail, technology, energy and manufacturing have all been victims. The information lost falls into two definable categories: company information and customer information.

Company information, most notably intellectual property, customer lists, R&D files, and source code, has been stolen. Quarterly earnings reports and merger and acquisition documents have also made their way into the wrong hands through web mail and online public forums. This can be classified as corporate espionage.

Customer information such as credit card numbers and Social Security numbers has also been compromised, sometimes leading to identity theft. Recently, President Bush signed legislation that toughens penalties for identity theft, a problem that federal officials estimate cost U.S. consumers and businesses over $50 billion last year.

Consequently, HIPAA, GLBA, and the California privacy laws have been passed, as well as Sarbanes-Oxley, which governs the internal controls that protect investors and ensure corporate ethical responsibility. As a result, the controls around financial reporting must now be strictly adhered to.

With more information being electronically stored and shared, and with communication tools such as instant messaging, peer-to-peer and web-based email being adopted, safeguarding sensitive information has become a challenge for enterprises of all sizes.

There are several forms of enterprise risk damage that a company could face, for instance regulatory compliance fines, loss of reputation in the marketplace, and liability for failing to provide a safe work environment for its employees. The impact varies between industries, but each company has to ask itself: "what is the impact to my business if any of the following happens?"

  • If an employee were unwittingly sharing proprietary secrets with unauthorized users through a peer-to-peer (P2P) client that is sharing the wrong folders?
  • If confidential or highly sensitive information left your network? What would be the financial impact of such a breach, and how would you quantify the financial damage to your reputation? Would you be able to pinpoint the specific information that was compromised and the offender?
  • If the press found out about these lapses in information security?
  • If customers or clients knew their information was being sent out unencrypted?
  • If an employee pasted customer data into a webmail message and sent it to someone unauthorized to view it?
  • If a contractor or consultant were searching on Google for "stack smashing programs"?
  • If an employee were sending personnel data (e.g., SS#, home addresses, salary info, etc.) to an outsider via instant messaging?
  • If a business partner (e.g., payroll processor, insurance agent, clearing house, etc.) were exchanging customer data via unencrypted email?
  • If an employee unwittingly leaked unencrypted personal information via an Outlook mail message?
  • If an insider purposely sent out unencrypted personal information via webmail or IM, either as an attachment or pasted into a web form?
  • If an employee were building an illicit child pornography video collection while at work?
  • If your systems were successfully hacked? How would you know?

Many companies have identified these gaps in their risk management programs with various types of exposure assessments. What is alarming is that, regardless of who conducted the assessment, every organization assessed has found the issues above, and hundreds more, taking place every day.

A company should conduct an exposure assessment to evaluate the likelihood and potential damage of these threats and to determine the relative importance of each risk. The potential cost of each risk should be quantified where possible, and the sufficiency of policies, procedures, safeguards, and information systems should be analyzed for their ability to establish and maintain security.

Minimize the Enterprise Risk

When researching ways to ensure the security of your information assets and proprietary data, the following questions should be raised as you evaluate the approach, technology, functionality, and application.

  • Do you have a way to intelligently monitor, analyze and categorize all forms of Internet traffic: not just email, not just web traffic, not just instant messaging, but all electronic and Internet-based communications?

  • Do you have a way to provide an intelligent early warning when inappropriate content is found, helping to mitigate many forms of risk, including compliance (Gramm-Leach-Bliley or Sarbanes-Oxley), legal (sexual harassment or discrimination), financial (leaking of sensitive company secrets or information) and more?

  • Can you get full-content, "proof positive" evidence from your information systems so that you can see precisely what types of activity are taking place?
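To make the second question concrete, here is an added example of what a content-based early warning looks like in practice. It is not code from the original article or from any Vericept product; it is a small Python classifier written for this page. It applies the same inspection to constructed SMTP, IM and webmail messages (the "all forms of traffic" point above), validates candidate card numbers with the Luhn check and candidate SSNs against the SSA issuance rules so that order numbers and ticket IDs do not trigger alerts, and records channel, sender and recipient so the offender can be pinpointed. The domain corp.example, the message layout and the sample bodies are assumptions made for the example.

```python
"""Added example: DLP-style content classifier over constructed outbound messages.

Assumptions (not from the original article): the enterprise owns corp.example,
messages are dicts with channel/sender/recipient/body, and a pattern match only
becomes a finding if it passes a validity check (Luhn for cards, SSA issuance
rules for SSNs), which keeps order numbers and ticket IDs out of the alerts.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"corp.example"}  # assumed internal mail domain

# Candidate patterns. Cards: 13-19 digits with optional single space/dash
# separators. SSNs: the dashed 3-2-4 form only (the article's "SS#").
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(candidate: str) -> bool:
    """Luhn mod-10 check over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def redact(value: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the data."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    channel: str
    sender: str
    recipient: str
    kind: str       # "card" or "ssn"
    evidence: str   # redacted match, enough to locate the record later


def classify(message: dict) -> list:
    """Return every validated PII match in one message, whoever the recipient is."""
    out = []
    body = message["body"]
    hdr = (message["channel"], message["sender"], message["recipient"])
    for m in CARD_RE.finditer(body):
        if luhn_valid(m.group()):
            out.append(Finding(*hdr, "card", redact(m.group())))
    for m in SSN_RE.finditer(body):
        if ssn_plausible(*m.groups()):
            out.append(Finding(*hdr, "ssn", redact(m.group())))
    return out


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def scan(messages: list) -> list:
    """Early-warning pass: validated PII addressed to an external recipient."""
    return [f for msg in messages for f in classify(msg) if is_external(f.recipient)]


# Constructed sample traffic (not captured data): one SMTP leak, one IM leak,
# one webmail message full of look-alike numbers, one internal-only message.
SAMPLE_MESSAGES = [
    {"channel": "smtp", "sender": "alice@corp.example",
     "recipient": "payroll@partner.example",
     "body": "Please process SSN 123-45-6789, salary 85000."},
    {"channel": "im", "sender": "bob@corp.example",
     "recipient": "friend@outside.example",
     "body": "card on file is 4111 1111 1111 1111 exp 12/27"},
    {"channel": "webmail", "sender": "carol@corp.example",
     "recipient": "carol.home@webmail.example",
     "body": "tracking 1234-5678-9012-3456, ticket 000-12-3456"},
    {"channel": "smtp", "sender": "dave@corp.example",
     "recipient": "eve@corp.example",
     "body": "internal test card 5500 0000 0000 0004"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f"[{f.channel}] {f.sender} -> {f.recipient}: {f.kind} {f.evidence}")
```

Run as written, the scan raises two alerts (the SSN over SMTP and the card over IM) and stays silent on the webmail message, whose 16-digit number fails Luhn and whose ticket ID uses the never-issued area 000; the internal card is classified but not alerted because the recipient is in-house. Two points a practitioner should carry over from this toy: the alert stores a redacted value, because an alert store holding full card numbers is itself a breach waiting to happen, and the "proof positive" full-content capture the third question asks for should therefore live in a separately protected evidence store, not in the alert stream.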

Another approach to finding a strong solution that minimizes your enterprise risk is to ask your peers how they are handling their information security. The business press, trade associations and technology analysts are good sources of information, case studies, and white papers.

There are also software solutions available that enable companies to manage and monitor these various forms of risk. Several offer exposure assessments that monitor your network and identify which of your information assets are at risk.

Here is an example of a large technology company that used an enterprise risk management system to monitor all forms of Internet communications, and in particular to monitor for and help meet the requirements of the Sarbanes-Oxley regulations. Some of the key benefits the company recognized immediately were in its anti-fraud programs and controls, specifically regarding:

  • Code of conduct and ethics (Section 406)
  • Whistleblower program (Sections 301 and 806)
  • Fraud risk assessment (Section 103)

The enterprise risk management system also alerted the company to:

1. Potential Insider Tipping
Just prior to the company's earnings announcement (but luckily after the close of trading), a sales employee contacted a third party by email, indicated that the company would have a great quarter, and suggested that the third party buy stock. This violated the company's policy, and federal law prohibits such activity. The email was retrieved along with other emails, and the employee was dismissed.

2. Posting of Confidential Company Information on the Internet
Highly confidential product roadmap information was posted on an Internet message board. Given the nature of the information, the company believed that someone in an engineering lab might be posting it or providing it to a third party. The company conducted an investigation and immediately communicated a new email policy to all employees, stating that email communications are not private. Management also told employees that an enterprise risk management system was in use. No similar Internet postings have occurred since the policy was communicated and the software tool was announced.

The enterprise software industry can be greatly affected by information theft. Financial cost is one consequence, but many other areas can be affected. For example, in the fiercely competitive computer storage industry, a Director of Security suspected that individuals inside his company were leaking sensitive information to its competitors, perhaps at those competitors' instigation. He also believed that a competitor with whom the company was embroiled in contentious, multi-million dollar litigation had planted moles inside his company to steal highly sensitive, proprietary trade secrets.

Using an enterprise risk management system, he began to monitor employee network activity to find the internal source of the leaks. Over the course of two months, he gathered enough evidence of the espionage to identify and break up the entire ring of six employees involved.

Additional evidence captured included:

  • An employee emailing the entire customer list to the competition
  • A top executive with access to extremely sensitive company information negotiating for a new job with the competition
  • An employee searching for exploits against the network applications and systems the company used

As you can see, with more information being electronically stored and shared, and with communication tools such as instant messaging, peer-to-peer and web-based email being adopted, safeguarding your sensitive information has become a challenge. These information breaches are also depressing stock prices, creating compliance exposure and eroding customer trust. What you don't know about your information liabilities can hurt, will hurt, or possibly already has hurt your business.

Tery Larrew brings over 20 years of technical and entrepreneurial experience to his role as CEO of Vericept Corporation, the leading provider of information privacy and compliance solutions, with over 600 clients. As CEO, he works closely with corporate clients to ensure the security and appropriate use of enterprise network systems. Prior to Vericept, Tery was Chairman and CEO of UPDATE Systems, where he led the company to significant growth and facilitated its successful sale to Webb Interactive Services, Inc., a provider of Internet commerce infrastructure services. Tery can be reached for article feedback at: tlarrew@vericept.com.

To Subscribe to The Sterling Report, please click here.