Report: Plugging Data Leaks Is High Priority

By Lisa Vaas  |  Posted 03-05-2007

In the wake of incidents such as TJX's potentially massive loss of data to theft, reported in January, it shouldn't come as a surprise to find that 90 percent of companies plan to plug in new technology to secure electronic copies of intellectual property in the coming year.

That was one finding of a report from Enterprise Strategy Group, issued on March 5, entitled "Intellectual Property Rules." ESG surveyed 112 organizations, each with more than 1,000 employees, for the report.

One of the findings that surprised ESG was how big the IP problem is, according to Eric Ogren, a security analyst for ESG.

Protecting PII (personally identifiable information) such as the credit card numbers, Social Security numbers and other pieces of user and customer data are actually not the top priority with most organizations, Ogren said. "We asked upfront, what do you consider to be intellectual property?" he said. "What they want to protect is financial information, contracts and agreements. Only after that is PII."

Other IP that companies are looking to protect include, in order of reported priority, source code, competitive intelligence, internal research data, design specifications, customers' PII, trade secrets, CRM (customer relationship management) databases, patent documents and sponsored research data.

What's tough about protecting such data is that it comes in so many different forms. Much of it doesn't fit into a neat fixed-format, as would Social Security numbers or credit card numbers, for example. Instead, it comes from all over the network. Specifically, ESG's report shows that in the surveyed population, 21 percent of IP resides in corporate e-mail; 17 percent lives in corporate portals or intranets; 34 percent is stored in application databases such as SAP, Oracle or SQL Server; and 28 percent is kept in file systems, including spreadsheets, Word documents and the like.

"If you think e-mail is your only issue, you're only solving 20 percent of [the] problem," Ogren said.

Tremendous resources are being spent to search for networked IP, Ogren said, in terms of both manual and automated procedures. According to the report, 78 percent of those surveyed search for electronic versions of IP at least once a quarter.

"Which is a major investment of time and resources," Ogren noted. "It's in many different forms, in many different places, communicated with many different protocols."

Click here to read about how info thieves are targeting the enterprise.

As for the biggest perceived threat when it comes to data loss, either malicious or sloppy insiders scare the respondents the most. Twenty-four percent of responders pointed to malicious insiders as the biggest threat to their IP falling into the wrong hands, while 34 percent feared that the problem lies with negligent insiders—an employee who just wants to do her job but doesn't understand the risk of IP that hangs around in her laptop, for example.

Only 20 percent of respondents think that hackers are their biggest threat in this regard. The balance of threats are seen as coming from lack of security oversight (17 percent) or lack of distribution control (5 percent).

The report puts forth four best practices for leakage protection.

First, ESG recommends, enterprises should define comprehensive requirements for IP and PII at the same time. Protecting against leakage of one protects against leakage of the other, the company maintains.

It's also necessary to segregate IP protection duties, according to ESG. That means empowering security teams to provide independent oversight of operations, including monitoring insider use of information.

ESG also suggests automating discovery of IP, to cut down on the time and money currently being devoted to it.

Finally, ESG recommends network-based solutions over distributed end-point software. "I don't think end-point software is going to solve it—it can't reside in all the places IP resides," Ogren said.

Check out eWEEK.com's for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.