Preventing Data Leakage

Intellectual Property (IP) is perhaps the most important asset for any business. Yet, protection of IP is something that is all too often neglected or inadequate. The key appeal of the Internet is the ability to quickly and easily access and share information. Email has revolutionized the way that businesses communicate, and the Internet has made it easier to reach customers and support products. However, email and the Internet have also made it too easy to leak confidential information – be it either deliberately or accidentally.

A few years ago IDC reported that 84% of data leakage was generated internally, by employees. This loss of confidential data can be both costly and embarrassing. In a recent incident, Apple Computer filed a lawsuit against an employee who posted images of two new products on the web prior to release. The fact that these images appeared on the web before the products were launched was reported to cause a drop in Apple’s share value.

Newspapers are littered with stories about confidentiality breaches: Employees that send product plans to competitors; hospitals that accidentally send patient information to the wrong person; executives that accidentally hit the ‘reply to all’ button and inadvertently reveal information about future acquisitions to third-parties; and more.

A Layered Approach

The key to preventing data leakage is vigilance. Vigilance does not happen by magic. It is necessary to deploy a layered approach to protecting confidential information. This layered approach may encompass policy, education, technology and procedure.

All staff members should be aware of the importance of confidential information and their obligations to protect it. Employees should be trained to know how to handle and distribute information that is confidential or proprietary in nature. This may, for example, mean that certain types of documents should only be sent via email by authorized staff members.

Policies for protecting confidential information really come down to common sense and best practice. Policies can include giving confidential projects code names or putting passwords on confidential documents. The important thing is to constantly remind staff to be vigilant.

Legal Compliance

In addition to the business implications of losing confidential data, there are now numerous legal complications. Regulatory compliance and legal obligations have become key motivators for securing and protecting confidential information. A well known example is the US HIPAA legislation (the Health Insurance Portability and Accountability Act). One of the main aims of HIPAA is to address the security and privacy of health data. This places significant obligations on the healthcare industry to ensure the privacy of patient information. Hospitals, doctors, insurance companies and government agencies all need to share patient information and HIPAA places the obligations for securing this information on these healthcare providers.

This kind of legal compliance requirement is not limited to the healthcare industry however. The financial sector, national government agencies, local government, and education providers, are all seeing increasing legal obligations for securing confidential information.

Acceptable Use Policy

A key part of confidential data protection is an organizational Acceptable Use Policy (AUP). Some parts of an AUP that relate to confidential data are:

Defining Confidential Information

Proprietary information should not be divulged improperly. Highly confidential information, such as company trade secrets, new product plans and sensitive customer or employee information should not be sent out via email or the Internet without encryption. This is typically more a concern for corporate email but accidental confidentiality breaches have occurred via web-based email.

Clarifying Responsibility

You should inform employees that they could be held responsible for the content of all communications they store or send using email or the Internet. All email should be identified with a name or email address; employees should not attempt to hide their identity or place someone else's identity on company communications (spoofing).

Respecting Copyright

Employees should also be informed about copyright issues relating to electronic copies of documents obtained via email or the Internet.

Technology for Preventing Data Leakage

When an organization has clear policies and sound education practices in place, technology can play a big part in protecting confidential information. Encryption is one example. Encrypting email for specific customers helps ensure that information intended for them can only be seen by the intended recipient.

Corporate usage policy can be enforced through customized content filtering of incoming and outgoing email and attachments. Comprehensive reporting of use and attempted abuse gives the organization the knowledge to ensure policy compliance and best use of email and web resources.

Marshal's Enterprise Solutions Help to Prevent Data Leakage

Marshal's content security solutions can play an important part in protecting your confidential data.

MailMarshal SMTP and WebMarshal provide protection by acting as a gateway between an organization and the Internet. MailMarshal Exchange can perform similar functions for internal communications. They allow an organization to restrict, block, copy, archive and automatically manage the sending and receiving of content.

MailMarshal can manage email based on:

• specified attachment types (block, restrict or strip attachments)
• user-defined keywords, using TextCensor lexical analysis to identify confidential content
• messages larger than a specified size
• messages with a specified number of recipients or attachments
• the message source or destination

WebMarshal helps to control the "back door" of web-based email and file uploads.

Both MailMarshal and WebMarshal provide comprehensive reporting on the content that has been transmitted (file, names, sizes, senders or users).

Marshal's products also help to minimize threats to data from spyware (such as key loggers), viruses, and phishing.