<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Sitrof Technologies &#187; Enterprise Rights Management</title>
	<atom:link href="http://sitrof.com/tag/enterprise-rights-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://sitrof.com</link>
	<description></description>
	<lastBuildDate>Thu, 02 Feb 2012 13:19:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>WikiLeaks &#8211; Data Encryption to prevent the Sneaker-net threat</title>
		<link>http://sitrof.com/resources/insights/wikileaks-data-encryption-to-prevent-the-sneaker-net-threat/</link>
		<comments>http://sitrof.com/resources/insights/wikileaks-data-encryption-to-prevent-the-sneaker-net-threat/#comments</comments>
		<pubDate>Fri, 10 Dec 2010 21:48:21 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=2359</guid>
		<description><![CDATA[It's all over the news - WikiLeaks.  It may be hard to believe, but we have been deploying technology that would have prevented the misuse of these top-secret government cables for years. It is vital for all organizations (government and industry) to recognize that the most leak-proof firewall in the world would not have prevented [...]]]></description>
			<content:encoded><![CDATA[<h3>It's all over the news - WikiLeaks.  It may be hard to believe, but we have been deploying technology that would have prevented the misuse of these top-secret government cables for years.</h3>
<p>It is vital for all organizations (government and industry) to recognize that the most leak-proof firewall in the world would not have prevented the recent top-secret government cables from walking out the door on a CD.  The biggest security threats to your organization are internal.  Proper data protection, meaning encryption at the file level, is the only way to prevent the "sneaker-net" threat.</p>
<p>Recently a top research scientist with a US pharmaceutical company walked out the door with all of his company confidential research on a flash drive and moved to China to produce the drug. I am sure he made himself a pretty penny.  Again, the tightest firewall could not have prevented this corporate espionage.</p>
<blockquote><p>The US Chamber of Commerce estimates the cost to organizations of the negative consequences of security breaches or intellectual property loss at $250 billion per year.</p>
</blockquote>
<p><a href="http://sitrof.com/solutions/data-protection/enterprise-rights-management/" target="_self">Enterprise Rights Management (ERM)</a> enables organizations to manage, monitor, and enforce policies governing the access and use of data at rest, in motion, and in use. Security policies for access and use are embedded directly into the information itself, providing companies with the security they need and where they need it. According to CIO/Insight, no legacy solutions have been able to address the ‘unstructured data’ security dilemma like enterprise rights management.  <a href="http://sitrof.com/resources/security-getting-data-protection-right/" target="_self">Click here to read more on Getting Data Protection Right.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/insights/wikileaks-data-encryption-to-prevent-the-sneaker-net-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security &#8211; Getting Data Protection Right</title>
		<link>http://sitrof.com/resources/security-getting-data-protection-right/</link>
		<comments>http://sitrof.com/resources/security-getting-data-protection-right/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 15:49:41 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[White Papers]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=521</guid>
		<description><![CDATA[Combining the Counterintelligence Security Model with Enterprise Rights Management Technology Your data may be secure when it is at rest or in storage. It may be secure when it is in motion inside and outside the enterprise. However, do you know if it is secure when used by an authorized user? Most companies cannot answer [...]]]></description>
			<content:encoded><![CDATA[<h3>Combining the Counterintelligence Security Model with Enterprise Rights Management Technology</h3>
<p>Your data may be secure when it is at rest or in storage. It may be secure when it is in motion inside and outside the enterprise. However, do you know if it is secure when used by an authorized user? Most companies cannot answer this question.</p>
<p>The reality is that data breaches occur at an alarming frequency and with a huge impact, especially when you consider how quickly unstructured data multiplies within the routine operation of most organizations. Unfortunately, even a single breach or data leak can cause egregious harm to a corporate brand and reputation – and cost millions of dollars in remediation, competitive loss, legal fees and regulatory fines. In 2008, the average cost of a data breach was $6.65 million according to a study by PGP Corporation and Ponemon Institute. The US Chamber of Commerce estimates that intellectual property loss accounts for $250 billion per year.</p>
<p>That is why information security management is a serious business mandate. It is a moving target, driven by both business innovation and threat innovation. Compounding this challenge are the escalating demands of citizens, consumer groups and government legislators for dependable security.</p>
<p>In other words – it is imperative to get information security right. Enterprises cannot afford to let mission critical information or privacy-protected data walk out the door, and unfortunately no company is immune from insider fraud and malicious leaks of confidential information. As reported by Gartner, 84% of all security breaches come from an insider, so truly effective solutions must keep insiders honest and trustworthy. Trade secret theft and economic espionage are a few of many other internal and external attack methods, and the volume of such attacks has grown significantly in recent years.</p>
<p>Therefore, enterprise security solutions must be smarter and more dynamic to provide real protection, improve operational efficiencies and reduce cost. The best approach would include intelligent unstructured data management strategies that effectively combine counterintelligence methodologies with an enterprise rights management (ERM) technology platform. A hybrid solution such as this means risk is truly minimized without compromising collaboration and performance.</p>
<p>The Challenge of Unstructured Data Security</p>
<p>Arguably the largest problem most enterprises face is unstructured data security. A company’s unstructured data and documents represent a treasure trove of free-flowing ideas, innovation and often sensitive information that is not properly managed. Think of the hundreds of data types stored in documents such as PDFs, Microsoft Word and PowerPoint files, emails, web pages, scanned documents and audio or video files. These data forms are multiplying rapidly, as is the volume of data contained.</p>
<p>This kind of information also provides a competitive advantage that can be legally protected as a trade secret if it is properly identified and managed. As stated in the Sarbanes Oxley Act, trade secrets are financial assets, which means if they are lost, stolen or compromised, a ‘material change’ has occurred, which requires that investors and shareholders be notified. Similarly, when privacy-protected information is stolen or compromised, federal and state regulatory laws come into play. If you are in charge, you are accountable.</p>
<p>So how big is the challenge? Studies continue to show that unstructured data represents 85% of a company’s overall data, and more than 50% of it is sensitive or mission critical. The vulnerabilities resulting from the mismanagement of unstructured data are a key factor in the enterprise information security question.</p>
<p>To handle the problem, counterintelligence methods should be integrated into any information security management approach. The goal is to get inside the activity stream of an enterprise, to identify threats and vulnerabilities, and to close gaps and strengthen the security culture so it becomes more preventative, preemptive and predictive. The counterintelligence model is developed first by conducting a review of policies, procedures and work practices and takes seven important categories into account: HR, organization, assets, process, technology, physical risk and performance. However, an optimal solution entails more than just this: it combines the counterintelligence model with an enterprise rights management (ERM) technology platform.</p>
<p>Choosing the Right Platform: Enterprise Rights Management (ERM) Technology and Data Loss Prevention (DLP)</p>
<p>Two predominant technology platforms have emerged to secure unstructured data, information and content: Data loss prevention (DLP) and Enterprise Rights Management (ERM). DLP solutions are reactive and presume that critical data and information assets within the enterprise environment are unknown. Parameters must then be created to identify such information so that security policies can be enforced. Essentially, security stems from minimizing the opportunity for sensitive information to leak from its source. ERM solutions, on the other hand, are proactive in nature and presume that critical information assets are known. Security policies that determine who may access those assets and what actions they may apply to them are easily enabled and transparently enforced.</p>
<p>Essentially, ERM changes the security paradigm. It enables people to share information in support of collaboration and productivity while at the same time providing dynamic centralized policy controls that persist beyond the firewall and wherever the data resides. Information is fully encrypted at all times, and the processes are transparent to the end-user with no adverse effects to work practices.</p>
<p>To accomplish this level of information control, the ERM solution provides three types of security: protection, control and audit. The document and its content are encrypted while at rest, in transit and while in use. Additionally, data on the clipboard is protected at all times. Enterprises control who has access to the data. ERM also ensures that audit capabilities track user attempts to access unstructured data and report on what they have done after accessing it.</p>
<p>Better access and collaboration platforms generally provide better business results – but complicating this approach is the exponential increase in mobile devices, virtual workstations and the general portability of information. Forward-thinking enterprises must look for smarter ways to accomplish the dual goals of portability and security.</p>
<p>So what is the ERM Solution?</p>
<p>The ERM solution protects a file in such a way that policy keys are used to encrypt it. When the file is accessed, the local agent authenticates the user, decrypts the file, but blocks actions that are not assigned to that user in the policy protecting the file. Documents remain protected on both sides of a firewall and can only be accessed by authorized users.</p>
<p>However, an effective ERM solution should also provide policy propagation. This means that when an authorized user accesses a file, functions like copy, paste, save as and PDF conversion remain available to the user. Policy-protected content can be copied and pasted from a secure document into an unprotected document and remain securely protected. This protection even transcends different applications, which represents real security in action.</p>
<p>The bottom line is that an optimal scenario enables people to share information in collaborative and highly distributed work environments, while at the same time securing the information through dynamic centralized management controls that persist beyond the firewall. This is a daunting task, and the key is fusing together a solution that encompasses technology, security and people.</p>
<p>ERM solutions close a huge gap in vulnerability by providing security to data in use. Until now, there has been no way to secure it. According to Gartner, it will not be long before enterprise rights management will be adopted as a default solution – another mega-trend in security evolution. Benefits of this solution include granular control over actions that may be applied to data, enablement of data sharing and protection, access to detailed visibility in the enterprise’s data flow, and more.</p>
<p>The Benefit of a Counterintelligence Model</p>
<p>In government, counterintelligence is the function of identifying and stopping foreign spies and terrorists. Every terrorist attack, for example, is preceded by an intelligence operation in which attackers gather information that is then used to develop and execute their plan. Agents must get inside the intelligence stream to stop the attack before it occurs. The same is true of commercial enterprises: security professionals must get inside the activity stream to identify and close gaps that put the enterprise at risk.</p>
<p>A counterintelligence officer or group collaborates with security stakeholders across the enterprise yet operates with autonomy to provide independent oversight and segregation of duties in security management. Its purpose is to identify internal and external threats to mission critical assets. The formulation of a risk treatment strategy is derived from an assessment and comprehensive analysis of policies, procedures and work practices.</p>
<p>One reason data leakage is occurring with alarming frequency is not that organizations lack security policies and procedures, but that they fail to adequately train their employees, monitor their actions and enforce policies when they are violated. Counterintelligence takes a lead role in assuring that security is executed according to plan. Among other tasks, it develops specialized training as a requirement for persons with access to sensitive assets, monitors operations for compliance and assures that enforcement practices are fair and consistent. A good defense is a strong offense.</p>
<p>Bringing It All Together</p>
<p>A plan that combines ERM and the Counterintelligence Model (CM) is optimal. Enterprises can glean business intelligence, extract unrealized value, and bring order and security to an otherwise vast sea of unstructured chaos and risk.</p>
<p>For a solution that incorporates ERM and CM, discovery is the first step. This means identifying data and information assets. However, not all unstructured data is worth protecting, so the next step involves determining the risk to the enterprise if security is compromised. What is worth protecting must be identified, classified and labeled to reflect the designated security handling requirements. This stage of the solution, called defining, involves identifying critical information assets, processes and applications that are vital to competitive advantage, innovation, profitability, corporate governance and regulatory compliance. The next step is creating a plan that combines the discovery, assessment and defining processes. The plan should also include a management plan and schedule, vision and deployment strategy, current state risk assessment review and implementation roadmap. Finally, the enterprise is ready to enter the implementation phase, which includes carrying out the first stages of the plan, training personnel and configuring new settings. Because security is a process that requires continuous review, analysis and improvement, improvement must be sought during every step.</p>
<p>Conclusion</p>
<p>In today’s distributed business models and ever expanding chain-of-trust, there are no guarantees when it comes to security. But one thing is for sure—companies cannot afford to get data protection wrong. Good security is ubiquitous and occurs long before the end-user is granted access to critical information assets. By combining enterprise rights management with the counterintelligence security model, organizations can raise the bar on security management to unparalleled heights.</p>
<p>Rather than protecting the information ‘container’ alone, it is now possible to embed security into the information itself. When this occurs, an organization’s prescribed information access and use privileges can be centrally managed, monitored, and enforced when the data is at rest, in motion, or in use. Ultimately, this means that senior executives can roll the dice and take a gamble that point solutions will be sufficient, or they can adopt a holistic approach and get it right—Rights Managed that is.</p>
<p>Bryan Reynolds is co-founder and managing partner of Sitrof Technologies, a document management and data protection consultancy. Reynolds brings more than 15 years of experience in enterprise content management, business workflow, imaging, records management and knowledge management.   breynolds@sitrof.com</p>
<h3><a href="http://sitrof.com/wp-content/uploads/2010/03/GettingDataProtectionRight.pdf" target="_blank">Click Here to Download White Paper "GettingDataProtectionRight"</a></h3>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/security-getting-data-protection-right/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>China&#8217;s First Criminal Case Regarding the Infringement of the Security of Information</title>
		<link>http://sitrof.com/industry-trends/chinas-first-criminal-case-regarding-the-infringement-of-the-security-of-personal-information/</link>
		<comments>http://sitrof.com/industry-trends/chinas-first-criminal-case-regarding-the-infringement-of-the-security-of-personal-information/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 18:28:40 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Industry Trends]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=171</guid>
		<description><![CDATA[On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information. In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in [...]]]></description>
			<content:encoded><![CDATA[<p>On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information.  In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in the amount of  RMB 2,000 (approximately US $295) for the crime of illegally obtaining the personal information of citizens.  This is the first known case in China regarding the infringement of personal information security.</p>
<p>The law upon which the action was based, the 7th Amendment to the PRC Criminal Law, was promulgated on February 28, 2009 by the Standing Committee of the National People’s Congress.  It includes provisions imposing criminal penalties for the infringement of personal information security, specifically targeting two types of infringement:  (i) the sale or illegal disclosure of information obtained by personnel in government agencies or financial, telecommunications, transportation, educational or medical institutions in the process of performing their duties; and (ii) the theft or illegal access of personal information by other individuals.</p>
<p>In both types of conduct there are severe consequences for infringement, including imprisonment for less than three years, detention for less than six months, and/or the imposition of a fine (as a single penalty or concurrently with other penalties).   In the event that an entity is convicted of infringement, a monetary penalty shall be imposed on that entity, and the officer directly responsible and any other persons who may be directly responsible for such illegal acts shall be subject to the same criminal penalties that are applicable to natural persons.</p>
<p>According to news reports, in December 2008 the defendant in this case, Zhou Jianping, a resident of Zhuhai, Guangdong Province, illegally obtained the phone numbers and call history records of 14 government officials and sold these phone numbers and call histories for RMB 16,000 (approximately US $2,353).  The purchaser, in conspiracy with six other people, then used this information to impersonate the government officials and extract RMB 830,000 (approximately US $122,060) from a variety of relatives.</p>
<p>The defendant did not appeal and the judgment took effect December 14, 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/industry-trends/chinas-first-criminal-case-regarding-the-infringement-of-the-security-of-personal-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Liquid Machines Offers Data Protection for a Collaborative Environment</title>
		<link>http://sitrof.com/resources/insights/liquid-machines-offers-data-protection-for-a-collaborative-environment/</link>
		<comments>http://sitrof.com/resources/insights/liquid-machines-offers-data-protection-for-a-collaborative-environment/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 15:33:19 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=223</guid>
		<description><![CDATA[Data protection is a major concern for organizations in every industry. Currently most data protection efforts are restricted to full disk encryption, meaning that only content on the hard drive is protected. For collaborative enterprise organizations, this leaves all content that is shared and consumed in the environment unsecure. To achieve maximum data protection and [...]]]></description>
			<content:encoded><![CDATA[<p>Data protection is a major concern for organizations in every industry. Currently most data protection efforts are restricted to full disk encryption, meaning that only content on the hard drive is protected. For collaborative enterprise organizations, this leaves all content that is shared and consumed in the environment unsecure. To achieve maximum data protection and effectively protect all valuable company information, organizations must implement security tools that also protect unstructured data that often resides in multiple locations, travels between various users, is contained in email attachments, saved onto storage devices or any other location beyond the reach of the organization’s security measures.</p>
<p>Liquid Machines, a leading Enterprise Rights Management (ERM) solutions provider, is dedicated to advancing the protection of critical business content and audit usage while enabling collaboration. They have developed Document Control and Email Control solutions which allow organizations in highly regulated industries to securely share information within any application, wherever it goes, and throughout its entire lifecycle. Their software solutions leverage a unique combination of rights management, encryption and next-generation monitoring technologies for compliance in a single solution that secures all vital content.  This is accomplished through the combination of centrally-defined data access and information usage with Liquid Machines’ trademarked Policy Droplet control interface to simultaneously promote a collaborative environment and protect sensitive information without affecting the way users work.</p>
<p>Liquid Machines ERM solutions take information protection beyond full disk encryption by ensuring that policy protection is disseminated during standard information use.  Their solutions provide effective security measures at the information-level for shared data. For files accessed by authorized users, standard functions such as copy, paste, save as and convert to PDF remain available; however, any new resulting information maintains the original security settings. Additionally, content remains safe in the case that it is copied and pasted from a protected document into an unprotected one, even across different applications.</p>
<p>To further protect against data leakage, all methods of content distribution, i.e. copy/paste, email, network transfer, files, printing, etc., are logged and controlled. Liquid Machines’ solutions also provide robust audit trails and reporting capabilities in order to provide authorized users with all details regarding exactly who accessed what regulated information and when.</p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/insights/liquid-machines-offers-data-protection-for-a-collaborative-environment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security and Enterprise Risk Management</title>
		<link>http://sitrof.com/resources/insights/information-security-and-enterprise-risk-management/</link>
		<comments>http://sitrof.com/resources/insights/information-security-and-enterprise-risk-management/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 13:31:46 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Risk]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=210</guid>
		<description><![CDATA[Security of information is critical to all corporations and is one of the many areas of competency established with Enterprise Risk Management. The weakness of traditional risk management is its focus on historical precedent rather than a forward-looking investigative approach.]]></description>
			<content:encoded><![CDATA[<p>By Steven Minsky (eBiz: The Insider's Guide to Business and IT Agility)</p>
<p>Security of information is critical to all corporations and is one of the many areas of competency established with Enterprise Risk Management. The weakness of traditional risk management is its focus on historical precedent rather than a forward-looking investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects such as external hackers. This leads to heavy investments in systems infrastructure and, many times, overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as the weakest link. Overinvestment in one area without the others is understood as a poor use of resources.</p>
<p>Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.</p>
<p>ChoicePoint is the largest data broker that assembles personal information records on all of us. ChoicePoint, like so many corporations, makes assurances on data security. They probably truly believe that they are aware of all risks facing them, as they claim, and also believe that their organizations are effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation may rely on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close,” for years ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”</p>
<p>However, in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency's history, for security and record-handling procedures that violated the rights of consumers. The ChoicePoint operations process for approving business partners was vulnerable. Fraudsters were officially becoming business partners by exploiting ChoicePoint's business process and practices. That kind of vulnerability can best be uncovered by using risk assessments conducted by the operations team, which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment, the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.</p>
<p>Lessons learned from this story:</p>
<p>1) Roll out your Enterprise Risk Management charter to your line managers</p>
<p>2) Use root cause as part of self-assessments to understand the source of risk</p>
<p>3) Use best practice risk indicators that are forward looking in nature to uncover risks</p>
<p>4) Develop clear measures of the penetration of your Enterprise Risk Management program</p>
<p>5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.</p>
<p>Review lesson number one or your successor may be doing that for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/insights/information-security-and-enterprise-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

