Organizations spend millions of dollars on perimeter and infrastructure security, but very little on protecting their data and content. Traditionally the goal has been to keep out the bad guys, be they hackers, criminals or someone intent on mischief. Organizations have always assumed that anyone who is already on the inside can be trusted. Unfortunately that doesn’t seem to be the case anymore.
According to a Gartner survey of 1,500 worldwide companies, businesses spend an average of 5% of their total IT budget on security. The spending goes toward firewalls, intrusion detection systems, anti-virus software, virtual private networks, and a variety of other hardware and software systems. These tend to focus on keeping unauthorized traffic off the network. Since a number of the data breaches reported in the news have come from compromised databases, there is an increased focus on locking down that data. While that’s very important, most organizations are not paying enough attention to the content inside electronic documents and email.
Most database management systems can encrypt the data inside the database, which lends a level of protection to the information. For organizations dealing with customer data, it is not just a matter of protecting privacy but also complying with regulations such as the Payment Card Industry Data Security Standard (PCI DSS). It’s important to protect data inside a database, but increasingly the problems come from information stored in documents. Whether you are in healthcare and worried about medical records or a manufacturer worried about a CAD drawing for your latest product, documents are your lifeblood.
Security experts recommend using a layered approach to information security. The four key layers are:
- Perimeter Defense
- Server Protection
- Host Protection
- Information Protection
This approach includes physical security, access control, computer security, network security and encryption. The first three layers focus on preventing access to systems and applications. Information protection covers the actual data or content inside your systems. The only effective way to control and protect your content is to encrypt it.
This layered approach is an outside-in look at the world. It assumes that people wishing to compromise your systems are outside your organization and its network. The recent theft of US State Department information by US Army Private Bradley Manning shows that insider threats are as important as external threats. The US government has very effective systems to keep malicious outsiders from penetrating its networks, but it failed to prevent an insider from downloading thousands of sensitive documents.
Controlling and protecting your content is the only way to safeguard your own and your customers’ information. If you encrypt the data in your databases, that’s a good start. If you don’t encrypt your documents, you need to start doing that. Full disk encryption is useful to help prevent problems if a laptop or hard drive is stolen. Unfortunately it doesn’t help you if you want to share documents inside your organization or with partners and customers. Persistent protection makes sure that documents are secure at rest, in transit and in use. Policies control who has access and when. If a sensitive document gets into the wrong hands, you can revoke its access rights. That’s as good as shredding a paper document.
Take a look at your IT budget and see how much you are spending on protecting your content. It may be a lot lower than you think.