Stop Your Intellectual Property From Walking Out the Door
Data breach Insider threat

Information is the most important and valuable asset to your business.  Without it, you are just a bunch of people who get together to talk (or email or tweet or ____).  Once you develop, use and maintain a common set of knowledge, processes and expertise, you create intellectual property that is valuable.  Whether that information is the specs on machine tools or the source code for your next software application, if you lost it, your business could be in jeopardy.

Information exists in many places.  You write it on paper, it’s stored electronically in documents and files, it’s in databases and it’s in people’s heads.  Most of it is in electronic documents, since this is how we maintain the collective knowledge of our organizations.  We used to be storytellers, but then we started writing things down so we could remember and pass them on.  With so much critical information inside businesses, there is too much to remember without writing it down.

You Are Not Doing Enough to Protect Your Data and Records
Data security Insider threat

Organizations significantly invest in protecting networks, but are they doing enough to protect their data and records?

Almost every day there are announcements about significant data breaches, the most recent being the current WikiLeaks episode.  For years organizations have invested more and more in technology to protect their networks (both externally and internally) as well as for spam protection.  Of course this is important and is the right thing to do.  You certainly want to keep people from being able to access and manipulate your network; however, there is a chicken and egg syndrome here.  In most cases, the reason internal or external people want to breach the network is to access important data/records.  So it makes sense to put as much focus on protecting the actual data/records as on protecting your network access.

Security and the OS
Data security Insider threat

I read an interesting article recently about India’s plans to build a new computer operating system.  Their main goal is to enhance the security of their computer systems – they want to deter and prevent hacking.  The Defence Research & Development Organization (DRDO) is developing the new operating system.  India’s current dispute with Research In Motion for greater access to communications for BlackBerrys is an example of their security concerns.

This got me to thinking about how many commercial operating systems exist and if they are secure.  We have Microsoft Windows, Apple OS X and numerous flavors of Linux for desktops and laptops.  For servers, we have Microsoft Windows Server, Mac OS X Server, Oracle Solaris, and all the UNIX and Linux variants out there by IBM, HP, Novell, RedHat and a hundred other companies.  Then we have the mobile operating systems – Apple iOS, Blackberry OS, Android, Windows Phone OS, Symbian, Palm OS and the list goes on.

Insider Threats Increase as a Result of a Struggling Economy
Insider threat

The headlines this week make reference to a fairly minor theft of healthcare records at a Los Angeles Clinic.  The incident involved a janitor selling 14 boxes of computer reports for $40.  The theft exposed 30,000 patient records.  Although minor, this incident highlights several major issues that we have covered in our blogs over the last several months.

First, the possibility of a data breach caused by a trusted employee should be on every CEO’s list of threats that could cause significant harm to their business. The 2010 Verizon Data Breach Report states that 48% of data breaches occur as a result of employees stealing confidential information.  That’s a 26% increase from 2009. The primary motivation for stealing highly confidential information is typically personal financial gain. There should be little doubt that many employees are feeling the impact of the recession and selling confidential information to your competitors or other more sinister buyers such as organized crime could provide a means for holding off the creditors.

Who’s stealing your corporate information now?
Data breach Insider threat

Just when you thought you had the corporate crown jewels under lock and key, it now appears that veteran CIA spies can moonlight and help your competitors determine what is going on inside your company!  I just finished reading a book titled “Broker, Trader, Lawyer, Spy” by Eamon Javers.  In his book, Javers details how companies are employing CIA Agents to spy on their competitors.  Using cutting-edge technology, age-old techniques of deceit and manipulation, and sheer talent, spies act as the hidden puppeteers of globalized businesses.

Because the US Federal Government cannot pay these seasoned employees enough compensation, they are now permitted to use their skills during off hours.  This permits them to leverage their experience and techniques, such as reading the body language of CEOs during interviews to see if they are telling the truth.  Javers discusses a theory called “cognitive dissonance” which says that when someone attempts to hold two conflicting ideas in their brain at the same time, normal people will display noticeable patterns of discomfort.  The human brain will do almost anything to avoid this discomfort and will attempt to do or say things to circumvent the truth.  The classic example is Bill Clinton’s “There is no affair” and “It depends on what the meaning of the word ‘is’ is.”  Agents trained to detect body language and innocuous activities can detect valuable information that would otherwise go unnoticed.

How that Data Walked Out the Door
Insider threat

Did you ever wonder if your customer lists and other confidential data are walking out the door when people leave the organization?  Here is something that I came across when working with a client.

This organization uses multiple FTP and other file sharing sites to share documents internally and with partners and customers.  Some of these are sanctioned by the organization, but many aren’t.  The reason there are so many is that IT is very busy and hasn’t gotten around to creating an easy-to-use collaboration site for everyone.  They also make it very difficult to implement anything as basic as a secure collaboration site without having to get vice presidential justification and jumping through hoops.  There are Windows file servers for some internal projects and Microsoft SharePoint sites for others.  People use email, free sites, like and YouSendIt, and FTP sites to exchange documents with outside people.  Employees have resorted to “roll your own” because IT can’t meet the need in a timely way.

Digital Rights Management joins Data Loss Prevention
Insider threat Secure collaboration

Enterprise Digital Rights Management (EDRM) is a growing and important part of securing an organization’s information.  The traditional methods of using firewalls and intrusion detection systems are good at keeping the bad guys out, but not so good at keeping those on the inside (the good guys?) from leaking important documents.  EDRM encrypts documents and controls access to them even after they leave the security of your firewall.

Data Loss Prevention (DLP) is good at filtering content by searching for things like social security numbers and preventing that information from getting out.  But it’s not good at preventing sensitive documents from walking out the door on a thumb drive or other removable media.

Indecent exposure
Data breach Insider threat

While I was visiting with a client last week, they were discussing an upcoming company cruise that will be taking place this October.  The event includes over 500 employees and their spouses.  The company sent an Excel spreadsheet to each employee that requires information such as Passport number, Social Security Number and credit card information.

After completing the form, one of the employees mistakenly hit reply all and his information was instantly sent to over 500 people, most of whom he does not know.  Without a way to revoke the rights to the file, his personal information was exposed.

Another client’s Human Resources department had a new administrator access an Excel spreadsheet from the department’s network directory.  The visible cells showed the employees’ names and phone extensions.  Thinking this would be helpful information for company employees, the administrator emailed the file to all employees.  Little did he know that the hidden cells contained salary, stock option and other confidential information.  Not sure what happened to the administrator, but needless to say the company had significant issues to deal with.