“In our experience, most firms are far from addressing it,” says Phil Neray, vice president of marketing at Guardium, a database threat and security monitoring firm. “These companies have hundreds of systems installed around the world but very few installed to protect intellectual property.”
“The risk level is still very high,” says Steve Roop, vice president of products and marketing at Vontu, one of a slew of smaller DLP (data-leak prevention) firms.
According to data accumulated from Vontu risk assessments on customer networks, approximately 2 percent of all sensitive or confidential files are exposed to theft by unauthorized personnel, and around one of every 400 e-mails that leave a company exposes sensitive data — either sent to an unauthorized recipient or sent to an authorized recipient in an insecure form that can be sniffed or otherwise stolen.
Companies usually overlook that exposed data because their security posture is still focused on network perimeters, not on what might be going on behind the firewall or even over secure connections with business partners and suppliers, says Paul Stamp, an analyst at Forrester. “The perimeter around data is shrinking. Between joint ventures and collaborative [business to business] stuff and remote users, the perimeter has become highly porous.”
Exposure via business partners and third-party contractors is a top concern at Communications Data Services (CDS), a subscription service bureau that’s part of Hearst, says Paul McCarthy, director of information services. In its databases, CDS maintains files (including credit card numbers) for 155 million active subscribers to publications such as Better Homes and Gardens, U.S. News and World Report, Vogue, and Readers’ Digest. Much of that sensitive data comes to CDS through channels that can be difficult to police, such as agents and third-party contractors, as well as over the phone and via the Web, McCarthy says.
Securing critical data that may be used in a variety of contexts is a daunting prospect for any enterprise. But the harsh reality of regulations such as Sarbanes-Oxley and the PCI (Payment Card Industry) data security standard are helping set priorities for enterprises that might otherwise remain in denial.
In particular, Sarbanes-Oxley’s requirement that companies audit the access of privileged users to sensitive data — and PCI’s requirement to track user identity information whenever credit card data is touched — are pushing companies to home in on where sensitive data resides and how it is being used, Goldschmitt says.
At CDS, PCI and Sarbanes-Oxley prompted the company to take a close look at all of its processes for handling subscriber data, McCarthy says. In addition to doing its own SAS (Statement on Auditing Standard) 70 audits of internal security controls, CDS is regularly audited by third parties.
Increasingly, audits are forcing enterprises such as CDS to push security measures closer to where data resides, whether on laptops, in databases, or in shared directories, Stamp says. It’s a simple prescription but one that’s difficult to implement because most companies start out with a hazy understanding of what their sensitive data is, let alone where it resides on their networks.
“Companies wake up and realize, ‘We don’t know anything!’” Goldschmitt says. “We’ve had companies come to us and say, ‘We have 20,000 data servers and absolutely no idea which of them have sensitive data on them’.”