Most enterprises scan their inbound e-mail for unwanted content but too many still ignore outbound e-mails that could result in lost intellectual property as well as legal and compliance issues.
Compliance regulations mean that most large companies in the banking and financial sector have already got to grips with issues surrounding data leakage but other industry sectors have a lot of catching up to do, according to security firms.
Patrick Peterson, vice president of technology at e-mail security firm IronPort, told ZDNet Australia on Monday that US regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), have meant that companies in the banking and financial sector are leading the way. These regulations also impact upon any firms conducting business in the US or with American companies.
"Outside of the targeted verticals, those requirements are not very mature but you can hear the footsteps.
"I think in the next two years all major enterprises and certainly all publicly traded companies in the US -- and shortly after in the UK and Australia -- are going to have at least the basics for data leakage," said Peterson.
Paul Ducklin, head of technology in APAC for Sophos, said that part of the data leakage problem could be solved if companies took advantage of features already included in their e-mail scanning hardware and software.
"People buy gateway products to religiously and scrupulously scan their inbound mail but they don't bother doing the same thing to their outbound mail, which seems crazy.
"Considering your outbound mail volume is generally a lot less than your inbound mail -- unless you are a spammer -- the extra load of scanning your outbound mail is almost irrelevant," he said.
This was also the view of Nick Hawkins, vice president of sales in APAC at Marshal, who claims that allowing the wrong information out of the corporate network could be more damaging than letting malware in.
"If you get hit by a virus then yes, it is going to impact you but it isn't the end of your business. However, if you are sending out company assets, that can have a massive impact," said Hawkins.
IronPort's Peterson said that administrators could start preparing for change by monitoring the types of files going through the network perimeter and scanning documents for phrases and terms that could potentially cause data leakage.
"How many executables are leaving? How many Word documents with [sensitive terms] are leaving? Who is sending them? You don't want to block any of it and don't want to tell the auditors and compliance group yet but you do want to be prepared," said Peterson.
Again another fantastic example of journalistic rubbish! How much did IronPort and Sophos pay to have their message delivered as an objective, talented piece of tech journalism?
Disclaimer: I’m a 15 year veteran of IT and more specifically IT security so I’m all for organizations for managing their risks, however (sorry for the age old IT security idogim folks) but throwing technology at what is a human problem does not work.
Ok lets get hypothetical. I’m a senior director of a significant company, and we’ve just invested some serious dollars in implementing inbound / outbound email content filtering, so we’ll know when our top sales guy is about to jump ship because he’ll be emailing himself or others our key client data. Wait, he opts to use an anonymous webmail account but wait, its blocked. Our fantastic web filtering solution that we implemented last year blocks access to webmail accounts like Yahoo, AOL, MSN, gmail etc. So he then turns to copying it to his USB flash drive, but again his efforts to steal our companies sensitive data is thwarted, and forget about burning it to CD or DVD that’s also covered by the same security technology. So what now? Print it out? But our printing infrastructure logs all print jobs of information that is classified as sensitive – risky business!
OK reality check, apart from the military and a few departments within some companies, are such measure necessary or even cost effective. It just doesn’t make sense to suck dry the IT budget by implementing a myriad of threat management technologies that are aimed at addressing specific or a class of threats If people want to leak the data, they will and one key point that the journalist and vendor seem to miss is what does key, sensitive, IP based data and content look like?
I recall implementing such a solution several years ago, only to re-configure the solution to only look for spam and signs of viruses etc. There were too many false positives / negatives and emails that needed to get through didn’t and emails that shouldn’t did. But more importantly the client did not want to go to the effort of understanding what data was important to them, whilst also defining an acceptable usage policy that stated emailing sensitive (ideally classified and labeled) data was unacceptable.
My final point, stop bombarding the market with statements about various US legislations without actually understanding what they actually mean to Australian businesses. I would argue that there are far more important controls and technologies to invest in before you start looking at the mentioned technologies from IronPort and Sophos. The sales teams of most vendors are rarely staffed by veterans of the industry, but rather transactional sales people aiming to hit their quota by selling licenses (Symantec / McAfee are great examples). These roles don’t attract people who want to sell solutions aligned with your business problem, they can’t afford to do that, the sales cycle is too long and they’ll miss their numbers resulting in no job. Most of them just flog the standard rhetoric of their HQ marketing people and flog on the concept of Fear, Uncertainty and Doubt (FUD). Works fine when you have a population of 300 million, lots of gullible people with more money then sense and who’ll happily eat up the FUD.