Finding out your perimeter security is about as effective as a sieve is a chastening experience. Monster.com is the latest IT service company to suffer large-scale leakage of sensitive data from its disk drives. Not surprisingly the major IT consultancies are offering guidance and advice on how to deal with the data breach problem, and focusing on insider leak prevention (ILP).
Symantec and Accenture have an alliance that includes looking at ILP issues. They state, "It is hoped customers will use Accenture and Symantec's Security Transformation Services, to build and implement data security projects for organisations grappling with the increasing complexity of managing risk in their IT environment."
Both Forrester and Accenture have ILP awareness-raising efforts underway.
Forrester has a focus on information leak prevention (ILP), with a Forrester Wave study released last year that looked at several vendors.
Thomas Raschke is a Forrester senior analyst specialising in the subject of data leakage. He views the insider threat as serious: employees, people inside the perimeter, deliberately or accidentally revealing sensitive information. They may lose laptops or remove information on USB sticks. Raschke says: "it's down to users making mistakes or acting intentionally. The traditional external security focus doesn't work," as it tries to keep bad people out.
In the insider threat situation companies need to think of extrusion prevention, not intrusion prevention. He says that there have been several US start-ups in the last couple of years with: "ILP products applying policies based on content and context. They aim to deny data movement in an illegitimate business context."
However, it is still very early days in this new IT product sector.
The problem is that: "You need to know what to protect in order to protect it." He says that traditionally IT data security is a security officer problem but that, in instances such as the Monster one above, it rapidly becomes a CEO-level problem.
There is a difficulty in gauging the size of the problem represented by ILP. Raschke has no financial cost estimates of such data loss and says that the reputational damage can be severe. He says: "The banks can't afford it."
There is a difficulty with accepting this assertion, as no authority can identify banks or other financial institutions that have lost customers in any numbers through ILP. For example, there is no evidence that Nationwide in the UK has suffered any customer loss because of its publicised data breaches. Banks are used to being resented and disliked by their customers.
Apparently though, TK Maxx has suffered customer loss since its major data breach in the USA, both in its online and in its bricks-and-mortar businesses. This was a gigantic breach, with 45.7 million credit and debit card details stolen from the site. However, this was due to intrusion, not internal leakage. So while ILP must in theory be a potentially serious problem, there is no reasonably satisfactory estimate of the actual size of the problem.
This point is worth bearing in mind as Raschke's prescription for dealing with it is large scale: "We're moving to putting protection around the data itself, like a wall around the data itself. ILP impacts people, processes and technology."
We are more mobile in our working than ever before. Therefore putting protection around the data would allow the mobility that companies need.
Imagine, though, how you go about this protection based on content and context. You must know the content of the files on your storage systems. That means petabytes of information spread across the whole organisation need to be surveyed and have their component parts classified, looking, for example, for credit and debit card numbers, national insurance numbers and so forth. This is a gigantic new exercise in data mining.
You need to know the context of the access: who in what role and in what circumstances they are trying to access particular types of information. It means the creation of hundreds, possibly thousands, even tens of thousands of policies governing who can do what with which pieces of information in which circumstances.
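The two steps just described, classify content, then apply a policy keyed on who is moving it and in what circumstances, are what an ILP product does at its core. The following is an added example written for this article, not code from Forrester, Accenture or any vendor named here: a small Python content classifier (payment card numbers validated with the Luhn checksum, UK National Insurance numbers matched with a simplified format rule, which is an assumption rather than the full HMRC prefix rules) and a constructed policy table evaluated against an access context of role, device and destination. The file contents, role names and destinations are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number: two letters, six digits, one final letter A-D.
# Simplified format check (assumption): the real rules exclude further prefix pairs.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Content classification: return the set of sensitivity labels found in the text."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            labels.add("PAYMENT_CARD")
    if NINO_RE.search(text):
        labels.add("NI_NUMBER")
    return labels


def survey(files: dict[str, str]) -> dict[str, set[str]]:
    """Survey a store: map each file name to the labels its content carries."""
    return {name: classify(content) for name, content in files.items()}


@dataclass(frozen=True)
class AccessContext:
    role: str              # e.g. "payments-clerk", "marketing" (constructed role names)
    managed_device: bool   # corporate, managed laptop versus an unmanaged device
    destination: str       # "internal", "removable-media" or "external-email"


# Constructed policy table: which roles may move each label, and where it may go.
POLICY = {
    "PAYMENT_CARD": {"roles": {"payments-clerk", "fraud-analyst"}, "destinations": {"internal"}},
    "NI_NUMBER": {"roles": {"hr", "payroll"}, "destinations": {"internal"}},
}


def decide(labels: set[str], ctx: AccessContext) -> tuple[str, list[str]]:
    """Context check: deny the movement if any label's rule is violated, with reasons."""
    reasons: list[str] = []
    for label in sorted(labels):
        rule = POLICY.get(label)
        if rule is None:
            continue   # unclassified or unregulated content is not restricted
        if ctx.role not in rule["roles"]:
            reasons.append(f"{label}: role {ctx.role!r} not permitted")
        if not ctx.managed_device:
            reasons.append(f"{label}: unmanaged device")
        if ctx.destination not in rule["destinations"]:
            reasons.append(f"{label}: destination {ctx.destination!r} not permitted")
    return ("DENY" if reasons else "ALLOW", reasons)


if __name__ == "__main__":
    # Constructed sample file store.
    store = {
        "refunds.txt": "Customer card 4111 1111 1111 1111 refunded on 12 March",
        "newsletter.txt": "Order reference 1234 5678 9012 3456 shipped",   # fails Luhn: not a card
        "payroll.txt": "Employee NI number AB123456C, grade 4",
    }
    for name, labels in survey(store).items():
        print(name, sorted(labels))
    # An executive copying refunds.txt to a USB stick is denied even in a permitted role.
    print(decide(classify(store["refunds.txt"]), AccessContext("payments-clerk", True, "removable-media")))
```

Even this toy shows where the effort lands: the classifier is a few lines, but every entry in the policy table is a business decision about which role may move which class of data where, which is exactly the hundreds or thousands of policies described above.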
Now try to put a cost on this potentially vast and multi-year ILP effort, and bear in mind that the organisation proposing you do it hasn't been able to quantitatively size and scope the problem. If their proposal were a business plan which you were being asked to finance, it's doubtful you would support it. Perhaps, though, the reputational effects of a data breach due to insider action are so affecting at CEO level that normal rules don't apply.
It's probably better to subsume ILP into general data security efforts.
(A presentation deck used by Raschke can be downloaded here.)
Stuart Okin, a senior executive at Accenture, also has a focus on ILP. He says: "There is a lot of (fear, uncertainty and doubt) around this. Has there been a major impact, a large company disappearing because of it? No." He asserts that it has happened to smaller companies. Again, no examples were cited, but: "Nobody wants to be the first."
Accenture also has the same difficulty as Forrester in putting a cost figure on insider data breach instances.
Teresa Park, a security project manager at Accenture, says that data breaches can generate operational costs, such as those pertaining to new card issuance. Companies want to avoid this. She said that some banks were trying to recover their TK Maxx data breach-related costs from the company.
Okin says ILP is not yet a major presence on the radar screens of Accenture's clients. When it is, a substantial effort is undertaken: "They are more focused on privacy issues. But when they work on a complete information store classification effort, outside the military and government sphere, then it is a multi-year effort."
Okin is keen that security should be presented positively, saying: "Security has moved on from 'let's disable it' to something else. Business doesn't want security to be a disabler any more. We must maintain flexibility in the business."
There is a distinct difference here between physical security measures and the measures that the consultancies are saying should be presented as enablers. For example, no company selling razor wire to stop thieves breaking into warehouses would present it as a business enabler. It's vicious wire to stop villains breaking in. Similarly, physical security measures such as having staff show badges at office exit reader stations and CCTV recording are not presented as business enablers. They are just there to make life hard for intruders trying to get out.
Yet if Okin tries to talk at this level to CxO level people they will stop him. He quotes one supermarket director who stopped him in mid-flow during a security presentation and said: "My job is to sell baked beans. How will what you are selling help me to sell more baked beans?" Hence Okin's assertion that security must be presented as a business enabler.
Sitting outside the boardroom, as this writer does, one cannot imagine the same director stopping a physical security consultant in mid-presentation and asking how his prescription of razor wire perimeter fences and CCTV cameras would help him sell more baked beans. If he did, then we might reasonably ask whether that director understood the problem. In other words, asking how an IT security initiative could help him sell more baked beans is evidence of directorial silliness and naivety, not boardroom focus and cutting to the chase.
That is the problem here. A supermarket director will well understand the cost implications of product leakage (insider theft) and delivery lorry hijacking. But that person won't understand the cost implications of ILP - because no-one does. It is an unquantified problem, and possibly, an unquantifiable one.
In this circumstance, selling services to help prevent ILP as a preventative for actual and possible reputational loss is a sound sales tactic. CxO-level red faces are not wanted, but how much money should you spend on avoiding them?
As Raschke pointed out, there is a tension between providing business flexibility in an unfettered way and providing absolute security. One affects the other.
User education is a vital thing. We all take special care of certain kinds of paper. It is kept in one place, mentally counted in and out of that place, and only passed on to other people in carefully controlled circumstances. We all do this, every day and everywhere, and we are so used to it that the inconvenience isn't noticed any more - but then five pound notes and wallets are thoroughly well understood.
Okin and Raschke both agree that executives can be quite undisciplined, copying data to USB sticks with gay abandon. In principle it would seem that there is little impediment to raising executive awareness so that they treat sensitive data and USB sticks in the same way as they treat five pound notes and their wallets.
Okin said that training in data security and privacy must be certified at the individual level inside Accenture, otherwise promotion prospects are impacted adversely.
ILP is a very grey, a very fuzzy area. Preventing data breaches in general is a simpler thing. Okin suggests that: "We are moving to a world where we encrypt everything." That would sort out the lost laptop/stolen desktop/mislaid USB stick problem. It would also make intrusion much more difficult, as the hacker would need both to gain access and to obtain a decryption key.
But, he works for a consultancy after all: "There is no single panacea for any of this."
Calum Macleod, European director for Cyber-Ark, thinks differently. Referring to the Monster breach he said: "The worst part about the data hacking is that it could so easily have been avoided, had the job seeker's website encrypted the personal data of its millions of users."
Why can't point solutions work? After all, a branch office will simply buy a new lock if one of its doors is found not to have one. No supplier would suggest a root-and-branch security assessment as a response to such an event.
Raschke says: "Point solutions are okay if the risk assessment says so."
Park disagrees: "They are like a swipe card drive and users have to buy a new card and it has to be maintained and so on. It's not a simple thing."
What is clear about consultancies and ILP is that they will say it is a complex problem, that qualitatively it is potentially severe, that 'solutions' to the problem can be business enablers, and that their special brand of directorial-red-face cream is affordable because 'your reputation is worth it!' It's the L'Oreal skin cream product strategy - and possibly about as sensible.
Remember, though, that no large business has been shown to have suffered any substantial cost due to internal data breaches. The TK Maxx case is not relevant to ILP and nor is Monster. Before undertaking any million-pound-plus project to assess your ILP vulnerability and devise potential measures to mitigate it, have the proposer put you in touch with one or more companies that suffered at least that cost due to an ILP event.
You may wait quite a time before they come back.