From President Bush's plan for victory in Iraq to bank earnings accidentally pre-released, an increasing number...
of embarrassing and costly electronic document leaks are receiving more than their 15 minutes of fame.
While few involve proven acts of industrial espionage, the resulting media attention often does more damage than the actual incident. Since regulations including HIPAA and states' data security laws require companies experiencing data leaks to notify anyone affected by such breaches, misdirected or unprotected e-docs now trigger a media feeding frenzy each time an announcement is made.
For instance, the pharmaceutical industry learned -- thanks to the "track changes" feature in Microsoft Word -- that drug giant Merck had edited a study prior to its release by deleting data linking its arthritis drug Vioxx to an increased risk of heart attacks. Also, hidden document data in the White House's National Strategy for Victory in Iraq revealed that it had actually been written by a Duke University political science professor.
"The cost to brand reputation is often more costly than any fine or regulation," said Brian Burke, research manager for IDC in Framingham, Mass. "Nobody wants to be on the front page."
For that reason, Burke said, digital document security has become a hot market with lots of new vendors. What was a $254 million market in 2004 is expected to grow to $1.9 billion by 2009.
Companies try to keep data safe from the outside world, but the majority of leaks are accidental, inside jobs. Brett Schklar, vice president of marketing for Denver-based content control vendor Vericept Corp. said that about 80% of the leaks are unintentional, but it's the other, intentional 20% that account for the most damage. The key is awareness and prevention.
"Companies have adopted and embraced the Internet," said Schklar, "but how many times have you sent an e-mail to the wrong person, or the wrong attachment to the right person?"
He said that companies have not really focused on what's going out. When Vericept performs its exposure assessment to find leaks, 90% of the time it finds something that was intentionally released but never should have been -- something serious enough that it should result in somebody getting fired.
Joe Fantuzzi, CEO of San Francisco-based document security vendor Workshare Inc, agrees that the vast majority of document release cases are inadvertent. Sometimes it's files being taken by people leaving a company without wrongful intent, and sometimes its accidental distribution.
"A simple PDF does not protect information. It can be converted back," cautioned Fantuzzi. He cited the recent case of Westpac, a large Australian bank, which sent out a PDF file to analysts with sensitive data blacked out. Someone simply cut and pasted the information into WordPad and the black lines disappeared, leaving pre-earnings details exposed.
Workshare advocates cleansing e-mail of all metadata details that could prove troublesome in the wrong hands.
Intentional leaks are even more costly. According to Joe Smith, director of product management for network security software vendor Apani Networks Inc. in Brea, Calif., security must begin inside the perimeter because even people inside the company can and will steal data, which now has a value in the open market. Organized crime has gotten involved in the practice, and there are portals where stolen credit card information can be bought and sold.
"The value of a company's stock drops with data breaches," said Apani's product marketing manager Gordon Benzie. "It's becoming a risk management play. What is the value of avoiding the risk?"
Apani recommends encrypting data and authenticating it, assigning levels of authorization down to the port level. Smith sees encryption becoming a standard, in response to the announcement requirements of the laws and regulations. "If data is encrypted, you won't have to announce it because the risk is zero," said Smith. The challenge now goes to integrators to make encryption simpler and user transparent.
Jason Jaynes, director of product management for Credant Technologies of Addison, Texas, feels encryption might not be the panacea. "The risk of encryption is that the data might not go back to its original state," said Jaynes.
With many new players in the market space, one organization is trying to help the industry move toward standards and simplicity. OATH, The Initiative for Open Authentication, based in Washington Crossing, Penn., is a consortium of authentication hardware and software companies, end-user organizations and security professionals dedicated to advancing industry-backed standards for open authentication.
"An industry and standards framework makes implementation easier to use, and more likely to be used," said OATH spokesperson Wally Kowal, VP of marketing for Toronto-based Diversinet Corp. He said that the security industry is realizing that having standards allow users to use best of breed tools with being locked into one vendor. Different tokens and servers can work together.
"Security, privacy, and convenience need to blend together," insists OATH's Don Malloy, director of business development for nCryptone, an authentication vendor in San Jose, Calif. He said that an open standard makes more sense than customized or proprietary products that tend to be more costly and less ubiquitous. Nobody owns the standard, and costs drop due to economies of scale. Adoption can take off. "As banks merge, open standards can merge too," he said.
While IDC's Burke quantifies the growth, Kowal put it simply. "It's now a much bigger pie to go after. Even the mass consumer is a market."
Ken Davis, vice president of product development for Salt Lake City-based information leakage detection and prevention company Oakley Networks Inc., advises companies to keep it simple.
"Companies need to determine what their problem is, and then decide what kind of tech solution can be implemented," said Davis. "Calm down, and set up good business procedures for when a problem exists." Davis recommends several steps:
- Identify what data to protect
- Determine who has what access
- Produce written policies
Davis advises improving employee training and implementing technology to prevent problems. "You can't save face as a company or win back trust when a customer has been hurt," he said.
Jon Boroshok is a freelance writer in Groton, Mass.