Large software and infrastructure vendors have been pushing companies toward unified communications (UC), but many firms are viewing UC as another avenue for data leakage, according to a recent survey conducted by Black Diamond, Wash.-based Osterman Research Inc.
Some firms are shopping for data leakage prevention tools as part of their unified communications projects. Many fear that sensitive company data could be difficult to control when email, Voice over Internet Protocol (VoIP) and instant messages meld with collaboration systems, multimedia services and transactional systems.
Nearly 50% of respondents are concerned about information leak prevention in their current or planned unified communications implementations, and 23% of those view leak prevention as a top priority, according to an online survey of 109 mid-to-large IT organizations in North America, conducted last month by Osterman Research.
"The major vendors are really pushing that UC message, and I think companies are starting to respond and understand that UC is a good thing, but it creates even more opportunities for data leaks," said Michael Osterman, president and principal analyst at Osterman Research.
The survey was commissioned
IT pros fear a number of threats posed by melding communications onto one common data network. An attacker can intercept VoIP, instant messaging (IM) and other traffic, or worse, they can conduct a distributed denial-of-service (DDoS) attack by using a VoIP protocol to flood systems with session requests. Others fear an increase in vishing, the VoIP-enabled form of phishing.
But the risk of those forms of attack is minimal, Osterman said. Insider threats from unintentional or accidental leaks pose a greater threat, he said, and the survey suggests that IT organizations are heeding that message. Forty-eight percent of respondents view unintentional or accidental leaks of information by employees as a serious concern, as compared with 31% who named data loss due to malicious software as a serious concern.
Osterman said he's still seeing companies willing to accept the risks involved with UC rather than being proactive by implementing technologies or sound security policies. For example, a consultant couldn't convince a company to implement an email archiving system. The firm decided to pay fines instead.
Companies need to begin with the basics and develop a multi-layer defense strategy, Osterman said. Companies can implement portions of a data leakage prevention system by focusing on the data governing rules outlined by their industry. For example, a merchant can implement a system that monitors all outbound email and IM for 16-digit character strings.
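The merchant rule described above, sketched as an added example that is not from the article or from any product it mentions: it scans outbound message text for 16-digit strings and, going one step beyond the article, applies the Luhn checksum to separate likely card numbers from order or tracking numbers. The function names, sample messages and the BLOCK/REVIEW labels are assumptions made for illustration.

```python
import re

# 16 digits, optionally grouped in fours by single spaces or hyphens; the
# lookarounds stop a match from being carved out of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(channel: str, sender: str, body: str) -> list[dict]:
    """Return one finding per 16-digit string in an outbound message body."""
    findings = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        findings.append({
            "channel": channel,
            "sender": sender,
            # Never log the full number: the alert must not become a leak.
            "masked": "*" * 12 + digits[-4:],
            "luhn_valid": luhn_ok(digits),
        })
    return findings


# Constructed sample traffic (hypothetical senders; well-known test card number).
SAMPLES = [
    ("email", "alice@example.com", "Customer card is 4111 1111 1111 1111, exp 01/30."),
    ("im", "bob@example.com", "Order tracking number 1234567890123456 shipped."),
    ("im", "carol@example.com", "Call me on 555-0100 about invoice 20240117."),
    ("email", "dave@example.com", "ref 41111111111111112222"),
]


def scan_all(samples):
    """Scan every (channel, sender, body) tuple and flatten the findings."""
    return [f for s in samples for f in scan_message(*s)]


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print("BLOCK" if f["luhn_valid"] else "REVIEW", f)
```

A bare 16-digit match also fires on tracking and reference numbers, which is why the checksum result is reported alongside each finding rather than treating every match as a card number.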
"We're starting to find organizations that are at least thinking about the issues, but there are a lot of companies that don't realize the negative ramifications of what they're doing," he said.