Unified communications trigger data leakage dangers, survey finds

By Robert Westervelt, News Editor
17 Jul 2008 | SearchSecurity.com


Large software and infrastructure vendors have been pushing companies toward unified communications (UC), but many firms are viewing UC as another avenue for data leakage, according to a recent survey conducted by Black Diamond, Wash.-based Osterman Research Inc.

Some firms are shopping for data leakage prevention tools as part of their unified communications projects. Many fear that sensitive company data could be difficult to control when email, Voice over Internet Protocol (VoIP) and instant messages meld with collaboration systems, multimedia services and transactional systems.

Nearly 50% of respondents are concerned about information leak prevention in their current or planned unified communications implementations, and 23% of those view leak prevention as a top priority, according to an online survey of 109 mid-to-large IT organizations in North America, conducted last month by Osterman Research.

"The major vendors are really pushing that UC message, and I think companies are starting to respond and understand that UC is a good thing, but it creates even more opportunities for data leaks," said Michael Osterman, president and principal analyst at Osterman Research.

The survey was commissioned by Belmont, Calif.-based messaging security vendor FaceTime Communications Inc.

IT pros fear a number of threats posed by melding communications onto one common data network. An attacker can intercept VoIP, instant messaging (IM) and other traffic, or worse, they can conduct a distributed denial-of-service (DDoS) attack by using a VoIP protocol to flood systems with session requests. Others fear an increase in vishing, the VoIP-enabled form of phishing.

But the risk of those forms of attack is minimal, Osterman said. Insider threats from unintentional or accidental leaks pose a greater threat, he said, and the survey suggests that IT organizations are heeding that message. Forty-eight percent of respondents view unintentional or accidental leaks of information by employees as a serious concern, as compared with 31% who named data loss due to malicious software as a serious concern.

Osterman said he's still seeing companies willing to accept the risks involved with UC rather than being proactive by implementing technologies or sound security policies. For example, a consultant couldn't convince a company to implement an email archiving system. The firm decided to pay fines instead.

Companies need to begin with the basics and develop a multi-layer defense strategy, Osterman said. Companies can implement portions of a data leakage prevention system by focusing on the data governing rules outlined by their industry. For example, a merchant can implement a system that monitors all outbound email and IM for 16-digit character strings.
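The 16-digit monitoring rule described above, sketched as an added example (not code from the article, Osterman Research or any vendor product). The Luhn checksum step goes beyond what the article describes and is included to cut false positives; the function names and sample messages are constructed for illustration.

```python
import re

# 16 digits, optionally grouped in fours by a single space or hyphen,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> list:
    """List every 16-digit candidate in an outbound email or IM body."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        findings.append({
            "offset": m.start(),
            # Never write the full number to the DLP log.
            "masked": "*" * 12 + digits[-4:],
            "luhn_valid": luhn_ok(digits),
        })
    return findings


def should_hold(text: str) -> bool:
    """Policy decision: hold the message if any candidate is Luhn-valid."""
    return any(f["luhn_valid"] for f in scan_message(text))


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a common test number.
    samples = [
        "card is 4111-1111-1111-1111 exp 12/09",
        "Order ref 1234567890123456 shipped today",
        "Call me at 555-0100 after lunch",
    ]
    for body in samples:
        print(should_hold(body), scan_message(body))
```

A plain 16-digit match also fires on order and tracking numbers, which is why the second sample is logged as a candidate but not held.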

"We're starting to find organizations that are at least thinking about the issues, but there are a lot of companies that don't realize the negative ramifications of what they're doing," he said.
