This week, Forbes’ Andy Greenberg published an interview with WikiLeaks’ Julian Assange. In the interview, Assange says he is moving beyond exposing government secrets to exposing the secrets of big business. Target number one will be a major American bank, promises Assange.
While technology can’t put a genie back into a bottle, it can give an organization the tools needed to deal with this type of problem going forward. Data Loss Prevention (DLP) technology can block attempted USB thumb drive use, or send up alarm flares when an otherwise “normal,” authorized user suddenly copies hundreds of MBs of sensitive information to their laptop in preparation for a hasty defection to a competitor or sharing with the likes of WikiLeaks. DLP allows organizations to prevent critical information from leaving their networks and to see where information flows and who sent it, so they can take action. McAfee’s unique DLP Capture technology shines a light on business processes (documented and not), and provides unparalleled tools for performing investigations. Of course, a good data protection posture also combines DLP with other technologies such as encryption, device control, and access control.
In recent years, businesses have struggled to create more transparency with their employees, business partners, customers, and regulators. Paul Proctor of Gartner Research has been talking about this since the 2009 Gartner ITXpo when he said, “This all reflects a huge cultural shift. Most traditional security programs are designed only to keep the bad guys out and protect the information within. Rather than affording the proactive disclosure of information to foster trust in the organization. But doing just that – changing your posture from need to know to accommodating transparency – well, that’s going to be essential as we prepare for the return to growth in the new business environment. We can’t go back to the old approach of only protecting and restricting.”
From a technology perspective, this is exactly the kind of problem that DLP is designed to solve. DLP not only helps prevent insiders from leaking information, but it helps risk management and security enable business rather than inhibit it.
Of course, technology alone can’t solve the problem. While IT departments might well be able to protect regulated data that is clearly identifiable (e.g., credit card numbers, SSNs, and other PII), they are not typically in a position to identify the very information that makes the business competitive and ensures its very survival – its intellectual property. No, protecting sensitive information is truly a business problem, rather than a straight technology problem.
Further, proper internal controls must accompany technology deployment. Our most successful customers are those who invest the time and energy to involve their cross-functional business leaders in the process leading up to a technology deployment. At the end of the day, it’s these very business leaders who are best able to identify what information is sensitive to the organization, and who therefore need to be involved up front, as well as when an incident occurs and needs remediation.
I’m not sure that WikiLeaks’ promised disclosure will bring down a financial institution, but it should give pause to those organizations who have not yet implemented a data protection strategy.