Three steps CIOs should take to protect corporate data

Year after year, corporate IT departments spend millions of dollars to secure the perimeters of their networks. Firewalls, gateway filtering technology, intrusion-detection systems and monitoring services are several methods that large enterprises use to keep hackers and malicious code exploits out of their systems.

Today, companies still spend heavily on perimeter security systems, even though recent market changes demand protection and control of something that has largely been ignored: the data itself. One such driver is the ever-expanding boundary of the corporate workforce. Wireless technology and supply chain connectivity make it possible to move vast amounts of information outside the traditionally secure enterprise walls, increasing the risk of exposing regulated data, such as customer, employee and financial information.

Recent regulations specify that protection and control must apply to the data itself. The public is demanding that corporations become vigilant stewards of their data, apply appropriate safeguards and follow defined processes in the event that such data is compromised. The California Database Security Breach Act, which took effect July 1, is one example. It states that any organization, regardless of its location, that electronically holds nonpublic personal information on California residents must notify those residents whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Similar federal legislation is pending, with the potential to increase the scope and impact of the California law. Failure to comply can result in stiff financial penalties and lawsuits that could cost a corporation millions of dollars, along with negative publicity and the loss of customer and investor confidence.

Jim Schoonmaker

Such examples of governmental regulation and the rising number of high-profile identity and intellectual property theft cases shift the spotlight from the network to the data as the security priority for organizations. Unfortunately, many CIOs don't know how or where to begin to implement effective measures to secure sensitive data and avoid information breaches. Network security solutions such as firewalls, virtual private networks and intrusion-detection systems aren't enough to demonstrate true compliance with regulations focused on data protection.

CIOs need to turn their security priorities inside out and employ proactive measures that protect data throughout its life cycle. From the moment a customer record, employee file, product spec sheet, financial statement or executive memo is created or edited, organizations need to ensure that only authorized users have access to it. Organizations must retain control of their regulated data regardless of who has it (current or terminated employees, partners, suppliers and contractors), how it's distributed (e-mail, instant messaging, USB keys and other removable storage), where it's accessed and used (corporate network, Internet or home) and what actions are taken on it (read, write, save, cut, copy or paste).

Here are three steps that CIOs can take to comply with regulations for the protection of corporate data:

  1. Encrypt all regulated data, regardless of how it's created or distributed. This is harder than it sounds: encryption and decryption must happen consistently across every relevant application without changing the way users work. File- or container-based encryption tools such as Pretty Good Privacy (PGP) aren't sufficient on their own, because the sender and the receiver must apply the encryption themselves and take an active part in keeping the protection in place.

    Studies have found that if users have to enable the encryption, or can remove the data from its secure container, the initial protection is removed more often than not. Full disk encryption is another approach, in which the entire physical drive on a device is encrypted at rest. It is a reasonable defense against the theft of a powered-off laptop; however, the disk is transparently decrypted for whoever logs in, so once a thief obtains or guesses the user's login password (or takes the machine while it is running and unlocked), every file is available in unencrypted form.

    Neither approach does anything to protect regulated data once an "authorized" user becomes "unauthorized," such as a sales manager who leaves for the competition or an employee who is laid off or fired: the departed user still holds the keys or passphrases that open the copies in their possession.
  2. Control and monitor access to and the use of data. Encryption is a good first step, but it secures the data only at rest or in transit; it does nothing to maintain control of the data when it's unencrypted and used within applications. The control must extend to the data throughout its use in unencrypted form and provide privileges, or rights, based on the user's role and sensitivity of the data. This control should include evidentiary-quality monitoring and logging of users' actions on regulated data, in the event of a breach or compliance audit.

    By monitoring how, when and by whom data was edited, copied and pasted, printed, and read, companies can create rich audit trails that demonstrate compliance with regulations and track down those parties responsible for the breach should legal action ensue.
  3. Enforce policies at all times. The business must be responsible for defining appropriate usage policies and retaining control of regulated data at all times. Solutions that leave ultimate control of policy definition and management to the individual authors of data are doomed to fail because of the dynamic nature of business. To paraphrase a popular aphorism, security policies must be thought through and managed globally (from a central location) but enforced locally (at every point where the data is used). Most important, policy enforcement must be nonintrusive to the way professionals work, or users will disable or circumvent the security technology. Deploy only products and processes that allow users to conduct business as usual.
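The mechanics behind steps 2 and 3, and the revocation problem raised under step 1, can be shown concretely. The following is an added example written for this page, not code from the author or from any product the article describes. It enforces a centrally managed role policy at the moment of use, records every decision in a hash-chained audit log authenticated with an HMAC key that only the audit service holds, and shows that removing a departed user from the central directory denies their next access even though they may still hold copies of the data. The role names, user names, record name and audit key are constructed for the example; encryption of the record contents themselves (step 1) would sit beneath this layer and is not shown.

```python
import hashlib
import hmac
import json
import time

# Constructed central policy: role -> actions permitted on regulated data.
# Managed in one place so a change takes effect at every enforcement point.
POLICY = {
    "finance_analyst": {"read", "edit", "print"},
    "sales_manager": {"read"},
}
# Constructed directory: user -> role. Deprovisioning removes the user here.
DIRECTORY = {"alice": "finance_analyst", "bob": "sales_manager"}

# Assumption: held by the audit service only; endpoints and users never see it,
# so they cannot forge entries or rewrite their own history.
AUDIT_KEY = b"example-audit-hmac-key-not-for-production"


class AuditLog:
    """Hash-chained, HMAC-authenticated record of every decision on regulated data."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.prev_mac = self.GENESIS

    def _mac(self, entry):
        # Canonical serialization so writer and verifier MAC identical bytes.
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, user, action, record_id, decision):
        entry = {
            "ts": time.time(),
            "user": user,
            "action": action,
            "record": record_id,
            "decision": decision,
            "prev": self.prev_mac,  # binds this entry to the one before it
        }
        entry["mac"] = self._mac(entry)
        self.prev_mac = entry["mac"]
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was altered, reordered or removed from the chain."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(body), entry.get("mac", "")):
                return False
            prev = entry["mac"]
        return True


class PolicyService:
    """Central policy decision point; every request is logged, allowed or not."""

    def __init__(self, policy, directory, log):
        self.policy = policy
        self.directory = dict(directory)
        self.log = log

    def authorize(self, user, action, record_id):
        role = self.directory.get(user)
        allowed = role is not None and action in self.policy.get(role, set())
        self.log.append(user, action, record_id, "allow" if allowed else "deny")
        return allowed

    def deprovision(self, user):
        # The user keeps whatever copies they have; the next access is still denied.
        self.directory.pop(user, None)


def run_scenario():
    """Constructed walk-through: permitted use, over-reach, then revocation."""
    log = AuditLog(AUDIT_KEY)
    svc = PolicyService(POLICY, DIRECTORY, log)
    decisions = [
        svc.authorize("alice", "edit", "Q3-forecast.xls"),  # allow: role permits edit
        svc.authorize("bob", "edit", "Q3-forecast.xls"),    # deny: sales_manager may only read
        svc.authorize("bob", "read", "Q3-forecast.xls"),    # allow
    ]
    svc.deprovision("bob")                                  # bob leaves for a competitor
    decisions.append(svc.authorize("bob", "read", "Q3-forecast.xls"))  # deny: revoked centrally
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_scenario()
    print("decisions:", decisions)
    print("log intact:", log.verify())
    log.entries[1]["decision"] = "allow"  # an insider edits the record of a denied attempt
    print("log intact after tampering:", log.verify())
```

Each entry's MAC covers the previous entry's MAC, so editing, reordering or deleting an entry in the middle breaks the chain and `verify()` reports it. One caveat for audit evidence: silently truncating the tail of the log is not detectable from the log alone, so a real deployment periodically anchors the latest MAC somewhere the log writer cannot reach (a separate system, a signed timestamp or a printed register).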

The question for today's CIOs is not whether they will protect their company's regulated data, but when and how. The current wave of legislation is the tip of the iceberg, with the majority of its potential impact sitting beneath the surface of today's litigious waters. CIOs must take steps now to safeguard their company's regulated data and intellectual property or drown from the deluge of customer and investor loss.


Copyright © 2003 IDG Communications, Inc.
