What can we learn from WikiLeaks?
It is past time for private and public sector leaders in every part and at every level of an organization to take responsibility for data loss. Other kinds of failures are not tolerated under their leadership. IT security should not be any different.
Large data breaches occur because of a lack of security; security is lacking either because adequate policies are not in place or existing policies are not being enforced.
The recent WikiLeaks incident, where hundreds of thousands of sensitive government documents were released to the public, is yet another reminder of the importance of data security, and should serve as a good warning for organizations: data loss can happen, but the probability of its occurrence – and the extent of loss – can be minimized.
Despite repeated examples of data loss over the past few years, and despite their disastrous consequences, many organizations still lack clear data security policies and fail to deploy the right security arsenal to prevent them.
While they take all the necessary measures to protect their physical infrastructure and facilities – controlling and restricting access to physical sites – they fail to protect their informational and digital assets. Yet, this is where the organization’s innermost secrets reside – confidential files, sensitive emails and other records – all assets that need to be shielded from the outside world.
Military members in particular understand that in today’s coalition environment, IT security is not a “nice to have.” They expect it from their partners and their partners expect it from them.
So how to protect sensitive information? Everybody today is under pressure to produce results fast. But no matter how fast soldiers move, they don’t forget their personal protective equipment. We need the same mindset for the networks we create, even the instant, ad hoc networks that are created in a hurry.
IT personnel can’t be looking over everybody’s shoulders all the time, but leaders at every level can learn more about IT security and set the standard.
The first step is to know and understand data security policies. Establish the responsibility for appropriate privacy settings and clearly define who is entitled to access specific types of information, as well as what confidential data is visible and to whom. Second, know and understand the kinds of security that should be deployed and make sure it’s operating.
A data loss prevention (DLP) solution prevents sensitive data from being leaked out of the organization – regardless of intent. For instance, if someone inadvertently sends a confidential email to the wrong recipient, or with the wrong attachment, the DLP solution can identify the fault, block the email and proactively prevent data loss before it occurs.
Data and device encryption makes it harder for unauthorized people to view or use the confidential information. Data encryption solutions protect both “data-at-rest” and “data-in-transit” on every endpoint – not just laptops, but also the USB sticks, smart phones and other portable devices that can store sensitive information. Should the devices be lost or stolen, the data remains encrypted and inaccessible to an outsider.
Document security can provide IT administrators (or end-users) with granular control over who can view, open, send or even print confidential information. This helps prevent the misuse, modification, loss or theft of sensitive information and adds an additional layer of protection throughout the data lifecycle.
Virtual private networks provide secure connectivity to networks, remote and mobile users, branch offices and business partners. A VPN turns any network into a private, secure and encrypted communication channel, and efficiently protects all corporate data in transit.
WikiLeaks was not a drill. Data security technology, combined with proper use policies and compliance standards, can significantly decrease the risks of data disclosures.
It’s not too late to prevent the next WikiLeaks. An event of that magnitude should alert organizations to the urgency of the problem, and push data security higher up on their agendas in 2011.
Paul Comessotti is Canadian regional director and Kellman Meghu is national security engineering manager at Check Point Software Technologies.