According to a report by Jupiter Research (July 2001 Jupiter Executive Survey), 49.5 percent of CIOs considered the sensitivity of their company's data as 'low.'
In a world where the threat of information security breaches is an everyday consideration, this either represents gross naivety or complete negligence. The sad reality is that by opening up networks and building knowledge-based infrastructures that empower employees to access a wider portfolio of corporate information, organizations have inadvertently opened the floodgates for mismanaged data and fostered a climate of undervalued information.
Technologies such as email pose a potentially dangerous shift in corporate mentality, a shift that is seeing the sensitivity of corporate data increasingly undermined through an ability to circulate information with a degree of immediacy unthinkable just a few years ago. Sensitive company documents, which would once have been physically filed, marked as confidential and sealed in an envelope when sent to an external party, are now easily accessible from a corporate network by large numbers of employees who have the means at hand to routinely circulate their contents around the world without a second thought.
While a great deal of attention is given to the security of data passing the perimeter of an enterprise, many organizations have been unsuccessful in managing the data itself. The growing volume of material held within the average company is now so large that although freely available through company intranets and directories, its level of confidentiality is often left uncategorized. It is this unchallenged availability, and the ease with which it can be circulated by an employee with an email connection, that is presenting a security risk that has so far largely gone unnoticed. In most cases, the circulation of sensitive data, perhaps a sales forecast or share price information, is not conducted maliciously. Instead it is carried out by the growing army of employees, to whom email is second nature, who perhaps don't assign as much importance to a piece of data as their contemporaries would have done ten years ago.
For centuries, technology has been the root cause for changes within business practice. The telephone, fax and PC are all typical modern day examples of how, once accepted as mainstream, technology can lead us along a new path of increased profitability, efficiency and communication. In the majority of cases, such changes are welcomed and this is certainly the case with email, a technology adopted with such speed and ferocity that to anyone under the age of 21 it seems hard to imagine life without it.
The problem is compounded by the rise in information security breaches, the reaction to which by many organizations is to batten down the hatches and ring-fence corporate networks with the latest software solutions. Yet, despite these measures, many organizations continue to expose themselves as easy prey by not offering a second thought to the unclassified material attached to their emails.
Of course, the suggestion is not to restrict email access across an enterprise; the advent of electronic communication certainly offers more benefits than pitfalls. Not only have once mundane work processes been simplified but employees have a far wider perspective of understanding thanks to the availability of data that would have once been locked away in a filing cabinet. Knowledge workers must be allowed to search, retrieve and manage both data and email within a secure, yet collaborative environment.
Many email solution vendors have been slow to recognize the growing demands placed on email as a business tool, undoubtedly fertilizing the trend towards free information flow whatever the cost. It should be remembered that email was never intended to be used as a tool for high-value communication. Only when it became a viable mass-market technology did it begin to flourish in industries where the confidentiality of information is business critical. Efforts to secure data circulated by email have largely been pooled around encryption technologies, yet the problem lies further down the chain, at the root source of unmanaged company information.
The way in which organizations are conducting business highlights the need to automatically classify email content in its native form from within a corporate directory, based on defined rules of usage unique to each organization. Policies and controls should be put in place to ensure the security of sensitive information without restricting its accessibility within an organization. Wrapping low-level data, such as company phone lists or staff memos, in security mechanisms achieves nothing but restricting accessibility and use.
One sector that has long understood the importance of classifying information is the military. Using security labeling technology, electronic communications are 'tagged' before dispatch. The security labels, usually applied within the default email client, allow the sender to quickly assign a level of confidentiality suitable to a particular mail and its contents. The label then automatically applies the appropriate level of security for the level of confidentiality selected.
A message of the highest confidentiality will therefore be subject to digital signing, data encryption and any other mechanism in place to guarantee the integrity of the data. A staff memo, depending on its content, may in turn pass through the gateway untouched.
Security labeling is now being applied within the corporate environment with a new generation of software adopting a more pragmatic approach by managing email on the boundary between organization and the outside world. This approach offers the benefits of configurable policy setting at a server level, allowing the definition and management of email policies from a corporate perspective regardless of desktop set-up. The responsibility of applying security is thus removed from the user and passed back to the organization.
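The label-driven gateway described above can be sketched as follows. This is an added example, not code from Nexor or any product; the header name, label names, domain and action names are all assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical names throughout: header, labels, domain and actions are
# assumptions made for this sketch, not taken from any product.
LABEL_HEADER = "X-Security-Label"
INTERNAL_DOMAIN = "example.com"

# Server-side policy: label -> actions applied when mail leaves the organization.
POLICY = {
    "unclassified": ["deliver"],                    # e.g. a staff memo passes untouched
    "confidential": ["sign", "encrypt", "deliver"],
    "internal-only": ["block"],
}
FAIL_CLOSED = ["quarantine"]  # missing or unknown label on outbound mail


def external_recipients(msg):
    """Addresses in To/Cc outside the organization (a real gateway would
    use the SMTP envelope recipients, which also cover Bcc)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [addr.lower() for _, addr in getaddresses(fields) if addr]
    return [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]


def gateway_decision(raw_message):
    """Return (label, actions) for one message crossing the boundary."""
    msg = message_from_string(raw_message)
    label = (msg.get(LABEL_HEADER) or "").strip().lower() or None
    if not external_recipients(msg):
        return label, ["deliver"]  # stays inside: accessibility is not restricted
    return label, list(POLICY.get(label, FAIL_CLOSED))


def make_sample(to, label=None):
    """Build a constructed sample message for the demo below."""
    head = f"From: alice@example.com\nTo: {to}\nSubject: Q3 forecast\n"
    if label:
        head += f"{LABEL_HEADER}: {label}\n"
    return head + "\nSee attached.\n"


if __name__ == "__main__":
    for to, label in [("bob@example.com", None), ("eve@partner.test", "Confidential"),
                      ("eve@partner.test", None), ("eve@partner.test", "Unclassified")]:
        print(to, label, "->", gateway_decision(make_sample(to, label)))
```

Because the decision is made at the server, an unlabelled message to an outside address is held rather than trusted to the sender's judgement.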
It seems it is not just the information that is undervalued, but also the resulting effects of mismanaged data and the possibility of a breach in confidentiality. Online IT resource center TechRepublic conducted a survey in January 2002 (see www.techrepublic.com) in which nearly 2,000 respondents were questioned about email and Internet usage. Surprisingly, only 18 percent of those questioned considered the leakage of company confidential information as "extremely serious," with respondents citing employees accessing pornographic content via the web or email as more of a threat. Unbelievably, just 9 percent felt the problem was "serious," less than half of those that cited the serious nature of downloading unauthorized files such as MP3s.
The same survey also looked at organizations that had fired employees on the grounds of Internet or email misuse. Again, the leakage of confidential material appeared low on the grounds for dismissal. Dismissals for recreational surfing in work time (26 percent of firings) were over double those for leaking company confidential data (10 percent). This represents one of two things. Either organizations place a lower importance on a breach of confidentiality than recreational surfing, which is unlikely, or they do not have the tools in place to either detect or prevent such information misuse. In fact, according to the U.K. Department of Trade and Industry's Information Security Breaches Survey 2002, only 27 percent of companies have a documented security policy.
As more and more organizations become dependent on electronic communication, electronic data and retrieval systems, the potential for security breaches will undoubtedly increase, no matter how much investment is made into perimeter security or user authentication solutions.
The age-old adage that the weakest link in any electronic network is the user holds true. Organizations must look internally at how employees are trained to use information, and create an understanding that corporate data is an asset and not a by-product of modern business. There is a strong argument that responsibility for security and confidentiality of information must be moved away from the user and managed centrally without, of course, restricting access. Unlike many other threats to electronic communication, this problem is entirely preventable and lies solely at the feet of an army of email users who unwittingly show complacency to valuable information each time they access their email accounts.
Humphrey Browning is head of technical consultancy at Nexor (www.nexor.com).