More from our Reshaping Information Security MarketInsight study. This section tackles the topic of Information Safeguards and how a practical approach is essential.
Information Safeguards
Another issue top of mind for the participants was how to control the release of sensitive information. The guidance from many was to take a “common sense” approach, and that any technology solution deployed must be practical.
Most participants had some sort of content filtering in place but were struggling with false positives, a lack of deep inspection (including attachments), and the overall effort required to manage a system that was providing limited-to-no relevant and actionable information. In fact, some perceived monitoring to be a “Pandora’s Box” with more headaches than benefits, and several participants advocated weighing the risk present against the risk you are willing to accept as a way to tackle this issue without draining IT resources to police it. All were incident driven and reactive rather than proactive in approach, with limited knowledge of what was leaving via email or what was being forwarded outside the company.
Taking inventory of where your information assets reside and who has access to them is essential, although digital rights management (DRM), one way of enforcing that access, was only in the early evaluation stages at several companies.
After much discussion, there was consensus that there is no perfect technology to address this issue, but that you must demonstrate that you have done your due diligence and implemented basic or minimum safeguards. Technology supports the solution, but people are still the ones who distribute information via email. Controlling access so that only authorized personnel can get sensitive information is a mandatory step, and identifying what could be confidential or sensitive must occur at some level. How that is done is more complex: be it through establishing an “asset risk management function” or getting the business owners to identify what to look for (keywords, documents, fingerprints, etc.). Building awareness, enforcing through exception monitoring, and implementing the guidance through system controls will begin to safeguard company information.
Participants also noted that implementing system controls to safeguard company information “doesn’t earn money” and that their time is better spent on projects that are good for the top line (i.e., revenue growth). Although you cannot stop the determined insider, and eliminating all the exposure that email creates is not feasible, you must try. But, as previously pointed out, clamping down in one place is like “squeezing one end of a balloon”: it will only push the problem to another.