Pop question No. 1: What percent of your employees send sensitive company documents to their Gmail accounts?
Pop question No. 2: When you lay off 15 percent of your workforce, should you fire the information security manager a) first, b) last, or c) give her an incentive to help ensure that a breach of company IP and customer lists doesn’t happen?
With all the 30,000-foot strategic talk from Gartner and IDC about enterprise risk management, I think most CEOs are blindsided when a data breach happens, having either ignored the risk of data theft during organizational changes or assumed that information security is a “given”.
In a large firm, the CEO delegates the responsibility to the CISO, who has a dedicated team for security and compliance. In smaller companies without a dedicated security function, responsibility for information security falls on the IT department. IT tends to see security as technical overhead that gets in the way of running the ERP systems, so security becomes an issue of security products, plus policies and procedures for appropriate Internet usage.
A company running current best-practice security products, say Check Point firewalls, an ISS IPS and Symantec SIM (security information management), can still be totally unaware that most of its employees send company documents to their personal Gmail accounts on a regular basis. Those controls are built to spot attacks coming in; an outbound message to gmail.com with a spreadsheet attached is perfectly legitimate traffic as far as a firewall or IPS is concerned.
Monitoring outbound mail on a few simple metadata parameters (such as attachment file type and recipient email domain) can be a highly effective way of improving data security. You don’t necessarily need deep content inspection, but you must be prepared to monitor for violations and act quickly on corrective action. It’s as simple as seeing the event in real time on an extrusion detection system such as Fidelis Security Systems XPS, then walking over to the employee and asking her not to send the company’s 2009 sales forecast to a private Gmail account. Expect false positives: a file-type-plus-domain rule will also flag someone mailing their own resume to themselves, so treat the alert as the trigger for that conversation rather than as grounds for an automatic block.
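As an added example of the metadata-only check described above (written for this page, not code from Fidelis or any other product), the script below parses an outbound message, collects recipient domains and attachment filenames, and flags document attachments bound for personal webmail domains. The webmail and extension lists, the company domain and the sample messages are all constructed for the example; a real deployment would feed it the envelope recipients from the mail gateway (shown via the optional envelope_rcpts argument) rather than trust the To/Cc headers alone, since Bcc recipients never appear in headers in transit.

```python
"""Outbound-mail metadata check: flag document attachments sent to
personal webmail domains.  Added illustration; the lists below are
assumptions for the example, not a vendor rule set."""
import email
import os
from email import policy

# Personal webmail domains to watch (assumed list; extend for your environment).
PERSONAL_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com"}
# Attachment extensions treated as "company documents" (assumed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".csv"}


def recipient_domains(msg):
    """Lower-cased domain of every address in To/Cc/Bcc headers."""
    domains = set()
    for name in ("to", "cc", "bcc"):
        for header in msg.get_all(name, []):
            for addr in header.addresses:
                domains.add(addr.domain.lower())
    return domains


def attachment_names(msg):
    """Filenames of every MIME part that carries one (walks the whole tree)."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            names.append(fname)
    return names


def check_message(raw, envelope_rcpts=()):
    """Return a list of (domain, filename) violations; empty means clean.

    envelope_rcpts: RCPT TO addresses seen by the gateway, which catch Bcc
    recipients that the headers will never show.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    domains = recipient_domains(msg)
    domains |= {r.rsplit("@", 1)[1].lower() for r in envelope_rcpts if "@" in r}
    hits = domains & PERSONAL_WEBMAIL
    if not hits:
        return []
    docs = [f for f in attachment_names(msg)
            if os.path.splitext(f)[1].lower() in DOCUMENT_EXTENSIONS]
    return [(d, f) for d in sorted(hits) for f in docs]


# Constructed sample messages (not real traffic). The base64 body is a stub;
# the check never looks at content, only at headers and part metadata.
_ATTACHMENT = """\
--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Content-Disposition: attachment; filename="2009-sales-forecast.xlsx"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

SAMPLE_VIOLATION = """\
From: alice@example.com
To: Alice Home <alice.home@gmail.com>
Subject: FYI
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

""" + _ATTACHMENT

SAMPLE_INTERNAL = """\
From: alice@example.com
To: bob@example.com
Cc: Carol <carol@example.com>
Subject: FYI
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

""" + _ATTACHMENT

SAMPLE_CHAT = """\
From: alice@example.com
To: alice.home@gmail.com
Subject: lunch?
Content-Type: text/plain

noon?
"""

if __name__ == "__main__":
    for label, raw in (("violation", SAMPLE_VIOLATION),
                       ("internal", SAMPLE_INTERNAL),
                       ("chat", SAMPLE_CHAT)):
        print(label, check_message(raw))
    # Bcc case: headers look internal, but the gateway saw a gmail.com RCPT TO.
    print("bcc", check_message(SAMPLE_INTERNAL, envelope_rcpts=["x@gmail.com"]))
```

The rule deliberately ignores message bodies, matching the point above that file type and destination domain alone are enough to surface the behaviour; the envelope-recipient argument is what makes the Bcc case visible.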