Dealing with data leakage
Take steps to safeguard digital assets
By Phil Zinkewicz
There’s a relatively new phrase being used in IT circles these days: data leakage. It doesn’t sound all that awful, does it? So, you’ve got a leak. Big deal! Management doesn’t need to pay all that much attention to it. Someone will get around to it sooner or later.
However, as Tracey Vispoli, vice president of Chubb & Son and Global Cyber Solutions Manager for Chubb Specialty Insurance, puts it: “Leaks never look serious. You ignore a leaky faucet until you realize that you’re losing 40 gallons of water a day. It’s when you realize the impact of that leak that you start paying attention.”
Vispoli describes data leakage as “the small bits and bytes leaving an organization day by day” and possibly getting into the wrong hands. “It could be personal information about employees, corporate trade secrets or even electronic keys to bank accounts. The information is leaking into the outside world, and its cost to business is difficult to quantify.”
These days, a great many financial transactions take place without any face-to-face contact, and these transactions occur based on names and numbers—addresses, account numbers, Social Security numbers. People use their credit cards to make online purchases, or a bank’s Web site to pay their bills. The numbers are out there and could “leak” into cyberspace through something as innocent as employee error or as devious as intentional vandalism.
In addition, more than 40 states have enacted legislation requiring companies to notify customers if their personal information may have been compromised. Even in states where notification is not required by law, failure to notify an individual of a potential identity breach may result in severe civil, regulatory and legal liability costs as well as potential damage to a company’s reputation and loss of consumer confidence.
According to Forrester Research Senior Analyst Thomas Raschke, the cost of discovery and notification, which are typically required in every leak, is about $50 per lost record. For 20,000 lost records, this cost comes to $1 million. This is before any legal, public relations and lost customer costs.
According to Vispoli, some analysts put the cost per lost record at nearly $200, making the overall costs considerably higher.
Vispoli is responsible for designing and implementing new insurance and risk management products that respond to the changing vulnerabilities of Chubb’s customers around the world. An expert in cybersecurity-related issues, Vispoli is a highly sought speaker and author on the topic, with recent bylined articles appearing in various trade publications.
“The problem is that data leakage is an unknown until the event is realized,” she says. “You can’t insure something that’s unknown. A leakage could result in the ruining or damaging of someone’s reputation. You can’t insure that. But you can insure the monetary loss to an organization as the result of data leakage. And you can put plans into effect to prevent data leakage,” she says.
According to the Chubb executive, little has been done to put such plans into place. “It’s a leap that management has not yet taken. Management must come to realize that data leakage is an everyday occurrence at companies, probably their very own. We have not gotten past the education stage yet. Management must come to realize that data leakage is not just an IT problem but also a problem of corporate economics.
“Once that message gets across, then plans need to be implemented to minimize the economic impact,” Vispoli continues. “This is a heavy-duty issue, and I believe that, over the next year, we will be hearing and reading a lot more about it.”
Risk management strategy
We certainly will be if Timothy Sullivan, founder and executive chairman of the board of Fidelis Security Systems, has anything to say about it. Data leakage has become a cause célèbre for Sullivan and for his organization, which has put together a risk management approach designed to prevent such occurrences.
Sullivan is an entrepreneur with more than 20 years’ experience in building emerging technology companies in a variety of vertical markets. He founded Fidelis, an authority in “extrusion” prevention technology, in 2002 and ultimately secured $26 million in venture capital financing. Sullivan has set Fidelis on a course to disrupt the dominant paradigm in network security by changing the focus from “intrusion” mitigation to “extrusion” prevention, and he has become a key player in the development of the data leakage prevention (DLP) market.
“The fact is that most companies collect and hold personal data from employees and customers,” Sullivan says. “The way these companies handle that information and the way they safeguard it is of paramount importance to the company and the company’s employees and customers.
“Let’s say that a bank, nursing home, new car dealership or even a restaurant—any business that amasses information on customers, such as credit card numbers, Social Security numbers, addresses, telephone numbers—discovers that a breach has occurred that allows the information to move into cyberspace. Discovering and giving notice of a data leakage can be an expensive proposition,” he continues.
Sullivan says that in 2007, approximately 168 million sensitive data records—mostly customers’ or employees’ personal information—were lost or exposed, mostly through corporate errors. That translates into a cost of $8.4 billion for discovery and notification alone, he says. “Every two or three years, the volume of data in the enterprise doubles, creating the risk of ever-higher data leakage costs. The problem is not going to go away, so it must be dealt with.”
Sullivan maintains that Fidelis Security Systems’ XPS is “the only network security solution that operates at gigabit speeds to prevent the unauthorized network transfer of sensitive digital assets such as personal identity information, credit card data and intellectual property on all network channels.
“XPS detects rogue encryption and extends content security to corporate e-mail, Web mail, file transfer protocol, instant messaging and peer-to-peer communications,” says Sullivan. “The software also provides users with detailed forensic evidence about attempted digital asset extrusions, critical for the enforcement of internal policies, as well as compliance with laws regulating privacy and financial data integrity. Some of our customers are Boston College, the Pension Benefit Guaranty Corporation, the D.C. public schools and Barak ITC, a leading Israeli telecom.”
Sullivan says it’s high time that management recognizes the need to deal with data leakage. “Ninety-eight percent of computer investment today involves trying to prevent people from getting into a system. We believe some of that money would be well spent in trying to keep information from getting out.”