Organizations typically rank security as one of their top IT concerns, but companies still lose confidential customer information through security breaches, corporate negligence or even something as mundane as lost laptops. A major data breach can cost an organization millions of dollars in restitution, lost productivity, regulatory fines and brand equity, so companies regularly invest in protecting IT systems and the structured information in databases and applications.
Enterprises still seem to have turned a blind eye to the vulnerability that exists when information, in document and spreadsheet form, leaves the company via email and laptops. In most cases, the intent is innocent – for example, employees run reports from applications that contain customer accounts, financial information and intellectual property and keep those files on their laptops to review and analyze later. Nonetheless, if that laptop containing customer information gets lost, claims of innocent intentions are unlikely to satisfy the customers who have been put at risk through this hole in organizational security.
After reporting a data breach, losses in company valuation can be as high as four percent. A benchmarking study conducted by the Ponemon Institute found that average additional spending resulting from a single data breach reached $6.3 million in 2007 and the cost of lost business averaged $4.1 million. These costs can range from regulatory fines to litigation settlements to providing credit monitoring and identity theft protection services.
With such high-profile stakes, it is not surprising to see that IT isn't alone in defending against these security breaches – now legal counsel and executive management are taking part. In a poll of 118 legal counsels for U.S. organizations, IT was involved in crafting an information security policy in 33 percent of the organizations, but legal was involved in 30 percent, and company executives were involved in 19 percent.
The search for solutions to customer data loss can take an organization many places because there are many approaches. One approach is data loss prevention. This involves monitoring all content entering or leaving the organization through email and other protocols such as instant messaging. But there are other ways content can leave an organization, including thumb drives and laptops. Some organizations attempt to address this risk by taking measures such as banning thumb drives and iPods from the corporate environment. However, this approach does not address situations where content is legitimately shared outside an organization, such as planning documents shared with board members or financial information for mergers and acquisitions. And once that information is outside the perimeter, it is unprotected and can be shared – either intentionally or unintentionally.
Another approach to protecting document information involves encrypting documents and granting permissions that let authorized users view them, ensuring that even if a document is shared outside an organization, it is still protected from viewing by unauthorized users. More importantly, if the document is accidentally lost, as when it is on a lost laptop, it is not viewable by anyone who cannot log in as a legitimate user.
This approach, known as information rights management (IRM), provides many other benefits. One benefit is that the usage of the document can be controlled. For example, users may have permission to view the document but not to print it. Or, they may have viewing and printing permission but the contents of the document can't be copied to the clipboard.
IRM systems are becoming increasingly popular, but there are several issues to consider prior to their deployment. Aside from the obvious ability to maintain document security, the most important element is ease of use. From an administrative perspective, an IRM solution is typically easier to manage if user roles are automatically integrated with corporate directories rather than assigned at a per-user security level. It is also worth considering whether you want a system that enables security classes as opposed to forcing users to set security on a document-by-document basis. If you opt for the former, it's important not to provide too many security classes. Too many choices make the system unusable – if people can't quickly remember which class of information to assign, it slows down the work process and users often take the easiest and potentially less-secure way out.
IRM also provides additional benefits: It can provide an audit trail of usage. If a user opens a document, prints it, copies it – all of these steps are registered. Furthermore, information regarding the user location, such as IP address, is tracked, so it's possible to determine if these actions happened at home or in the office, or on a corporate laptop or a personal machine. This can be very useful evidence in case of litigation.
Another benefit of IRM is that it can help employees remain compliant with regulations by ensuring that they use only the latest information. When an employee opens a protected document, the system can check the document's version information and compare it to the latest version, downloading a more recent version if one is available. Consider an employee repairing an airplane or a car; the ramifications of not using the most recent repair information can be significant. Having an IRM system in place can be used in litigation to show that best practices are employed, ensuring that employees are using up-to-date information.
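The rights decision described in the preceding paragraphs (usage rights per security class, roles taken from a directory, an audit trail with IP address, and the version check) can be sketched as follows. This is an added illustration, not code from any IRM product; the security classes, groups, users, documents and addresses are constructed, and encryption and key release are reduced to the final allow decision.

```python
from dataclasses import dataclass, field

# Constructed policy: each security class maps directory groups to usage rights.
CLASS_RIGHTS = {
    "confidential": {"finance": {"view", "print"}, "board": {"view"}},
    "internal": {"employees": {"view", "print", "copy"}},
}
# Constructed directory: user -> groups (stands in for a corporate directory lookup).
DIRECTORY = {"alice": {"finance", "employees"}, "bob": {"board"}}


@dataclass
class RightsServer:
    latest: dict                          # doc_id -> (latest_version, security_class)
    audit: list = field(default_factory=list)

    def request(self, user, doc_id, version, action, ip):
        """Decide one usage request and record it, whether granted or not."""
        latest_version, sec_class = self.latest[doc_id]
        groups = DIRECTORY.get(user, set())   # unknown user -> no groups -> no rights
        rights = set()
        for group, granted in CLASS_RIGHTS[sec_class].items():
            if group in groups:
                rights |= granted
        if action not in rights:
            decision = "deny"
        elif version < latest_version:
            decision = "update_required"      # client must fetch the newer version first
        else:
            decision = "allow"                # a real system would release the content key here
        self.audit.append({"user": user, "doc": doc_id, "version": version,
                           "action": action, "ip": ip, "decision": decision})
        return decision


def demo():
    server = RightsServer(latest={"repair-manual": (3, "internal"),
                                  "q3-forecast": (1, "confidential")})
    results = [
        server.request("bob", "q3-forecast", 1, "view", "203.0.113.7"),
        server.request("bob", "q3-forecast", 1, "print", "203.0.113.7"),
        server.request("alice", "repair-manual", 2, "view", "10.0.0.15"),
        server.request("mallory", "q3-forecast", 1, "view", "198.51.100.9"),
    ]
    return results, server.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Denied and out-of-date requests are logged alongside granted ones, so the audit trail also records attempts by users who hold no rights to the document.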
Given the potential costs associated with lost customer data, unsecured unstructured information is the largest remaining vulnerability that most organizations need to address. And, while customer information has the largest average cost associated with its loss, IRM is not limited to customer information. In fact, it enables organizations to protect multiple types of unstructured information that have the potential to leave their organizations daily, including employee information such as resumes, reviews and insurance applications, and intellectual property like design plans or technical specifications. Equally important, it protects the information while keeping it easy to use.