Senior managers may often have come across instances where a bid has been lost by a narrow margin,
a competitor has released a similar-looking product, or a trade secret has been patented by the
competition. These incidents are neither isolated, nor as coincidental as they may appear. Lack of
reporting, hush-ups, or failure to detect the real causes, are some of the reasons why such
incidents are not in the limelight. But these incidents result in a loss of business plans, product
designs, commercial information and even the customer’s private information like credit card data.
Besides the financial loss, stolen information is often used for blackmail or to damage the
reputation of the company.
The problem arises because it is difficult to
Solutions to secure unstructured data are not easy to implement due to various factors. However,
the problem can be contained by implementing the steps outlined below.
Identify critical unstructured information assets
The value of an information asset depends on its nature and relevance at a point in time. For
example, a copy of a proposal prior to bid opening is more valuable than the same information
post-bid opening. The top 10 ongoing proposals may constitute 80% of an organization’s business,
and are therefore more valuable than other proposals. The first step to secure unstructured data
should be to profile what constitutes vital information assets, and the time at which they are
relevant (and therefore important). While it may not be possible to create a register for this
information, employees can be made to comply with information classification policies and specific
mechanisms can be set up to secure unstructured data.
Identify which employees possess critical unstructured data
Vital information assets are not in the possession of many employees. Critical unstructured data
usually remains with a few employees like senior management, secretaries, and other key personnel.
These may at best comprise 10% of an organization’s staff. Identification of employees who hold
vital data can help with targeted security safeguards. This will be more effective than a generic
widespread security program.
Implement separate technology and process controls to protect data assets
Technical and procedural safeguards for desktops and laptops can be enhanced for the identified key
employees. Safeguards to secure unstructured data should be a combination of procedural measures to
reduce the exposure of information to helpdesk staff, and technical countermeasures such as laptop
encryption and encrypted communication channels.
Set up a reporting mechanism to identify suspicious business losses
Market surprises such as lost deals and look-alike products should be carefully examined for the
possibility of information leaks, and for determining if a certain employee is a common factor in
more than one such occurrence. A confidential reporting mechanism backed by clear processes may
also help in identifying suspicious behavior in employees.
Use DLP or email monitoring to monitor sensitive data
Monitoring of sensitive unstructured data is at best nascent. Use technologies such as email
monitoring and DLP for monitoring information flow to and from suspected employees.
Design training programs for targeted employees
Many employees do not understand risks that are unseen or occur over long periods of time. People
are also typically trusting of close colleagues. Develop training programs that deal specifically
with security risks related to unstructured information; the programs should be illustrative and
convey the benefits an employee can derive by taking precautions. For example, a lost proposal may
cost a salesperson his incentive.
Create a culture where it is not improper to refuse information on a need-to-know basis
Top management should lead in creating a security-aware culture among the identified key employees.
Often, people may share important documents because they feel others may be offended if refused
access. Information should be shared and circulated only on a need-to-know basis as this reduces
the exposure of unstructured data during circulation and storage.
About the author: Lucius Lobo is the director for security consulting at Tech Mahindra. He is a Certified Information Systems Security Professional (CISSP), with close to 18 years of experience in the communications and security industries. Over the last few years, Lobo has been responsible for providing thought leadership and consultancy in developing new security solutions for next generation telecom companies across the globe.
This was first published in December 2010
