A very public library for very private documents

By Dr. Guy Bunker. 

A recent news story that made the Japan Time News particularly caught our interest at Clearswift. Confidential internal documents and materials of major Japanese companies, including the likes of Mitsubishi, Toyota and Honda, had been made available for public viewing at China’s Baidu library - a document-sharing website. Most significant is the fact that these documents were leaked by employees of the firms: most of the data had apparently been uploaded by employees of the companies’ joint venture affiliates or their customers. At the Baidu online library, users receive points for uploading content, which they can then use to download other documents from the site, although the site itself is completely open to anyone for browsing. As I’ve emphasized before, it’s the internal threat of people that can jeopardize the efforts of company data protection. In this case, while some of the uploads may have been done in good faith and with the best intentions, the chances are most were not.

The Japan External Trade Organization, which has already started a full investigation, called on domestic companies doing business in China to impose strict controls on internal data. The Ministry of Economy, Trade and Industry said it plans to gather information on the leaks, acknowledging there have been complaints. This reiterates the point in previous blogs, that creating a policy and instilling an ethos of internal data security is key. Despite such efforts, however, it seems futile to focus on the internal management process if they cannot be enforced with a suitable security solution. A Data Loss Prevention (DLP) solution could eliminate such incidents by constantly monitoring both email and web traffic for sensitive information and blocking its transmission to unauthorised recipients, including websites. Technology such as Adaptive Redaction can also be deployed to ensure that commercially sensitive content is removed before being communicated.

Part of the problem with the insider threat is identifying security anomalies since insiders have legitimate access to resources and information as part of their day-to-day job. You just have to look at WikiLeaks to realize this is true, even for governments. When malicious behavior is easily disguised as a usual work task, then the data itself needs to be secured and improved tracking and auditing put in place, not to mention tightening up on access controls – the era of ‘everyone has access’ has passed, organizations need to move towards the ‘need to know’, or ‘really, really need to know’ approaches that minimize the number of people with access and therefore the risk, rather than maximize both… we are back at WikiLeaks once more.

DLP solutions can also be combined with web based management and access control, which help both deter and track down malicious users. In many cases deterring the casual ‘data leak’ individual is all that is needed. For those who are determined, deployment of a solution with the ability to block and report malicious attempts makes a very strong statement to all concerned – including the regulators. After all, when an organizations internal data security is breached, the organizations’ information management ability is questioned and its credibility and reputation will be damaged – which will impact a business long after the breach has been rectified.