2011-03-01 06:25:20
Companies and information
Digital information is easy not only to store but also to leak. Companies must
decide what they really need to keep secret, and how best to do so
Feb 24th 2011 | from the print edition
IN EARLY February Hewlett-Packard showed off its new tablet computer, which it
hopes will be a rival to Apple s iPad. The event was less exciting than it
might have been, thanks to the leaking of the design in mid-January. Other
technology companies have suffered similar embarrassments lately. Dell s
timetable for bringing tablets to market appeared on a tech-news website. A
schedule for new products from NVIDIA, which makes graphics chips, also seeped
out.
Geeks aren t the only ones who can t keep a secret. In January it emerged that
Renault had suspended three senior executives, allegedly for passing on
blueprints for electric cars (which the executives deny). An American radio
show has claimed to have found the recipe for Coca-Cola s secret ingredient in
an old newspaper photograph. Facebook s corporate privacy settings went awry
when some of the social network s finances were published. A strategy document
from AOL came to light, revealing that the internet and media firm s
journalists were expected to write five to ten articles a day.
Meanwhile, Julian Assange has been doing his best to make bankers sweat. In
November the founder of WikiLeaks promised a megaleak early in 2011. He was
said to be in possession of a hard drive from the laptop of a former executive
of an unnamed American bank, containing documents even more toxic than the
copiously leaked diplomatic cables from the State Department. They would reveal
an ecosystem of corruption and take down a bank or two .
I think it s great, Mr Assange said in a television interview in January. We
have all these banks squirming, thinking maybe it s them. At Bank of America
(BofA), widely thought to be the bank in question, an internal investigation
began. Had any laptop gone missing? What could be on its hard drive? And how
should BofA react if, say, compromising e-mails were leaked?
The bank s bosses and investigators can relax a bit. Recent reports say that Mr
Assange has acknowledged in private that the material may be less revealing
than he had suggested. Financial experts would be needed to determine whether
any of it was at all newsworthy.
Even so, the WikiLeaks threat and the persistent leaking of other supposedly
confidential corporate information have brought an important issue to the fore.
Companies are creating an ever-growing pile of digital information, from
product designs to employees e-mails. Keeping tabs on it all is increasingly
hard, not only because there is so much of it but also because of the ease of
storing and sending it. Much of this information would do little damage if it
seeped into the outside world; some of it, indeed, might well do some good. But
some could also be valuable to competitors or simply embarrassing and needs to
be protected. Companies therefore have to decide what they should try to keep
to themselves and how best to secure it.
Trying to prevent leaks by employees or to fight off hackers only helps so
much. Powerful forces are pushing companies to become more transparent.
Technology is turning the firm, long a safe box for information, into something
more like a sieve, unable to contain all its data. Furthermore, transparency
can bring huge benefits. The end result will be more openness, predicts Bruce
Schneier, a data-security guru.
From safe to sieve
When corporate information lived only on paper, which was complemented by
microfilm about 50 years ago, it was much easier to manage and protect than it
is today. Accountants and archivists classified it; the most secret documents
were put in a safe. Copying was difficult: it would have taken Bradley Manning,
the soldier who is alleged to have sent the diplomatic cables to WikiLeaks,
years to photograph or smuggle out all the 250,000 documents he is said to have
downloaded assuming that he was not detected.
Things did not change much when computers first made an appearance in firms.
They were used mostly for accounting or other transactions, known as
structured information . And they were self-contained systems to which few
people had access. Even the introduction in the 1980s of more decentralised
information-technology (IT) systems and personal computers (PCs) did not make
much of a difference. PCs served at first as glorified typewriters.
It was only with the advent of the internet and its corporate counterpart, the
intranet, that information began to flow more quickly. Employees had access to
lots more data and could exchange electronic messages with the outer world. PCs
became a receptacle for huge amounts of unstructured information , such as
text files and presentations. The banker s hard drive in Mr Assange s
possession is rumoured to contain several years worth of e-mails and
attachments.
Now an even more important change is taking place. So far firms have spent
their IT budgets mostly on what Geoffrey Moore of TCG Advisors, a firm of
consultants, calls systems of record , which track the flow of money, products
and people within a company and, more recently, its network of suppliers. Now,
he says, firms are increasingly investing in systems of engagement . By this
he means all kinds of technologies that digitise, speed up and automate a firm
s interaction with the outer world.
Mobile devices, video conferencing and online chat are the most obvious
examples of these technologies: they allow instant communication. But they are
only part of the picture, says Mr Moore. Equally important are a growing number
of tools that enable new forms of collaboration: employees collectively edit
online documents, called wikis; web-conferencing services help firms and their
customers to design products together; and smartphone applications let
companies collect information about people s likes and dislikes and hence about
market trends.
It is easy to see how such services will produce ever more data. They are one
reason why IDC, a market-research firm, predicts that the digital universe ,
the amount of digital information created and replicated in a year, will
increase to 35 zettabytes by 2020, from less than 1 zettabyte in 2009 (see
chart); 1 zettabyte is 1 trillion gigabytes, or the equivalent of 250 billion
DVDs. But these tools will also make a firm s borders ever more porous.
WikiLeaks is just a reflection of the problem that more and more data are
produced and can leak out, says John Mancini, president of AIIM, an
organisation dedicated to improving information management.
Two other developments are also poking holes in companies digital firewalls.
One is outsourcing: contractors often need to be connected to their clients
computer systems. The other is employees own gadgets. Younger staff,
especially, who are attuned to easy-to-use consumer technology, want to bring
their own gear to work. They don t like to use a boring corporate BlackBerry,
explains Mr Mancini.
The data drain
As a result, more and more data are seeping out of companies, even of the sort
that should be well protected. When Eric Johnson of the Tuck School of Business
at Dartmouth College and his fellow researchers went through popular
file-sharing services last year, they found files that contained health-related
information as well as names, addresses and dates of birth. In many cases,
explains Mr Johnson, the reason for such leaks is not malice or even
recklessness, but that corporate applications are often difficult to use, in
particular in health care. To be able to work better with data, employees often
transfer them into spreadsheets and other types of files that are easier to
manipulate but also easier to lose control of.
Although most leaks are not deliberate, many are. Renault, for example, claims
to be a victim of industrial espionage. In a prominent insider-trading case in
the United States, some hedge-fund managers are accused of having benefited
from data leaked from Taiwanese semiconductor foundries, including spreadsheets
showing the orders and thus the sales expectations of their customers.
Not surprisingly, therefore, companies feel a growing urge to prevent leaks.
The pressure is regulatory as well as commercial. Stricter data-protection and
other rules are also pushing firms to keep a closer watch on information. In
America, for instance, the Health Insurance Portability and Accountability Act
(HIPAA) introduced security standards for personal health data. In lawsuits
companies must be able to produce all relevant digital information in court. No
wonder that some executives have taken to using e-mail sparingly or not at all.
Whole companies, however, cannot dodge the digital flow.
To help them plug the holes, companies are being offered special types of
software. One is called content management . Programs sold by Alfresco, EMC
Documentum and others let firms keep tabs on their digital content, classify it
and define who has access to it. A junior salesman, for instance, will not be
able to see the latest financial results before publication and thus cannot
send them to a friend.
Another type, in which Symantec and Websense are the market leaders, is data
loss prevention (DLP). This is software that sits at the edge of a firm s
network and inspects the outgoing data traffic. If it detects sensitive
information, it sounds the alarm and can block the incriminating bits. The
software is often used to prevent social-security and credit-card numbers from
leaving a company and thus make it comply with HIPAA and similar regulations.
A third field, newer than the first two, is network forensics . The idea is to
keep an eye on everything that is happening in a corporate network, and thus to
detect a leaker. NetWitness, a start-up company, says that its software records
all the digital goings-on and then looks for suspicious patterns, creating
real-time situation awareness , in the words of Edward Schwartz, its chief
security officer.
There are also any number of more exotic approaches. Autonomy, a British
software firm, offers bells in the dark . False records made-up pieces of
e-mail, say are spread around the network. Because they are false, no one
should gain access to them. If somebody does, an alarm is triggered, as a
burglar might set off an alarm breaking into a house at night.
These programs deter some leakers and keep employees from doing stupid things.
But reality rarely matches the marketing. Content-management programs are hard
to use and rarely fully implemented. Role-based access control sounds fine in
theory but is difficult in practice. Firms often do not know exactly what
access should be assigned to whom. Even if they do, jobs tend to change
quickly. A field study of an investment bank by Mr Johnson and his colleagues
found that one department of 3,000 employees saw 1,000 organisational changes
within only a few months.
This leads to what Mr Johnson calls over-entitlement . So that workers can get
their jobs done, they are given access to more information than they really
need. At the investment bank, more than 50% were over-entitled. Because access
is rarely revoked, over time employees gain the right to see more and more. In
some companies, Mr Johnson was able to predict a worker s length of employment
from how much access he had. But he adds that if role-based access control is
enforced too strictly, employees have too little data to do their jobs.
Similarly, DLP is no guarantee against leaks: because it cannot tell what is in
encrypted files, data can be wrapped up and smuggled out. Network forensics can
certainly show what is happening in a small group of people working on a
top-secret product. But it is hard to see how it can keep track of the
ever-growing traffic that passes through or leaves big corporate IT systems,
for instance through a simple memory stick (which plugs into a PC and can hold
the equivalent of dozens of feature-length films). Technology can t solve the
problem, just lower the probability of accidents, explains John Stewart, the
chief security officer of Cisco, a maker of networking equipment.
Other experts point out that companies face a fundamental difficulty. There is
a tension in handling large amounts of data that can be seen by many people,
argues Ross Anderson, of Cambridge University. If a system lets a few people do
only very simple things such as checking whether a product is available the
risks can be managed; but if it lets a lot of people do general inquiries it
becomes insecure. SIPRNet, where the American diplomatic cables given to
WikiLeaks had been stored, is a case in point: it provided generous access to
several hundred thousand people.
In the corporate world, to limit the channels through which data can escape,
some companies do not allow employees to bring their own gear to work or to use
memory sticks or certain online services. Although firms have probably become
more permissive since, a survey by Robert Half Technology, a recruitment
agency, found in 2009 that more than half of chief information officers in
America blocked the use of sites such as Facebook at work.
Yet this approach comes at a price, and not only because it makes a firm less
attractive to Facebook-using, iPhone-toting youngsters. More openness also
creates trust, argues Jeff Jarvis, a new-media sage who is writing a book
about the virtues of transparency, entitled Public Parts . Dell, he says,
gained a lot of goodwill when it started talking openly about its products
technical problems, such as exploding laptop batteries. If you open the
kimono, a lot of good things happen, says Don Tapscott, a management
consultant and author: it keeps the company honest, creates more loyalty among
employees and lowers transaction costs with suppliers.
More important still, if the McKinsey Global Institute, the research arm of a
consulting firm, has its numbers right, limiting the adoption of systems of
engagement can hurt profits. In a recent survey it found that firms that made
extensive use of social networks, wikis and so forth reaped important benefits,
including faster decision-making and increased innovation.
How then to strike the right balance between secrecy and transparency? It may
be useful to think of a computer network as being like a system of roads. Just
like accidents, leaks are bound to happen and attempts to stop the traffic will
fail, says Mr Schneier, the security expert. The best way to start reducing
accidents may not be employing more technology but making sure that staff
understand the rules of the road and its dangers. Transferring files onto a
home PC, for instance, can be a recipe for disaster. It may explain how health
data have found their way onto file-sharing networks. If a member of the
employee s family has joined such a network, the data can be replicated on many
other computers.
Don t do that again
Companies also have to set the right incentives. To avoid the problems of
role-based access control, Mr Johnson proposes a system akin to a speed trap:
it allows users to gain access to more data easily, but records what they do
and hands out penalties if they abuse the privilege. He reports that Intel, the
world s largest chipmaker, issues speeding tickets to employees who break its
rules.
Mr Johnson is the first to admit that this approach is too risky for data that
are very valuable or the release of which could cause a lot of damage. But most
companies do not even realise what kind of information they have and how
valuable or sensitive it is. They are often trying to protect everything
instead of concentrating on the important stuff, reports John Newton, the
chief technology officer of Alfresco.
The WikiLeaks incident is an opportunity to improve information governance,
wrote Debra Logan, an analyst at Gartner, a research firm, and her colleagues
in a recent note. A first step is to decide which data should be kept and for
how long; many firms store too much, making leaks more likely. In a second
round, says Ms Logan, companies must classify information according to how
sensitive it is. Only then can you have an intelligent discussion about what
to protect and what to do when something gets leaked.
Such an exercise could also be an occasion to develop what Mr Tapscott calls a
transparency strategy : how closed or open an organisation wants to be. The
answer depends on the business it is in. For companies such as Accenture, an IT
consultancy and outsourcing firm, security is a priority from the top down
because it is dealing with a lot of customer data, says Alastair MacWillson,
who runs its security business. Employees must undergo security training
regularly. As far as possible, software should control what leaves the company
s network. If you try to do something with your BlackBerry or your laptop that
you should not do, explains Mr MacWillson, the system will ask you: Should
you really be doing this?
At the other end of the scale is the Mozilla Foundation, which leads the
development of Firefox, an open-source browser. Transparency is not just a
natural inclination but a necessity, says Mitchell Baker, who chairs the
foundation. If Mozilla kept its cards close to the chest, its global community
of developers would not and could not help write the program. So it keeps
secrets to a minimum: employees personal information, data that business
partners do not want made public and security issues in its software.
Everything else can be found somewhere on Mozilla s many websites. And anyone
can take part in its weekly conference calls.
Few companies will go that far. But many will move in this direction. The
transparency strategy of Best Buy, an electronics retailer, is that its
customers should know as much as its employees. Twitter tells its employees
that they can tweet about anything, but that they should not do stupid things
. In the digital era of exploding quantities of data that are increasingly
hard to contain within companies systems, more companies are likely to become
more transparent. Mr Tapscott and Richard Hunter, another technology savant,
may not have been exaggerating much a decade ago, when they wrote books
foreseeing The Naked Corporation and a World Without Secrets .
mcji5os1 wrote:
Feb 24th 2011 8:43 GMT
Excellent article - sums it up well in two quotes:
(1) Technology can t solve the problem, just lower the probability of
accidents, and
(2) "The best way to start reducing accidents may not be employing more
technology but making sure that staff understand the rules of the road and its
dangers.", i.e. awareness
JollyRogerII wrote:
Feb 25th 2011 12:31 GMT
Companies need to realise that all their secrets will eventually get out if
their competitors are serious enough about finding out about them whether it's
by reverse engineering or by more insidious means. The only way to avoid this
is by intellectual property i.e. patenting (which only buys you 20 years
anyways) or by hiding the innovation/ playing down its significance. The latter
route is probably easier.
robertxx74 wrote:
Feb 25th 2011 2:25 GMT
The best security is for employers to be nice to employees and treat them like
valued members of a community rather than as spare parts for their big machine.
Dave Meizlik wrote:
Feb 25th 2011 3:15 GMT
Mr. Siegele does a great job in demonstrating some of the challenges to data
protection in today s business world. Today s business is borderless: with
mobile devices, smartphones, and tablet and cloud computing. When you add in
the online social behaviors and practices of the most recent generation to
enter the workforce, you find yourselves at a crossroads, with perhaps
differing expectations and understanding of privacy and what is acceptable to
share. This is challenging organizations are today more than ever before. A
myopic approach to solving the problem can be dangerous. Shutting down access -
a natural, gut reaction - will only create more obstacles and impede an
organizations ability to operate at their peak capacity.
And though data loss over the Web is four times more likely than other types, a
balance needs to be achieved between protecting what needs to be protected,
while simultaneously allowing access to the Web tools and functions your
employees are accustomed to.
Ultimately, the key to protecting assets and establishing effective security is
to keep it simple and map to three primary points:
1. What is the data you want to protect?
2. What are your use cases for protecting it?
3. What is the value to you to protect it (to help determine investment and
priority level)?
The potential of involuntary transparency of data becomes less of a concern
when it is not critically sensitive data.
DLP, like every technology, needs to be mapped to your needs and be applied in
a holistic approach to security in order to be effective. But if the WikiLeaks
incident proved anything, it is that there is a demonstrable incentive for you
to investigate your needs and the information you need to protect, and begin
securing your sensitive assets.
You can read more on this topic here: http://community.websense.com/blogs/
websense-insights/archive/2010/12/03/
part-3-conclusion-what-the-wikileaks-org-release-really-means-for-you.aspx?
smpid=pr
RCeloto wrote:
Feb 25th 2011 4:36 GMT
Very interesting article.
I think that most organizations overestimate the importance of secrecy of
information.
I would suggest to rules of thumb for dealing with information access
management:
Rule of thumb 1: information that is not from the organization (customers,
suppliers, employees etc) should be kept secret by default. In this case,
transparency should be the exception.
Rule of thumb 2: information that is from the organization (sales, expenses,
cash etc) should be kept transparent. In this case, secrecy should be the
exception.
I find it simple and practical.