The leaky corporation

2011-03-01 06:25:20

Companies and information

Digital information is easy not only to store but also to leak. Companies must decide what they really need to keep secret, and how best to do so

Feb 24th 2011 | from the print edition

IN EARLY February Hewlett-Packard showed off its new tablet computer, which it hopes will be a rival to Apple's iPad. The event was less exciting than it might have been, thanks to the leaking of the design in mid-January. Other technology companies have suffered similar embarrassments lately. Dell's timetable for bringing tablets to market appeared on a tech-news website. A schedule for new products from NVIDIA, which makes graphics chips, also seeped out.

Geeks aren't the only ones who can't keep a secret. In January it emerged that Renault had suspended three senior executives, allegedly for passing on blueprints for electric cars (which the executives deny). An American radio show has claimed to have found the recipe for Coca-Cola's secret ingredient in an old newspaper photograph. Facebook's corporate privacy settings went awry when some of the social network's finances were published. A strategy document from AOL came to light, revealing that the internet and media firm's journalists were expected to write five to ten articles a day.

Meanwhile, Julian Assange has been doing his best to make bankers sweat. In November the founder of WikiLeaks promised a megaleak early in 2011. He was said to be in possession of a hard drive from the laptop of a former executive of an unnamed American bank, containing documents even more toxic than the copiously leaked diplomatic cables from the State Department. They would reveal an ecosystem of corruption and "take down a bank or two".

"I think it's great," Mr Assange said in a television interview in January. "We have all these banks squirming, thinking maybe it's them." At Bank of America (BofA), widely thought to be the bank in question, an internal investigation began. Had any laptop gone missing? What could be on its hard drive? And how should BofA react if, say, compromising e-mails were leaked?

The bank's bosses and investigators can relax a bit. Recent reports say that Mr Assange has acknowledged in private that the material may be less revealing than he had suggested. Financial experts would be needed to determine whether any of it was at all newsworthy.

Even so, the WikiLeaks threat and the persistent leaking of other supposedly confidential corporate information have brought an important issue to the fore. Companies are creating an ever-growing pile of digital information, from product designs to employees' e-mails. Keeping tabs on it all is increasingly hard, not only because there is so much of it but also because of the ease of storing and sending it. Much of this information would do little damage if it seeped into the outside world; some of it, indeed, might well do some good. But some could also be valuable to competitors, or simply embarrassing, and needs to be protected. Companies therefore have to decide what they should try to keep to themselves and how best to secure it.

Trying to prevent leaks by employees or to fight off hackers only helps so much. Powerful forces are pushing companies to become more transparent. Technology is turning the firm, long a safe box for information, into something more like a sieve, unable to contain all its data. Furthermore, transparency can bring huge benefits. The end result will be more openness, predicts Bruce Schneier, a data-security guru.

From safe to sieve

When corporate information lived only on paper, which was complemented by microfilm about 50 years ago, it was much easier to manage and protect than it is today. Accountants and archivists classified it; the most secret documents were put in a safe. Copying was difficult: it would have taken Bradley Manning, the soldier who is alleged to have sent the diplomatic cables to WikiLeaks, years to photograph or smuggle out all the 250,000 documents he is said to have downloaded, assuming that he was not detected.

Things did not change much when computers first made an appearance in firms. They were used mostly for accounting or other transactions, known as "structured information". And they were self-contained systems to which few people had access. Even the introduction in the 1980s of more decentralised information-technology (IT) systems and personal computers (PCs) did not make much of a difference. PCs served at first as glorified typewriters.

It was only with the advent of the internet and its corporate counterpart, the intranet, that information began to flow more quickly. Employees had access to lots more data and could exchange electronic messages with the outer world. PCs became a receptacle for huge amounts of "unstructured information", such as text files and presentations. The banker's hard drive in Mr Assange's possession is rumoured to contain several years' worth of e-mails and attachments.

Now an even more important change is taking place. So far firms have spent their IT budgets mostly on what Geoffrey Moore of TCG Advisors, a firm of consultants, calls "systems of record", which track the flow of money, products and people within a company and, more recently, its network of suppliers. Now, he says, firms are increasingly investing in "systems of engagement". By this he means all kinds of technologies that digitise, speed up and automate a firm's interaction with the outer world.

Mobile devices, video conferencing and online chat are the most obvious examples of these technologies: they allow instant communication. But they are only part of the picture, says Mr Moore. Equally important are a growing number of tools that enable new forms of collaboration: employees collectively edit online documents, called wikis; web-conferencing services help firms and their customers to design products together; and smartphone applications let companies collect information about people's likes and dislikes and hence about market trends.

It is easy to see how such services will produce ever more data. They are one reason why IDC, a market-research firm, predicts that the "digital universe", the amount of digital information created and replicated in a year, will increase to 35 zettabytes by 2020, from less than 1 zettabyte in 2009 (see chart); 1 zettabyte is 1 trillion gigabytes, or the equivalent of 250 billion DVDs. But these tools will also make a firm's borders ever more porous. WikiLeaks is just a reflection of the problem that more and more data are produced and can leak out, says John Mancini, president of AIIM, an organisation dedicated to improving information management.

Two other developments are also poking holes in companies' digital firewalls. One is outsourcing: contractors often need to be connected to their clients' computer systems. The other is employees' own gadgets. Younger staff, especially, who are attuned to easy-to-use consumer technology, want to bring their own gear to work. They don't like to use a boring corporate BlackBerry, explains Mr Mancini.

The data drain

As a result, more and more data are seeping out of companies, even of the sort that should be well protected. When Eric Johnson of the Tuck School of Business at Dartmouth College and his fellow researchers went through popular file-sharing services last year, they found files that contained health-related information as well as names, addresses and dates of birth. In many cases, explains Mr Johnson, the reason for such leaks is not malice or even recklessness, but that corporate applications are often difficult to use, in particular in health care. To be able to work better with data, employees often transfer them into spreadsheets and other types of files that are easier to manipulate but also easier to lose control of.

Although most leaks are not deliberate, many are. Renault, for example, claims to be a victim of industrial espionage. In a prominent insider-trading case in the United States, some hedge-fund managers are accused of having benefited from data leaked from Taiwanese semiconductor foundries, including spreadsheets showing the orders and thus the sales expectations of their customers.

Not surprisingly, therefore, companies feel a growing urge to prevent leaks. The pressure is regulatory as well as commercial. Stricter data-protection and other rules are also pushing firms to keep a closer watch on information. In America, for instance, the Health Insurance Portability and Accountability Act (HIPAA) introduced security standards for personal health data. In lawsuits companies must be able to produce all relevant digital information in court. No wonder that some executives have taken to using e-mail sparingly or not at all. Whole companies, however, cannot dodge the digital flow.

To help them plug the holes, companies are being offered special types of software. One is called "content management". Programs sold by Alfresco, EMC Documentum and others let firms keep tabs on their digital content, classify it and define who has access to it. A junior salesman, for instance, will not be able to see the latest financial results before publication and thus cannot send them to a friend.

Another type, in which Symantec and Websense are the market leaders, is data loss prevention (DLP). This is software that sits at the edge of a firm's network and inspects the outgoing data traffic. If it detects sensitive information, it sounds the alarm and can block the incriminating bits. The software is often used to prevent social-security and credit-card numbers from leaving a company and thus make it comply with HIPAA and similar regulations.

A third field, newer than the first two, is "network forensics". The idea is to keep an eye on everything that is happening in a corporate network, and thus to detect a leaker. NetWitness, a start-up company, says that its software records all the digital goings-on and then looks for suspicious patterns, creating "real-time situation awareness", in the words of Edward Schwartz, its chief security officer.

There are also any number of more exotic approaches. Autonomy, a British software firm, offers "bells in the dark". False records (made-up pieces of e-mail, say) are spread around the network. Because they are false, no one should gain access to them. If somebody does, an alarm is triggered, as a burglar might set off an alarm breaking into a house at night.

These programs deter some leakers and keep employees from doing stupid things. But reality rarely matches the marketing. Content-management programs are hard to use and rarely fully implemented. Role-based access control sounds fine in theory but is difficult in practice. Firms often do not know exactly what access should be assigned to whom. Even if they do, jobs tend to change quickly. A field study of an investment bank by Mr Johnson and his colleagues found that one department of 3,000 employees saw 1,000 organisational changes within only a few months.

This leads to what Mr Johnson calls "over-entitlement". So that workers can get their jobs done, they are given access to more information than they really need. At the investment bank, more than 50% were over-entitled. Because access is rarely revoked, over time employees gain the right to see more and more. In some companies, Mr Johnson was able to predict a worker's length of employment from how much access he had. But he adds that if role-based access control is enforced too strictly, employees have too little data to do their jobs.

Similarly, DLP is no guarantee against leaks: because it cannot tell what is in encrypted files, data can be wrapped up and smuggled out. Network forensics can certainly show what is happening in a small group of people working on a top-secret product. But it is hard to see how it can keep track of the ever-growing traffic that passes through or leaves big corporate IT systems, for instance through a simple memory stick (which plugs into a PC and can hold the equivalent of dozens of feature-length films). "Technology can't solve the problem, just lower the probability of accidents," explains John Stewart, the chief security officer of Cisco, a maker of networking equipment.
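The DLP limitation described above, as an added example that is not part of the original article and not any vendor's product: a toy outbound-content inspector that blocks card and social-security-style numbers seen in cleartext, and reports a high-entropy payload as "uninspectable" instead of clean. The function names, the entropy threshold and the sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US social-security number in its usual written form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
ENTROPY_LIMIT = 7.0    # bits per byte; assumed threshold
MIN_OPAQUE_LEN = 256   # short payloads give unreliable entropy estimates


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment cards; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8 for encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def inspect_outbound(payload: bytes) -> dict:
    """Return a verdict plus masked findings for one outbound payload."""
    text = payload.decode("latin-1")  # lossless byte-to-char mapping
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    findings += [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    opaque = (len(payload) >= MIN_OPAQUE_LEN
              and shannon_entropy(payload) > ENTROPY_LIMIT)
    if findings:
        verdict = "block"
    elif opaque:
        # Content cannot be read, so "no findings" is not evidence of "clean".
        # Compressed media also lands here, so treat this as a triage flag.
        verdict = "uninspectable"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed samples (not real data).
CLEAR_MAIL = (b"Customer record\nCard: 4111 1111 1111 1111\n"
              b"SSN: 078-05-1120\nOrder ref 1234567890123\n")
HARMLESS = b"Lunch at noon? The quarterly slides are on the shared drive.\n" * 8
# Stand-in for an encrypted archive: deterministic pseudo-random bytes.
OPAQUE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    for name, data in [("clear", CLEAR_MAIL), ("harmless", HARMLESS),
                       ("opaque", OPAQUE_BLOB)]:
        print(name, inspect_outbound(data))
```

The 13-digit order reference is matched by the pattern but rejected by the checksum, which is how such tools keep false alarms down; the opaque blob produces no findings at all, which is why it needs its own verdict.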

Other experts point out that companies face a fundamental difficulty. There is a tension in handling large amounts of data that can be seen by many people, argues Ross Anderson, of Cambridge University. If a system lets a few people do only very simple things, such as checking whether a product is available, the risks can be managed; but if it lets a lot of people do general inquiries it becomes insecure. SIPRNet, where the American diplomatic cables given to WikiLeaks had been stored, is a case in point: it provided generous access to several hundred thousand people.

In the corporate world, to limit the channels through which data can escape, some companies do not allow employees to bring their own gear to work or to use memory sticks or certain online services. Although firms have probably become more permissive since, a survey by Robert Half Technology, a recruitment agency, found in 2009 that more than half of chief information officers in America blocked the use of sites such as Facebook at work.

Yet this approach comes at a price, and not only because it makes a firm less attractive to Facebook-using, iPhone-toting youngsters. More openness also creates trust, argues Jeff Jarvis, a new-media sage who is writing a book about the virtues of transparency, entitled "Public Parts". Dell, he says, gained a lot of goodwill when it started talking openly about its products' technical problems, such as exploding laptop batteries. "If you open the kimono, a lot of good things happen," says Don Tapscott, a management consultant and author: it keeps the company honest, creates more loyalty among employees and lowers transaction costs with suppliers.

More important still, if the McKinsey Global Institute, the research arm of a consulting firm, has its numbers right, limiting the adoption of systems of engagement can hurt profits. In a recent survey it found that firms that made extensive use of social networks, wikis and so forth reaped important benefits, including faster decision-making and increased innovation.

How then to strike the right balance between secrecy and transparency? It may be useful to think of a computer network as being like a system of roads. Just like accidents, leaks are bound to happen and attempts to stop the traffic will fail, says Mr Schneier, the security expert. The best way to start reducing accidents may not be employing more technology but making sure that staff understand the rules of the road and its dangers. Transferring files onto a home PC, for instance, can be a recipe for disaster. It may explain how health data have found their way onto file-sharing networks. If a member of the employee's family has joined such a network, the data can be replicated on many other computers.

Don't do that again

Companies also have to set the right incentives. To avoid the problems of role-based access control, Mr Johnson proposes a system akin to a speed trap: it allows users to gain access to more data easily, but records what they do and hands out penalties if they abuse the privilege. He reports that Intel, the world's largest chipmaker, issues speeding tickets to employees who break its rules.

Mr Johnson is the first to admit that this approach is too risky for data that are very valuable or the release of which could cause a lot of damage. But most companies do not even realise what kind of information they have and how valuable or sensitive it is. They are often trying to protect everything instead of concentrating on the important stuff, reports John Newton, the chief technology officer of Alfresco.

The WikiLeaks incident is an opportunity to improve information governance, wrote Debra Logan, an analyst at Gartner, a research firm, and her colleagues in a recent note. A first step is to decide which data should be kept and for how long; many firms store too much, making leaks more likely. In a second round, says Ms Logan, companies must classify information according to how sensitive it is. Only then can you have an intelligent discussion about what to protect and what to do when something gets leaked.

Such an exercise could also be an occasion to develop what Mr Tapscott calls a "transparency strategy": how closed or open an organisation wants to be. The answer depends on the business it is in. For companies such as Accenture, an IT consultancy and outsourcing firm, security is a priority from the top down because it is dealing with a lot of customer data, says Alastair MacWillson, who runs its security business. Employees must undergo security training regularly. As far as possible, software should control what leaves the company's network. "If you try to do something with your BlackBerry or your laptop that you should not do," explains Mr MacWillson, "the system will ask you: 'Should you really be doing this?'"

At the other end of the scale is the Mozilla Foundation, which leads the development of Firefox, an open-source browser. Transparency is not just a natural inclination but a necessity, says Mitchell Baker, who chairs the foundation. If Mozilla kept its cards close to the chest, its global community of developers would not and could not help write the program. So it keeps secrets to a minimum: employees' personal information, data that business partners do not want made public and security issues in its software. Everything else can be found somewhere on Mozilla's many websites. And anyone can take part in its weekly conference calls.

Few companies will go that far. But many will move in this direction. The transparency strategy of Best Buy, an electronics retailer, is that its customers should know as much as its employees. Twitter tells its employees that they can tweet about anything, but that they should not do "stupid things". In the digital era of exploding quantities of data that are increasingly hard to contain within companies' systems, more companies are likely to become more transparent. Mr Tapscott and Richard Hunter, another technology savant, may not have been exaggerating much a decade ago, when they wrote books foreseeing "The Naked Corporation" and a "World Without Secrets".

mcji5os1 wrote:

Feb 24th 2011 8:43 GMT

Excellent article - sums it up well in two quotes:

(1) "Technology can't solve the problem, just lower the probability of accidents", and

(2) "The best way to start reducing accidents may not be employing more technology but making sure that staff understand the rules of the road and its dangers.", i.e. awareness

JollyRogerII wrote:

Feb 25th 2011 12:31 GMT

Companies need to realise that all their secrets will eventually get out if their competitors are serious enough about finding out about them whether it's by reverse engineering or by more insidious means. The only way to avoid this is by intellectual property i.e. patenting (which only buys you 20 years anyways) or by hiding the innovation/ playing down its significance. The latter route is probably easier.

robertxx74 wrote:

Feb 25th 2011 2:25 GMT

The best security is for employers to be nice to employees and treat them like valued members of a community rather than as spare parts for their big machine.

Dave Meizlik wrote:

Feb 25th 2011 3:15 GMT

Mr. Siegele does a great job in demonstrating some of the challenges to data protection in today's business world. Today's business is borderless: with mobile devices, smartphones, and tablet and cloud computing. When you add in the online social behaviors and practices of the most recent generation to enter the workforce, you find yourselves at a crossroads, with perhaps differing expectations and understanding of privacy and what is acceptable to share. This is challenging organizations today more than ever before. A myopic approach to solving the problem can be dangerous. Shutting down access - a natural, gut reaction - will only create more obstacles and impede an organization's ability to operate at their peak capacity.

And though data loss over the Web is four times more likely than other types, a balance needs to be achieved between protecting what needs to be protected, while simultaneously allowing access to the Web tools and functions your employees are accustomed to.

Ultimately, the key to protecting assets and establishing effective security is to keep it simple and map to three primary points:

1. What is the data you want to protect?

2. What are your use cases for protecting it?

3. What is the value to you to protect it (to help determine investment and priority level)?

The potential of involuntary transparency of data becomes less of a concern when it is not critically sensitive data.

DLP, like every technology, needs to be mapped to your needs and be applied in a holistic approach to security in order to be effective. But if the WikiLeaks incident proved anything, it is that there is a demonstrable incentive for you to investigate your needs and the information you need to protect, and begin securing your sensitive assets.

You can read more on this topic here: http://community.websense.com/blogs/websense-insights/archive/2010/12/03/part-3-conclusion-what-the-wikileaks-org-release-really-means-for-you.aspx?smpid=pr

RCeloto wrote:

Feb 25th 2011 4:36 GMT

Very interesting article.

I think that most organizations overestimate the importance of secrecy of information.

I would suggest two rules of thumb for dealing with information access management:

Rule of thumb 1: information that is not from the organization (customers, suppliers, employees etc) should be kept secret by default. In this case, transparency should be the exception.

Rule of thumb 2: information that is from the organization (sales, expenses, cash etc) should be kept transparent. In this case, secrecy should be the exception.

I find it simple and practical.