Plug internal data leaks with an effective IG program.

Author: Phillips, John T.
Position: Cover story

Increasingly, employees are selling the "crown jewels" of their organization's proprietary information for a pittance. Organizations are scrambling for ways to reduce, if not eliminate, these internal threats. An effective information governance program can help.

The information security dangers of "surfing the Internet," downloading applications to smartphones, and opening e-mail are well known. Organizations expect network hackers, data thieves, scam artists, and phishers to act from external sources. But the unsettling truth is that data breaches often originate from individuals who operate from within.

New Technologies Not Always the Solution

Because organizations have used IT-based systems for more than 30 years, it would seem that common data protection mechanisms would protect them from data breaches. Although technical solutions like increasing network firewall capability or implementing better user access control systems might have addressed security risks in the past, today's environment is more challenging. Trends like employees using social media and their own devices for business produce evolving risks, making it more and more difficult for IT to address them.

Buying sophisticated new technologies is not necessarily the answer, either. Buying a new solution to control every new technology that enters the market or respond to information trends will break almost any IT department's budget. And many, if not most, security technology solutions today focus on external threats rather than risks that are embedded in every organization that has employees.

Unfortunately, such measures as data archiving, log-on procedures, disaster planning, and data encryption are not sufficient safeguards if employees fail to rigorously and properly practice them. Indeed, in Information Week's "2013 Strategic Security Survey" report published last June, 42% of respondents said "enforcing security policies" was their biggest information security challenge. (See Figure 1.)

One respondent said, "Shops doing security right have moved away from gimmicks to analyzing the core of every other business discipline: people." Further, 54% of respondents said that end-user security awareness training was their "most valuable security practice." (See Figure 2.)

Insider Threats Are Difficult Challenges

It was once possible for IT to focus most of its data security activities on the detection of inappropriate intrusions into computer networks based on external Internet protocol (IP) addresses or inappropriate data traffic on computer networks at certain times of the day. Today's mobile workforce and 24x7 workdays have made those parameters of network security less relevant.

IT departments dealing with huge volumes of data traffic must differentiate risks that occur from outside an organization from those that occur from within because internal breaches can pose much larger threats. Two recent high-profile cases illustrate this enormous...
