30 Mar 2012

Not waving but drowning

Last week, experts told the US Senate it was time to assume that American military networks have already been breached, and that ramping up traditional fortress features like firewalls, AV and gateway devices was effectively a waste of time. Dr. Kaigham Gabriel, head of the Defense Advanced Research Projects Agency (DARPA), compared current information and network protection efforts to treading water in the open ocean: all that blocking and locking does is slightly delay the inevitable.

This reality check dovetailed rather nicely with the release of Verizon’s annual Data Breach Investigations Report for 2012, which covered the 855 incidents and 174 million compromised records the company and its partners investigated in 2011. Hacking featured in 81 per cent of those breaches and accounted for 99 per cent of the stolen records; malware featured in 69 per cent of breaches and 95 per cent of the stolen records.

Hacking and malware have been exchanging places in the top three causes of data breach for years now. While there are plenty of tools out there doing a fine job of removing known threats using established methodologies, it’s becoming abundantly clear that this, on its own, is not enough to protect valuable information assets from falling into the wrong hands.

The reality is that focusing solely on inbound threats is outdated. As Dr. James Peery, head of the Information Systems Analysis Center at the Sandia National Laboratories in the US, puts it, “We’ve got the wrong mental model here.” It’s time to focus on the content, not just the threat; controlling access is all well and good, but protecting the information itself is paramount.

If there’s one thing that the Data Breach Report underlines, it’s the reality that data theft and leakage come in a variety of flavours and vectors. Traditional, threat-focused methods are the equivalent of shooting in the dark. In today’s environment, it makes far more sense to protect your content and monitor it in the context of how you need to do business.

Knowing where and how your information is used and understanding the context within which users communicate empowers you to extract maximum value without putting information at risk.

Letting AV and threat-detection policies define your information protection stance is not only outdated, as 2011’s data leakage statistics suggest; on its own, it cannot protect your data. It’s time to stop treading water and start swimming.

Nick Peart

27 Feb 2012

A New Angle on Content Control

In most US industry sectors, companies with 1,000 or more employees store, on average, more data than the U.S. Library of Congress; approximately 293 billion emails are exchanged globally every day, while Facebook users share 30 billion pieces of content every month.

No one said information management and protection was easy. It’s human nature to want to break things down into more manageable pieces, but reducing data control and protection to an inbound threat issue is a classic case of shooting alligators when what you’re really there to do is drain the swamp.

Managing information in today’s business environment has become increasingly complex, and data leakage is a critical issue for CIOs. Companies are hitting the headlines for all the wrong reasons, and human error is one of the biggest culprits. With many organisations focusing on inbound threats, there’s a genuine risk that vulnerability inside company walls will be overlooked. As Deloitte’s 2011 Global Security Survey has pointed out, “external attacks get most of the headlines, but internal security risks are just as onerous.”

It’s time for a new angle on content control.

Communications tools like email and social media have become an almost reflexive thing for end users – combined with easy access to sensitive information, it’s a heady mix that can spell trouble for those charged with preserving the integrity and security of data. Stopping and blocking might seem like the easiest route to take, but this doesn’t reflect the realities of the way we communicate and do business today. To really protect organisational IP and other high-value information assets, monitoring the data leaving the network is just as important as watching what’s coming in.

There’s no patch for irresponsible or careless behaviour, but you can control the consequences. Technology that recognises the difference between an innocent Tweet and potentially damaging data sharing can be automated to prevent users from engaging in risky behaviours without cramping their style as ambassadors for the company brand online. Similarly, context-aware content controls can help guard against accidental data leakage via email – either through automating the decision to encrypt any data that meets specific organisational requirements or inserting an extra “Are you sure you want to send that?” step into the email process when certain kinds of information are being shared.

As companies increasingly understand that inside risk is as serious a concern as outside threats, context-aware content management plays a key role in ensuring that threat doesn’t impede your capacity to communicate and get on with business. Tackling the obvious risks – i.e. shooting alligators – without addressing the broader issues of information explosion and human error (the swamp) is setting yourself up for failure. Sooner or later, you’re going to run out of bullets. And the swamp will still be there.

Alyn Hockey

17 Feb 2012

The information management payoff

If Metcalfe’s Law shows that the value of a communications network grows with the square of the number of connected users, Murphy’s Law suggests it’s only a matter of time before one of those connected users does something to compromise the integrity of the information being exchanged.

One significant lesson to be learned from any data breach incident is the high cost of human error. In too many cases, failure to comply with information privacy legislation or the leaking of sensitive data boils down to an organisation’s failure to get a firm grip on exactly who is handling its data, and why.

Incredible as it may seem, many organisations seem to have tighter control over the processes for re-stocking their global stationery cupboards than they do for how, when, why and by whom sensitive information should be used and shared. Small wonder, then, that CompTIA’s IT Security in the Workforce study found that one in five organisations say they ‘definitely’ experienced sensitive data loss in 2011, with 32 per cent saying it was ‘likely’ that they had done so.

Nailing down all your company’s information seems like an onerous task. But there are simple steps any organisation can take to reduce the risk of human error without shutting down communications. In the case of misdirected email, a leading cause of data leakage, organisations can use deep content inspection and true file type analysis (identifying an attachment by its content rather than by the extension the sender gave it) to establish what is really being sent and how sensitive it is before allowing it to be exchanged. Based on company-defined policies and settings, certain types of information can then be encrypted automatically, without requiring any intervention by the user.

Organisations can take the extreme approach of configuring email gateways to quarantine all outbound email, forcing users to think twice before and after they’ve hit the send button. Or they can inject flexible controls into the equation and only quarantine mails that match specific criteria, such as those with attachments, messages containing credit card numbers or going to certain addresses. By diverting potentially sensitive content to a personal message manager portal, senders can review messages, releasing them only when they’re absolutely certain it’s appropriate.
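The controls described in this post and in “A New Angle on Content Control” above (true file type analysis, automatic encryption of content that matches policy, and quarantining mail that meets specific criteria) can be sketched as a small gateway-side check. The code below is an added example, not Clearswift’s product code: the magic-byte signatures, the card-number pattern with its Luhn check, the denied-domain list, the disposition rules and the sample message are all assumptions constructed for illustration.

```python
"""Gateway-side outbound mail check: true file type analysis, content
inspection for card numbers, and a rule-based disposition.
Added example, not Clearswift code; signatures, rules, thresholds and the
sample message are constructed assumptions."""
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# True type comes from the leading bytes, never from the filename extension.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",         # also docx/xlsx/pptx (zip containers)
    b"\xd0\xcf\x11\xe0": "ole2",  # legacy .doc/.xls/.ppt
    b"MZ": "exe",                 # Windows executable
}
EXT_FOR = {"pdf": {"pdf"}, "zip": {"zip", "docx", "xlsx", "pptx"},
           "ole2": {"doc", "xls", "ppt"}, "exe": {"exe", "dll"}}
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def true_file_type(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so phone numbers and IDs that look like cards are ignored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    found = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return [d for d in found if luhn_ok(d)]


def evaluate(msg: Message, deny_domains=("competitor.example",)) -> dict:
    """Inspect recipients and every MIME part; return the gateway's decision."""
    findings, cards = [], []
    for header in ("To", "Cc"):
        for addr in (msg.get(header) or "").split(","):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] in deny_domains:
                findings.append(("denied_recipient", addr))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if name:
            kind = true_file_type(payload)
            ext = name.rsplit(".", 1)[-1].lower()
            if kind == "exe":
                findings.append(("executable", name))
            if kind != "unknown" and ext not in EXT_FOR[kind]:
                findings.append(("type_mismatch", f"{name} is really {kind}"))
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            cards += find_card_numbers(payload.decode(charset, "replace"))
    # Anything needing a human decision is held for the sender to review;
    # sensitive but legitimate content is encrypted with no user action.
    action = "quarantine" if findings else "encrypt" if cards else "release"
    return {"action": action, "findings": findings, "cards": cards}


def check_raw(raw: str) -> dict:
    """Entry point for a raw RFC 822 message as the gateway receives it."""
    return evaluate(message_from_string(raw))


def build_sample(disguised_exe: bool = False) -> str:
    """Constructed outbound message (not a real capture) as raw RFC 822 text."""
    msg = MIMEMultipart()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@partner.example"
    msg["Subject"] = "Q1 figures"
    msg.attach(MIMEText("Hi Bob, the card on file is 4111 1111 1111 1111; "
                        "call 01234 567890 if the PDF will not open.\n"))
    pdf = MIMEApplication(b"%PDF-1.4\n%constructed\n", _subtype="pdf")
    pdf.add_header("Content-Disposition", "attachment", filename="report.pdf")
    msg.attach(pdf)
    if disguised_exe:  # a Windows executable renamed to .pdf
        bad = MIMEApplication(b"MZ\x90\x00\x03\x00" + b"\x00" * 32, _subtype="pdf")
        bad.add_header("Content-Disposition", "attachment", filename="invoice.pdf")
        msg.attach(bad)
    return msg.as_string()


if __name__ == "__main__":
    for flag in (False, True):
        print(check_raw(build_sample(flag)))
```

Order matters in the decision: anything that needs a human judgement (a renamed executable, a recipient on the denied list) is held for the sender to review, while a message that is merely sensitive is encrypted and sent without bothering the user. A production gateway would also open archives and Office containers before looking inside them; this sketch only checks the leading bytes of each attachment and the text parts.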

These approaches do add an extra step to the email sending process, but it’s a short one and the payoffs in terms of data protection are significant. As the UK’s Information Commissioner’s (ICO) head of enforcement, Stephen Eckersley, has said, “One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient.”

Just this week, it was revealed that the ICO has issued over £1m in fines for data breaches since April 2010. The European Commission’s proposed data protection regulation, published in January 2012, would allow penalties of up to 2 per cent of global annual turnover for organisations that breach data rules. Globally, some of the world’s most respected brands have found themselves in the spotlight for all the wrong reasons; financial penalties aside, the reputational damage that follows in the wake of a data breach can linger long after any fine has been paid.

That’s a heavy price to pay for an errant click of the ‘attach file’ or ‘send’ button.

Nick Peart

6 Feb 2012

The human factor

News of a data breach at the UK’s Scotland Yard has pushed the issue of data management and control back into the public eye. The Yard admitted accidentally sharing the personal email addresses of more than a thousand crime victims with other victims on its database. It was an easy mistake to make: in the course of sending a survey to 1,136 people, the addresses were put in the visible recipient field rather than in BCC, making every address visible to every recipient.

In a worst case scenario, the maximum penalty for a data breach in the UK is £500,000.

No one sets out to lose data, but a glance at some of the most recent incidents reveals a common thread: human error. At a time when organisations across sectors are under increasing pressure to meet the often competing demands of transparency, cost-effectiveness, privacy and collaboration, data leak incidents are in danger of undermining reputations, brands, revenues and business strategies. It’s a high price to pay for an accident, and if government privacy regulators are increasingly unforgiving of mistakes, customers, both existing and potential, are even less tolerant. According to research undertaken by the Ponemon Institute in October 2011, a data leak costs a minimum of 12 per cent of brand value; in some instances the loss approached 25 per cent as a direct result of a single incident. That is a heavy price to pay for an accident that could easily have been prevented.

Data loss prevention, web and email gateways, and strong, flexible policy-based encryption work in tandem with effective education and management policies to reduce the potential for costly human error. Encryption and decryption, for example, can be performed automatically and centrally within flexible policy parameters, without the need for user interaction.
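The Scotland Yard mistake above is one that a gateway can catch mechanically: count the external addresses in the To and Cc headers (the only recipient fields every recipient can see) and hold the message for the sender when the count is implausible for a personal email. This is an added example, not Clearswift code; the internal domain, the threshold of ten and the constructed survey messages are assumptions.

```python
"""Outbound check for a bulk mailing whose recipients sit in To/Cc, where each
one sees every other address, rather than in Bcc.
Added example, not Clearswift code; the internal domain, threshold and sample
messages are constructed assumptions."""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.police.uk"}  # assumed: the sending organisation
MAX_VISIBLE_EXTERNAL = 10                 # assumed policy threshold


def visible_external_recipients(raw: str) -> list:
    """Addresses every recipient will see, excluding the sender's own domains."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs
                   if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS})


def check_recipient_exposure(raw: str, limit: int = MAX_VISIBLE_EXTERNAL) -> dict:
    """Hold the message for sender review when too many outsiders can see each other."""
    exposed = visible_external_recipients(raw)
    held = len(exposed) > limit
    reason = (f"{len(exposed)} external addresses visible in To/Cc (limit {limit}); "
              "move them to Bcc or send individually") if held else ""
    return {"action": "hold" if held else "release",
            "visible_external": len(exposed), "reason": reason}


def sample_survey(use_bcc: bool) -> str:
    """Constructed survey mail to 12 external recipients (not a real capture)."""
    victims = ", ".join(f"victim{i}@mail{i % 4}.example" for i in range(12))
    if use_bcc:
        # What the gateway sees once the mail client has stripped Bcc:
        # only the sender's own mailbox remains visible.
        to_line = "To: Crime Survey <survey@example.police.uk>\n"
    else:
        to_line = f"To: {victims}\n"
    return (f"From: survey@example.police.uk\n{to_line}"
            "Subject: Victim satisfaction survey\n\n"
            "Please take a few minutes to complete the survey.\n")


if __name__ == "__main__":
    print(check_recipient_exposure(sample_survey(use_bcc=False)))
    print(check_recipient_exposure(sample_survey(use_bcc=True)))
```

The threshold is deliberately a policy setting rather than a hard block: a dozen people at one partner firm may be a legitimate distribution, so the sender reviews and releases instead of being refused outright. Addresses the sender placed in Bcc never appear in the transmitted headers, which is why the corrected message releases cleanly even though the gateway still delivers it to all 12 envelope recipients.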

This doesn’t mean limiting end users’ ability to share and communicate. Recognising sensitive content is important, but so is applying context to the data (who is sending it, to whom, and why) before deciding to encrypt, whether or not the end user has selected that option.

It’s all about striking a balance between risk and real-world working requirements – and making sure that human error doesn’t get in the way.

Alyn Hockey

2 Feb 2012

There's opportunity in difficulty

Faced with increased penalties and significant reputation damage for serious data or information compliance breaches, it’s hardly surprising to find data protection topping TechTarget's list of enterprise IT priorities in 2012.

Challenging times lie ahead for organisations that don’t adapt to the new risks and opportunities that come with new ways of communicating, but organisations that focus only on network security risk taking their eye off the ball. IT consumerisation, smart device proliferation, web-based services and workplace mobility all call for a data-centric approach to information management and protection.

Information is only as good as your ability to use it effectively; organisations looking to achieve high-quality data protection need to know, manage and understand the value of all the data entering and leaving their networks, as well as how it’s being used and by whom. The organisations that meet this challenge will be the ones that are most able to make effective use of their data while mitigating the risks inherent in information exchange.

To this end, more traditional, network-based data protection approaches should be implemented in tandem with contextual information management systems. This allows organisations to control their data and put it to work at the same time, without impeding its flow. Stopping and blocking might seem like the easiest route to take, but it simply isn’t up to the task and doesn’t reflect the technological realities of the way we do business today, or in the future.

Alyn Hockey

21 Dec 2011

Know who’s naughty or nice this Christmas

With various retail bodies reporting a recession-busting increase in online Christmas sales this year, there’s a good chance your employees are scoring some of their best deals from the office desk.

To be fair, figures from Sage Pay suggest it’s all happening over lunch time, but it does underline the blurring line between home and work life that our WorkLifeWeb research has been picking up in recent years. Employees increasingly expect to be trusted to undertake personal tasks at work – and our research shows that blocking personal browsing or social media use in the workplace has the unwanted side-effect of eroding employee job satisfaction and sense of trust.

The really interesting thing is that while most organisations cite security concerns as a key driver behind blocking web access, many studies have found that blocking can expose organisations to greater vulnerability, as employees look for ways to circumvent the rules, either by using their own, unsecured devices or finding workarounds for acceptable usage policies.

It doesn’t have to be that way. Flexible policies help businesses to solve the security-communications dilemma, allowing them to give staff the kind of web access they need without having to worry about data loss or brand damage. Highly granular policies mean companies can allow employees to access Facebook, Twitter, LinkedIn, YouTube or any other web site without having to worry about them posting damaging or sensitive information or downloading malware, spyware or other web-based nasties, such as the pre-Christmas phishing sites masquerading as popular stores that seem to multiply at this time of year.

Evolving technologies, business and employee needs are forcing organisations to re-think their data security strategies. Flexible policies can help find the right balance between open communications and strong security without undermining employee relations.

Richard Turner

29 Nov 2011

New chapters, new challenges, new growth.

With cybercrime now one of the top four economic crimes facing governments and companies globally, and a quarter of all economic crime committed in the past year being cyber-based, the need for a stronger information security strategy and greater awareness has never been more pressing.

The UK Government’s recent announcement of strategies and initiatives to safeguard critical infrastructure and systems is a welcome indicator of the shape of things to come, as information security climbs rapidly up the corporate and government agenda. The UK Government's announcement of a pilot programme to bolster co-operation between state and private information security professionals, along with the proposed establishment of a cyber crime unit within the National Crime Agency by 2013 are very welcome developments.

Today, key industry figures have gathered in London for the Cyber Security Summit. At a time when the online rules of engagement are changing and governments and businesses around the world are looking to meet challenges head-on, it's clear that the information security market is set for significant growth over the coming years. Exciting times lie ahead for the industry, and Clearswift is very excited to announce the beginning of a new chapter for us, following our acquisition by mid-market growth investor Lyceum Capital.

The deal will allow Clearswift to increase our focus on content-aware security solutions as well as broaden our software range, acquire further technical capabilities and develop our geographical reach.

As part of this new chapter, we welcome highly experienced software entrepreneur and former CEO of IRIS Software, Martin Leuw, as our new Chairman. Under Martin's leadership, IRIS grew in value from £30m to £500m in 10 years, becoming one of the UK's largest privately-owned technology companies. Martin is joined on our board by Lyceum Partners Jeremy Hand and David Harland.

Clearswift will be gaining some exceptional experience and knowledge to support the business through the next phase of growth, and we're looking forward to a bright future. Our heritage in content inspection and flexible policies, backed up with excellent service, makes us exceptionally well positioned to meet customer needs in a world where social media and web technologies are rapidly transforming the way we all do business.


Richard Turner

24 Nov 2011

The data explosion should drive flexible IT policies

I read a fascinating fact last week. Apparently 90% of the world’s data has been created in the last two years alone.

Incredible. But actually not as surprising as it first appears when you think about the massive growth in online and social networking over recent years. As a widely adopted consumer trend, such technologies have inevitably infiltrated the business world; becoming a highly valuable and living, breathing part of many organisations.

But this data overload presents its own challenges. A recent article in Computer Business Review discussed the needs of a company’s marketing department regarding social media access. The marketing department is often one of the biggest supporters of social media in the workplace; at its most basic level it provides an ideal platform to engage with a wider range of customers and contacts. But at the same time marketing can also be the department with the most challenging task, ensuring the company’s reputation and brand are safeguarded and protected.

Flexible policies combined with security technology can go a long way towards helping address these issues. Overarching stop and block policies for social media not only cut off a valuable way of communicating with customers, partners and, of course, colleagues but it also prevents some departments from carrying out their roles to their fullest potential.

Flexibility is the key to social media success for businesses. It supports productivity, maintains staff morale and also helps ensure that where there are instances of malicious or accidental data leakage, safeguards are in place to protect the brand.

Flexibility is often needed on a department by department basis. Clearswift solutions allow for rules to be tailored right down to employee level and it’s even possible to enable time quotas and rules for specific websites and services. This allows individual departments, such as the marketing team, the freedom to allow communication in precisely the way they need while maintaining administrative simplicity.
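The kind of granular policy described here and in “Know who’s naughty or nice this Christmas” (rules scoped to a department or to a single employee, with time quotas for particular categories of site) comes down to two mechanisms: the most specific matching rule wins, and quota use is accounted per user per day. The following is an added example, not Clearswift’s product code; the directory lookup, the categories, the rules and the quotas are assumptions constructed for illustration.

```python
"""Granular web-access policy: rules scoped to one user, a department or
everyone, most specific rule wins, with optional per-day time quotas.
Added example, not Clearswift code; directory, categories, rules and quotas
are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

DEPARTMENT = {"alice": "marketing", "bob": "finance"}  # assumed directory lookup


@dataclass(frozen=True)
class Rule:
    category: str                     # e.g. "social", "video", "phishing"
    action: str                       # "allow" | "block" | "quota"
    user: Optional[str] = None        # applies to one employee only
    department: Optional[str] = None  # applies to one department
    minutes_per_day: int = 0          # used only when action == "quota"

    def specificity(self) -> int:
        """Per-user beats per-department beats company-wide."""
        return 2 if self.user else 1 if self.department else 0


class WebPolicy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.used = {}  # (user, day, category) -> minutes consumed

    def matching_rule(self, user: str, category: str) -> Optional[Rule]:
        dept = DEPARTMENT.get(user)
        candidates = [r for r in self.rules if r.category == category
                      and (r.user is None or r.user == user)
                      and (r.department is None or r.department == dept)]
        return max(candidates, key=Rule.specificity, default=None)

    def decide(self, user: str, category: str, day: str, minutes: int = 1) -> str:
        """Return 'allow' or 'block'; quota use is recorded only when allowed."""
        rule = self.matching_rule(user, category)
        if rule is None or rule.action == "block":
            return "block"  # default deny for categories nobody has opened up
        if rule.action == "allow":
            return "allow"
        key = (user, day, category)
        if self.used.get(key, 0) + minutes > rule.minutes_per_day:
            return "block"  # today's quota would be exceeded
        self.used[key] = self.used.get(key, 0) + minutes
        return "allow"


def sample_policy() -> WebPolicy:
    """Constructed rule set: company-wide quotas with two targeted exceptions."""
    return WebPolicy([
        Rule("business", "allow"),
        Rule("social", "quota", minutes_per_day=30),       # everyone: 30 min/day
        Rule("social", "allow", department="marketing"),   # marketing: unlimited
        Rule("video", "quota", minutes_per_day=15),
        Rule("video", "block", user="bob"),                # one employee exception
        Rule("phishing", "block"),
    ])


if __name__ == "__main__":
    policy = sample_policy()
    for user, cat in (("alice", "social"), ("bob", "social"), ("bob", "video")):
        print(user, cat, policy.decide(user, cat, "2011-12-01", minutes=20))
```

Default deny for an unmatched category keeps a thin rule set from silently opening everything, and because precedence is decided by specificity rather than by list order, the marketing exception overrides the company-wide social quota only for that one category; adding an exception for one team never disturbs the rules that apply to anyone else.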

If businesses are to capitalise fully on the benefits of social media, they must adopt a flexible policy approach that goes hand in hand with investment in staff training and education around acceptable use and information security issues. Too often, policy is only ever referred to when something goes wrong – when it’s too late. Staff across the whole of the business must be fully aware of policy, understand the rules and, most importantly, why those rules exist.

Nick Peart

16 Nov 2011

Bend or break: CIOs must become more flexible

With 91 per cent of business leaders saying security concerns are hindering new technology adoption, it’s interesting to note Gartner’s recent call for increased flexibility and adaptability among CIOs struggling to cope with the consumerisation of IT in the workplace.

As CIOs face mass mobility and a proliferation of employee-owned devices in the workplace, Gartner analysts are saying that, rather than stick your head in the sand and hope the challenges go away, it’s time for companies to accept reality and adapt their security policies to deal with it. Gartner vice president Nick Jones has said that CIOs need to ‘explore new ways to provide, fund and manage mobile devices to allow employees more choice and support BYO (‘bring your own’) programmes.’

Faced with the inevitable, Gartner envisages four possible management styles emerging among CIOs attempting to deal with consumerisation: control-oriented, choice-oriented, innovation-oriented and hands-off. Of these, the innovation-oriented approach resonates the most with me. According to Gartner, organisations taking this approach empower users to exercise more control over their devices and applications, using a strong policy orientation to ensure responsible behaviour. The business doesn’t wash its hands of responsibility for critical issues; it does, however, foster a usage philosophy under which policy dictates technology, not the other way around.

Education and communication play key roles in achieving this mentality. Rather than operating at a remove from the rest of the business, CIOs should engage with and work with staff, proactively educating them about the risks associated with device proliferation – and facilitating the behaviour changes needed to make things work securely. Blocking won’t make the challenges go away, but will ensure you never really find solutions that work for your business.

Policy, not policing will allow those 91 per cent of business leaders to truly innovate and evolve in step with emerging technologies and services.

Nick Peart

1 Nov 2011

Good fences make good neighbours

It’s not that long since I wrote a blog post bemoaning Australia’s privacy laws as ‘toothless tigers’, pointing to our country’s lack of mandatory disclosure legislation as an ongoing challenge for information security. As such, I welcome Home Affairs Minister Brendan O’Connor’s recent announcement that disclosure and privacy reforms could be fast-tracked - if the department was presented with evidence that enterprise information security was inadequate. For all that, I’ll be keeping the bubbly on ice for the time being...

While I do welcome the prospect of reforms that feel like they’ve been in the discussion stages forever finally seeing the light of day, you have to question the adequacy of a process that calls on those with the most to lose to own up to their failings so you can expedite the process by which they’ll be penalised.

The Australian Law Reform Commission first published its recommendations for data breach notification legislation back in 2008. And with public consultation for the privacy reforms ending on November 3rd, it’s hard not to be cynical and wonder whether we’re looking at another long period of talk with little in the way of action. Meanwhile, SC Magazine reports that security specialists claim the scale of Australia’s data theft problem goes well beyond anything our government or even the local media know about.

Australians were first asked to consider whether privacy was a legal right back in 1937. On that occasion, Chief Justice Latham said that “Any person is entitled to look over the plaintiff’s fence and to see what goes on in the plaintiff’s land. If the plaintiff desires to prevent this, the plaintiff can erect a higher fence.”

All well and good when few homes had even a telephone, but in a digital age, it’s increasingly difficult for individuals to erect higher fences around all the personal data they’re obliged to submit for even the simplest of day-to-day tasks. Financial services verification routinely involves the furnishing of further identifying details, from passports to driving licences, place of work, payroll numbers, even your mother’s maiden name. And while logic says the onus for building adequate fencing around that data lies with the organisation that holds it, the law suggests otherwise – and the absence of any clear mandatory penalty underlines a highly unsatisfactory state of play.

While we’ve been strolling towards a solution, it’s not only technology that’s outstripping us; other countries and regions such as the EU and US have implemented some major changes in recent years, where prompt responses and fines for data breaches are the standard minimum requirement to keep organisations of all kinds on their toes.

Data breaches are, sadly, inevitable. It’s impossible to prevent an employee from accidentally leaving sensitive paperwork on public transport, for example. But there are still some practical solutions. In the first instance, it’s important that legislation is in place; after that, it’s ultimately up to businesses to take responsibility for themselves by taking practical steps to educate employees and create visible security across the organisation. Businesses should apply visible security strategies, informing users of policies, using tools to remind staff of what constitutes a breach and enabling managers to get a better handle on their data and where it is.

Businesses in Australia are playing their part, but more certainly needs to be done when it comes to legislation and education. As of April this year, twice as many breaches were reported compared to 2010. The law needs to be reinforced and reviewed to accelerate post-breach actions so that companies can take responsibility and put solutions in place. The time for talk has passed.

Phil Vasic
