
Info Leaks

by Msecadm4921

Adverse publicity and damage to customer trust resulting from the loss of confidential information are focusing the attention of senior executives on the dangers associated with information leakage, claims a new report from the Information Security Forum (ISF).

But the report released into the public domain (www.securityforum.org) also highlights that while the term ‘information leakage’ may be new, it is a problem that organisations have had to deal with for many years.

“While there are some new factors and challenges, it is really just a new name for an old problem,” says report author Andy Jones, senior research consultant at the ISF. “For large organisations a certain level of information leakage may be inevitable through unintentional actions, rather than malicious intent. What’s important is to focus resources on identifying and protecting high value data and increasing awareness of the risks.”

Information leakage, or ‘a breach in the confidentiality of information’, can take place at any vulnerable point in a company’s security system where data is being processed, transmitted, copied or stored, according to the ISF. Human error accounts for most information breaches, for example the loss of a laptop, sending a confidential email to the wrong address, or not providing sufficient protection to information in transit.

New high-profile vulnerabilities have also been introduced through the increase in high capacity storage devices such as USB keys or MP3 players and the growing popularity of social networking sites such as Facebook and MySpace. Employees can inadvertently place classified business information on these sites that may compromise someone’s identity, for example.

“Increasing risks, combined with recent high profile security breaches and the growing list of data protection and confidentiality regulations, from US breach notification laws to the Gramm-Leach-Bliley Act, have also helped information leakage reach the top of boardroom agendas,” says Jones.

The ISF briefing, normally only available to ISF members, has been released publicly to help organisations to identify specific threats and vulnerabilities that present the greatest risk. For example, data transmitted by a Virtual Private Network (VPN) has a very low degree of exposure compared to a standard internet connection or the spoken word. Storage is particularly vulnerable where data is stored on laptops, USB devices or home PCs. Printed papers are highlighted as presenting high levels of risk, but are often neglected and poorly protected.

The ISF briefing provides guidelines on how to identify and deal with, or avoid, information leakages through appropriate controls ranging from access control to laptop or USB encryption. A priority is also placed on educating and warning staff and third parties, to reduce incidents.

“Delivering the right message on information leakage is difficult and all too often is perceived as ‘we don’t trust you – therefore we will lock everything up’,” says Jones. “A balance should be established between protecting information and sharing it for business benefit. Information leakage is an old familiar problem, but it does appear to be enjoying a new lease of life.”

About the Information Security Forum

A not-for-profit international association of over 300 organisations, it funds and co-operates in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a research programme to create a library of reports, with information risk methodologies and tools available free to ISF members. The ISF Standard of Good Practice for Information Security 2007 has recently been published and is also available free to non-members at: