Enterprise Digital Rights Management
re: Who’s stealing your corporate information now?

I recently read an interesting blog post by Bill Blake of eDocument Sciences. While it made for fascinating reading, there is an irony to it, because a lot of organisations do not fully know the extent to which they are exposed to corporate espionage. Some organisations think that they are too small to be spied upon, while others cannot imagine the possibility of being spied upon. None of this really matters, because unless the organisation takes the right steps to protect its confidential data it is still vulnerable, and once vulnerable, its net worth is affected.

How to Prevent Data Security Leaks Caused by Human Error

I just read an interesting article on eWeek titled “How to Prevent Data Security Leaks Caused by Human Error” by Angel Mehta, the chief executive officer at Sterling-Hoffman Executive Search. Angel is an advocate for Enterprise Rights Management and explains why he has deployed this tool in his organisation to prevent data security leaks caused by human error. Make sure that you read the turning point for Angel under a case for ERM. As an idea, it would be good for executives considering Enterprise Rights Management to link up with him for advice, so they can get a thorough understanding of how best to deploy this security tool and whether it is the right tool for their organisation.

As a side note: the eWeek website is a typical example of how not to design a website. The clutter from ads and other information placed on this website is just unbelievable. I think eWeek could learn a few lessons from Google, Bing etc. on how to design a good website.

Oracle Information Rights Management Separation of Duties

This video presentation by Simon Thorpe demonstrates how Oracle IRM can allow IT to take control over the creation and definition of IRM classifications whilst allowing the business to manage them. This clear separation of duties is one of the important aspects of the Oracle IRM solution.

Gartner Paper Review: Enterprise Digital Rights Management

A few weeks ago I mentioned in one of my blog posts that Gartner has had its radar on Enterprise Rights Management. I also mentioned that I would review the 2 most recent papers on Enterprise Rights Management, and that is what I intend to do here by reviewing the first paper, published in May this year.

Enterprise Digital Rights Management by Eric Ouellet is a must-read paper for any organisation that is considering Enterprise Rights Management. It helps decision makers consider the implications of using Enterprise Rights Management to protect their intellectual property and how best to implement it. Eric starts off with the latest key findings about this security tool, in which he refers to the proprietary nature of current EDRM solutions, for which there are no industry-wide standards. This has benefits from my perspective, because it drives innovation for EDRM to become more user-friendly and helps reduce the total cost of ownership. There is something inherent about standards that slows the pace of innovation and development.

Seclore’s FileSecure Information Rights Management and Websense Data Loss Prevention Solution

In line with what many IT and security analysts have been predicting, Seclore Technology, a major player in the Enterprise Rights Management (ERM) marketplace, and Websense, a leading Data Loss Prevention (DLP) solution provider, have teamed up to provide an integrated solution that will help organisations protect their intellectual property and confidential data, as well as lower the total cost of ownership.

The integrated solution will enable companies to reduce the application of manual rights, as well as reduce cost and complexity, and ensure that policies are applied consistently and pervasively. As a result, customers will be able to automatically discover, tag, and protect confidential information within and outside of the enterprise.

A Strong Case for Enterprise Rights Management

In today’s world cyber-criminals are becoming more and more sophisticated. They know that businesses keep all kinds of confidential and sensitive data on their computer systems. From intellectual property to product designs, strategy documents, specification documents, customer records and bank details, all these have the potential to be monetized once accessed. A recent case is Daniel Houghton, a rogue MI6 agent who wanted to sell confidential documents to the Dutch intelligence services for £2M GBP ($3M USD).

Through Trojans and other forms of malware, a cyber-criminal can access business data indefinitely and undetected. This provides the criminal with an illegal revenue stream for a long period. 72 percent of British companies with 50-500 staff suffered an average of 15 incidents a year. Apart from this, employees make honest mistakes in the way they handle confidential data; an example is sending an email to the wrong recipient, see the Eli Lilly example.

IT security today has to extend beyond perimeter security i.e. erecting a firewall. The question is not if your firewall is breached, but when it is breached what measures have been taken to prevent criminals getting at your core company data. Endpoint security is core to any organisation that wants to make sure its confidential data stays within the business.

Enterprise rights management (ERM) software is an endpoint tool that manages and enforces information access policies and use rights of electronic documents within an enterprise; its development has been predicated on digital rights management (DRM) technology. Digital rights management (DRM) was developed to provide a systematic approach to copyright protection for digital content, generally by means of a suite of software employing the following technologies: identity/role management, privilege management, tamper-detection, cryptography and persistent security. Using Enterprise rights management, creators of digital content may assign rights to future users to take subsequent actions on that ERM-protected content (e.g., opening, printing, editing, copying, or forwarding the content).

2010 has seen an increase in uptake of enterprise digital rights management and analysts from Gartner, Forrester and Aberdeen are optimistic about the growth trends over the next 5 years. Many organisations are beginning to realise they can no longer effectively control and manage their security perimeter and are moving their data security to endpoints. This is a responsible move, and will gain popularity over the next decade now that the cost barriers are falling with a simple and effective installation costing as low as $6,000.

A perspective on the theft of confidential data by a former employee at Ford

When I read that a former Ford product engineer had stolen over 4000 confidential documents containing trade secrets from his former employer, I began to wonder how many companies out there are vulnerable to the same degree as Ford. Fortunately for Ford this employee got caught, but it remains unknown how many employees have successfully got away without Ford’s knowledge.

An extract from the article reporting the story reads “Xiang Dong Yu, a.k.a. Mike Yu, 47, of Beijing is charged with theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer”. This fascinates me. What is an unauthorized access to a protected computer? Is this not an oxymoron? If a computer is protected, I assume it is protected to keep prying eyes out. In the US an unauthorized access to a protected computer charge carries a maximum penalty of five years and a $250,000 fine, but this is not really a deterrent because many employees do not know or are ignorant of the consequences of their actions.

A protected computer of this nature should have the highest level of security on it, for example:

  1. When the computer is logged into, it should notify the administrator of who logged into that machine, when, where and why. The system should also show a log of all activities on the computer.

  2. Every single file on that protected computer should be encrypted with enterprise digital rights management software to ensure that even if the computer is hacked the files cannot be decrypted. Failed attempts to access these files could be logged and location identified if you need to get the police involved.

  3. Disable all the access ports that could facilitate the data on the protected computer from being downloaded or uploaded.

  4. Where downloading has to be allowed, this should also be logged and presented in the form of a daily, weekly and monthly management report to see if there are possible trends of confidential data being used illegally.

  5. There are other things that could be done, like encrypting the hard disk during non-core hours, i.e. out of office hours.

Theft of data on such a magnitude should be detected immediately and not after a prolonged investigation when the damage is already done. I want to believe that Ford could have done a great deal more to protect its intellectual property. In this day and age it is puzzling how a single person can steal over 4,000 confidential documents and go undetected until he has left the company.
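As an added illustration of the download report in item 4 and the immediate detection argued for above (example code written for this page, not taken from any ERM product; the event tuple format, user names and thresholds are assumptions, and the sample events are constructed):

```python
from collections import defaultdict
from statistics import median

def sample_events():
    """Constructed audit events: (ISO date, user, action, document id)."""
    events = []
    for day in ("2010-03-01", "2010-03-02", "2010-03-03", "2010-03-04"):
        for user, n in (("alice", 12), ("bob", 9), ("carol", 15)):
            events += [(day, user, "download", f"DOC-{user}-{i}") for i in range(n)]
    # One user pulls far more distinct documents than usual on a single day.
    events += [("2010-03-04", "bob", "download", f"DOC-bulk-{i}") for i in range(400)]
    # One failed attempt on a file the user holds no rights to (item 2).
    events.append(("2010-03-04", "carol", "denied", "DOC-restricted-1"))
    return events

def daily_counts(events, action="download"):
    """Distinct documents per (user, day) for one action: the daily report."""
    seen = defaultdict(set)
    for day, user, act, doc in events:
        if act == action:
            seen[(user, day)].add(doc)
    return {key: len(docs) for key, docs in seen.items()}

def flag_bulk_access(events, factor=5, floor=50):
    """Flag (day, user, count, baseline) where the count is at least `floor`
    and more than `factor` times the user's median on their other days."""
    per_user = defaultdict(dict)
    for (user, day), n in daily_counts(events).items():
        per_user[user][day] = n
    alerts = []
    for user, days in per_user.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if n >= floor and n > factor * baseline:
                alerts.append((day, user, n, baseline))
    return sorted(alerts)

def denied_attempts(events):
    """Failed access attempts, reported alongside the download counts."""
    return sorted((d, u, doc) for d, u, act, doc in events if act == "denied")

if __name__ == "__main__":
    for alert in flag_bulk_access(sample_events()):
        print("bulk access:", alert)
    for attempt in denied_attempts(sample_events()):
        print("denied:", attempt)
```

Comparing each user against their own history rather than a single global limit keeps a report like this usable for roles that legitimately handle many documents.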

Where confidential data is stolen by an employee and no immediate action is taken, you can be guaranteed the damage is already done if she or he walks out of the door. I do not believe businesses and organisations should be forced to protect their information assets under some sort of legislation, but they need to be more responsible in protecting their data, employing the best security and data protection tools on the market.

We live in the information age, and information is rapidly becoming the most valuable commodity in the market ready to be traded to the highest bidder. With the rapid growth of digitization in our lives, organisations and businesses will see their rise or fall based on the extent taken to protect their intellectual property and confidential data.

Using Information Rights Management to Prevent Snooping by IT Staff

Human beings by nature are inquisitive and there will always be the temptation to pry into unauthorised confidential information. At the same time organizations must be able to control the viewing, movement and usage of sensitive data to prevent inappropriate distribution or leakage. In a recent news article, a global survey carried out by Cyber-Ark claimed that 41% of IT pros admit to snooping on confidential information.

The research also confirmed that snooping continues to rise within organizations both in the UK and the US. Forty-one percent of respondents confessed to abusing administrative passwords to snoop on sensitive or confidential information – an increase from 33 percent in both 2008 and 2009. When examining the information that people were willing to circumvent the rules to access, US respondents targeted the customer database first (38 percent versus 16 percent in the UK) with HR records most alluring to UK respondents (30 percent versus 28 percent in the US).

When it comes to confidential information in unstructured format it is imperative that the business takes responsibility for securing such information. Information Rights Management needs to be managed and administered by the business and not IT; this rules out the possibility of unauthorised access. In addition to encrypting each document or email, access to these documents is logged, giving the data owner a full audit trail. Information Rights Management prevents staff from accessing information that is not relevant to their role.

Smart and best-in-class organizations are beginning to realize the benefits of using Information Rights Management. Typical deployments for these organizations can vary from 3 days to 3 months, with exceptional deployments lasting between 6 months and a year; these tend to be global deployments across multiple departments with a high element of integration or customization. The best way to get started is to ask for a proof of concept to see whether Information Rights Management meets your requirements.

For additional information on how to get started with Information Rights Management you can access Gartner’s latest publication called “Key Selection Criteria for Enterprise Digital Rights Management Solutions” by Eric Ouellet and Ray Wagner.

Reference:
Help Net Security - 41% of IT pros admit to snooping on confidential information