“While there are some new factors and challenges, it is really just a new name for an old problem,” says report author Andy Jones, senior research consultant at the ISF. “For large organisations a certain level of information leakage may be inevitable through unintentional actions, rather than malicious intent. What’s important is to focus resources on identifying and protecting high value data and increasing awareness of the risks.”
Information leakage, or ‘a breach in the confidentiality of information’ can take place at any vulnerable point in a company’s security system where data is being processed, transmitted, copied or stored. Human error accounts for most information breaches such as the loss of a laptop, sending a confidential email to the wrong address, or not providing sufficient protection to information in transit.
New high-profile vulnerabilities have also been introduced through the increase in high capacity storage devices such as USB keys or MP3 players and the growing popularity of social networking sites such as Facebook and MySpace. Employees can inadvertently place classified business information on these sites that may compromise someone’s identity, for example.
“Increasing risks, combined with recent high profile security breaches and the growing list of data protection and confidentiality regulations, from US breach notification laws to the Gramm-Leach-Bliley Act, have also helped information leakage reach the top of boardroom agendas,” says Jones.
The ISF briefing, normally only available to ISF Members, has been released publicly to help organisations to identify specific threats and vulnerabilities that present the greatest risk. For example, data transmitted by a Virtual Private Network (VPN) has a very low degree of exposure compared to a standard internet connection or the spoken word. Storage is particularly vulnerable where data is stored on laptops, USB devices or home PCs. Printed papers are highlighted as presenting high levels of risk, but are often neglected and poorly protected.
The ISF briefing provides guidelines on how to identify and deal with, or avoid, information leakages through appropriate controls ranging from access control to laptop or USB encryption. A high priority is also placed on educating and warning staff and third parties in order to reduce incidents.
“Delivering the right message on information leakage is difficult and all too often is perceived as ‘we don’t trust you – therefore we will lock everything up’,” says Jones. “A balance should be established between protecting information and sharing it for business benefit. Information leakage is an old familiar problem, but it does appear to be enjoying a new lease of life.”