When you shy away from doing a good security implementation

Companies losing data when executives move on, or when insiders facilitate copying (or transfer), is a common occurrence. Corporate espionage is old school; new-school practices include social engineering, hacking, trojans, key loggers, etc. Unfortunately, data leaks occur because of lax security practices.

Now we are seeing data leaks which show the lack of a Data Leak Prevention (DLP) or an Information Rights Management (IRM) security solution. Any company that has invested in building up intellectual property must use such solutions to effectively manage the risk of data leaks or breaches.

Just Dial, a company engaged in providing local information over the phone across the country, has sued its competitor, AskMe.
http://news.oneindia.in/2010/01/30/data-theft-hc-asks-askme-in-to-shut-down.html


Then there is the Travelocity - Cleartrip case, where TC has filed a complaint against CT for data theft, etc. It seems a particular Excel file was sent to CT by the ex-Managing Director of Desiya, which was acquired by TC.

An IRM solution can easily make such sensitive documents unavailable to a person once he/she leaves the organization and is no longer part of the user group.

http://www.medianama.com/2010/01/223-travelocity-accuses-cleartrip-ceo-former-desiya-md-of-data-theft/

Effective security must address people, process and technology, and every security implementation does this. However, industry experience and studies show that security standards are implemented "in the letter and not in the spirit", and some time back this was a concern expressed by President Obama's CIO too.

Another problem is the lack of acceptance of the risks that any organization faces due to weak implementation or waning support for continued security expenditure. For example, the budget covered the ISMS but did not provide for automation, or a solution, for security necessities like Access Management, Asset Management, Data Leak Management, Information Rights Management, etc.

Decision makers and stakeholders must ensure that security is embedded into the organization's DNA and that industry tools and solutions are adopted that will address risks and vulnerabilities at the fundamental or design level.
