Data Security in the Age of WikiLeaks
Ruppin, Adi, Risk Management
Compliance has been key in driving companies to invest in digital security. But does heightened compliance always protect sensitive data? In many cases, the answer is no.
One need not look any further than the latest WikiLeaks incidents in which hundreds of thousands of military logs and state department cables were leaked. But WikiLeaks is only one example in a series of incidents in recent months. Transportation Security Administration screening manuals have been posted online, Major League Baseball financials were published and Apple's iPod specs were exposed ahead of time.
Whether you need to comply with HIPAA, Sarbanes-Oxley (SOX) or any other regulations, it is now clear that compliance can be achieved without providing true protection. In fact, compliance is sometimes used as a fig leaf, covering a lack of real document security.
Standard security tools and practices largely deal with controlling the flow of personal information or corporate financials. But while covering some areas, they leave others untouched. For example, take the recently updated Payment Card Industry Data Security Standards that all merchants accepting credit and debit cards must abide by. To achieve compliance, many businesses have used data loss prevention systems to prevent leakage of credit card information and financial data. But these solutions frequently reside at the company's gateway (i.e., between the internal network and the outside world) and cannot prevent the leakage of the same data from an individual outside of the enterprise perimeter.
So, what seems good on paper does not necessarily provide a complete solution. This is because the tech environment has changed in three key areas. First of all, mobile workers are more pervasive. …