NEW YORK (TheStreet) -- Much has been written recently about the WikiLeaks disclosure of hundreds of thousands of sensitive government documents and cables.
And despite a new method of distributing such massive amounts of information in this instance (via the Web), should anyone really be surprised this happened? In fact, the whole WikiLeaks event speaks volumes about how truly un-serious the U.S. government is about security (or worse, incompetent).
This is not a new exposure area, as companies have been dealing with "data leakage" problems for years. And it's not as if there aren't lots of tools available that can track document access, allow only certain users to view/read/copy files, lock down repositories, etc. Security companies like
, and many of the major app platform vendors like RSA (a unit of
, et al., have leakage-prevention capabilities.
The government ignored these capabilities to its detriment, and we believe many organizations large and small do so as well. The WikiLeaks event sheds light on a major security issue with huge implications for enterprises and not just for government agencies. The fact is that the highest probability of data loss or exposure will result not from an outside attack, but from inside your own organization.
Right now, the government thinks the leaked documents are the work of a single person -- a U.S. Army private who was able to access millions of files and easily copy them to a CD or flash drive. And it's very likely that in your enterprise, there are many individuals who could easily access private and sensitive corporate data too, which is companies' most valuable (and private) asset.
In fact, it's amazing how lax data-access rules are in most companies, despite the many regulatory compliance requirements (e.g., SOX, HIPAA). And if someone unauthorized did access sensitive files, would your organization even know about it?
There are steps enterprises should take to avoid being the next victim of WikiLeaks (which now says it will start releasing corporate documents as well). The most critical lesson to be learned from WikiLeaks is, trust your employees, but verify they're not doing something they shouldn't. The vast majority of employees will be ethical. But occasionally, there will be one who isn't, and those are the ones organizations need to protect against.
Any assessment of corporate security/data protection policies should start with a number of questions. Does your company have written policies in place to handle sensitive documents? Have those policies been effectively communicated to employees? If your company hasn't, why not?
Are certain areas of data/files restricted? Are automated tools in place to track document access? Is the most sensitive data encrypted so it can't be exposed? Are your employees aware of the penalties for unauthorized access or copying of files? These are just some of the components of a data protection plan that companies must create.
Not having one is like leaving your front door unlocked. Of course, that doesn't mean organizations shouldn't also be protecting assets from outside infiltration over the Net. Clearly this is also a data-leakage threat and there are many reported losses of data from malicious attackers. But most companies do a pretty good job of that through implementing firewalls (e.g.,
) and effective segmentation of networks.
Few enterprises look at leakage protection as an "inside job" challenge, and that is why it is critical that companies do more to eliminate this specific threat. This is the biggest lesson of WikiLeaks. And if your company doesn't already have a "data leakage" prevention plan, what are you waiting for?
Jack Gold is the founder and principal analyst at
, an information-technology analysis firm in Northborough, Mass., covering the many aspects of business and consumer computing and emerging technologies.