This is the second column in a two-part series addressing the impact of WikiLeaks on corporations. The first column discussed how "WikiLeaking" may represent a new type of information security risk and public relations threat. This column addresses how organizations can protect themselves.
Companies and other organizations need not be defenseless against WikiLeaking. Protecting against leaking is actually a records management problem of gaining control of your information before others do. There are proactive steps that can both minimize the risk of a leak and, if a leak does occur, reduce the volume of documents published.
First, avoid "knee-jerk" aggressive deletion. Avoid aggressive data deletion policies that drive employees to create "underground archives." Fearful companies often adopt an "aggressive" deletion policy that requires, for example, the systematic deletion of e-mails and other documents after 30 days or less. While ongoing, defensible and balanced deletion is a good thing, this type of aggressive deletion often not only fails to work, it usually creates a new problem: "underground archiving." As discussed in previous columns, when faced with aggressive deletion, many employees save their information elsewhere, including saving e-mails on USB "thumb" drives, forwarding them to Gmail or Hotmail accounts, or other hard-to-control places. A better approach is to allow employees to save to appropriate and secure archives.
Secure group file shares and other public file repositories. WikiLeaking is often driven by lone employees who can access and copy large amounts of other employees' documents. Many organizations use large, shared storage systems--group file shares--to allow employees to save both files and offline copies of e-mails. These file shares are "mapped" to make them look like an extra disk drive attached to the employees' desktop computer systems. While these storage systems have the capability to enforce controls such that an employee can only access his own data, we often see these systems deployed with none of these access controls implemented. Nearly all file storage systems have access controls--use them.
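One way to check the point above, as an added example that is not part of the original column: a small audit that walks a group file share laid out as one folder per employee and flags any folder that other employees can read or write. It uses POSIX permission bits and builds a constructed sample share in a temporary directory; a Windows/SMB share would need the same review against its NTFS and share ACLs, which this script does not inspect.

```python
"""Audit a group file share for per-employee folders exposed to other users."""
import os
import stat
import tempfile


def audit_share(root):
    """Return [(folder, problem)] for top-level folders readable/writable by others.

    On a properly locked-down share, only the owner (and administrators)
    should be able to enter an employee's folder, i.e. mode 0700.
    """
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            continue
        mode = os.stat(path).st_mode
        problems = []
        if mode & (stat.S_IRGRP | stat.S_IXGRP):
            problems.append("readable by group")
        if mode & (stat.S_IROTH | stat.S_IXOTH):
            problems.append("readable by everyone")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable by others")
        if problems:
            findings.append((name, ", ".join(problems)))
    return findings


def build_sample_share():
    """Create a constructed share with three employee folders of differing modes."""
    root = tempfile.mkdtemp(prefix="groupshare_")
    # Constructed sample: alice is locked down, bob and carol are exposed.
    layout = {"alice": 0o700, "bob": 0o755, "carol": 0o777}
    for user, mode in layout.items():
        path = os.path.join(root, user)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for folder, problem in audit_share(build_sample_share()):
        print(f"{folder}: {problem}")
```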
Control and secure your backup tapes. No single "portable" storage medium has more documents from more employees than backup tapes. Nevertheless, it is amazing how casual companies seem to be in securing them. I heard of one IT professional who thought it perfectly acceptable to store offsite copies of his company's backup tapes in his garage at home. Secure backup tapes appropriately.
Consider data loss prevention technology for sensitive information. Data Loss Prevention (often referred to as DLP) is a type of software that "locks down" data to prevent it from being transmitted outside the organization, including, for example, blocking employees from copying data to USB drives. DLP is an effective complement to a data management strategy and should be considered for data stores containing sensitive or privacy-related information.
Update employee data policies and train to them. Review and update the data usage policies in your employee manuals and ensure they explicitly cover the proper use and handling of e-mail and other corporate data. Once these are in place, conduct initial and yearly employee training on the proper use and control of corporate information systems. What in-house counsel may view as obvious--company e-mails belong to the company, not the employee, and may not be published elsewhere--is not obvious to everyone: some employees still mistakenly believe they own their own e-mails. Train, train, train.
At this point it is difficult to tell how much of a threat WikiLeaking represents for companies. Yet it is not too early to start thinking about what can be done to reduce this risk.
This is part 2 of a 2-part series.