You might find the following numbers frightening -- but probably for the wrong reasons.
According to a recently released survey by the security company SpectorSoft (registration required), more than half the enterprise respondents have discovered that "employees are using company-issued devices to send various types of company information to personal email accounts and cloud-based file-sharing accounts such as Box, DropBox or YouSendIt." More specifically:
- Thirty-three percent of employees transfer corporate information via personal Yahoo and Google email accounts.
- Twenty-three percent of employees transfer corporate information using Box, Dropbox, or Hightail (formerly YouSendIt).
- Twenty-eight percent of employees transfer corporate information using USB storage devices.
- Forty-four percent of the time, insider-driven breaches include intellectual property, business plans, technology designs, mergers and acquisitions information, and other information that corporate policy says should not be sent outside the organization.
In other words, most of you have employees breaking those IT policies you've set to protect your company from data breaches -- and some of those employees are willfully trying to do your company harm.
But you knew that already, didn't you? Let's look at these numbers another way. Maybe your IT policies are lousy. Or maybe the technology you offer employees isn't enough to suit their needs. Or maybe your company's work culture is dysfunctional. Or maybe all of the above.
Everyone in the E2 community is familiar with the myriad security threats associated with personal email, file-sharing sites, and portable storage media. USB sticks can be lost. Unapproved third-party web-based services can't be secure, and, of course, all these tools are used by nefarious insiders to ferret sensitive proprietary information out of the company.
But those tools are also used by people who are just trying to do what their bosses ask. If companies expect employees to be reachable at midnight on a Saturday while they're vacationing on a remote island, then they also have to expect those employees to use their personal email accounts on their personal devices to do so. If companies expect giant video files or databases to make it from the New York office to the San Francisco office in a few minutes instead of a few days, then they have to expect employees to use file-sharing services to do quick uploads and downloads.
If we didn't ask so much of our employees, maybe they wouldn't need to use these tools we fear so much.
Mike Tierney, SpectorSoft's vice president of operations, agrees that it's a sticky wicket, and that striking the right balance between security and productivity is hard to do with technology alone. He told me he's a big fan of data loss prevention (DLP). "But the challenge of DLP is that it's content aware but not context aware."
Tierney presented a hypothetical example: A member of the sales staff emails a complete client list and detailed sales report to a Gmail account. The immediate response of a DLP tool or any IT security person is to wave a big red flag and declare that this salesperson is deliberately leaking proprietary information, possibly to a competitor. There's no doubt the company would move quickly to fire that salesperson.
However, what if you learned that the vice president of sales was at an important meeting on the other side of the country somewhere? What if you learned that the vice president was having technical difficulties that blocked his access to anything on his corporate network, including email, sales reports, and client lists? What if he called his staff member and told that person to send those documents to his personal Gmail account right away?
Put into context, one can see that both the person sending the message and the person receiving it were simply trying to do their jobs and respond to an emergency. Would you still want to fire that salesperson who broke corporate IT policy -- or the vice president who asked him to do it?
SpectorSoft's newest product, Spector 360 Recon, may help provide that context when necessary. Tierney calls it "passive monitoring" -- essentially the collection and storage of logs. Regular end users are not authorized to access the logs, and the logs are stored on the users' own hard drives rather than in a central location, so they're reviewed only when the company believes it has reason to investigate a user's activity. Tierney says it's set up this way mainly to give employees some privacy and not make them feel like Big Brother is watching them at all times. The logs are automatically deleted after a set period of time; the default is 30 days.
Spector 360, SpectorSoft's original product, is for "active monitoring" -- especially useful during that dangerous period between when employees give notice that they're leaving the company and the day they actually leave. The company's survey also found that 47 percent of the companies discovered that former employees took information with them when they left. If they're downloading sensitive proprietary information onto a USB stick while they're eating their farewell cake with their soon-to-be-former co-workers, that's something you want to know in real time and stop in its tracks.
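To make Tierney's "content aware but not context aware" distinction concrete, here is a small policy engine written as an added example for this article; it is not code from SpectorSoft, Spector 360 or Spector 360 Recon. It evaluates the same outbound transfer twice: once with a content-only rule (sensitive text plus external destination equals block), and once with context added, namely a time-boxed exception approved by a manager (the vice president's emergency request) and a "gave notice" flag for departing employees (the active-monitoring case). The corporate domain, keyword classifiers, usernames, timestamps and exception records are all constructed for illustration; a real DLP product uses far richer classifiers and an approval workflow rather than an in-memory list.

```python
# Added example: a toy context-aware DLP decision engine. Not SpectorSoft's code;
# the domain, rule patterns, users and exception records below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

CORP_DOMAIN = "example.com"                              # assumed corporate mail domain
CONSUMER_SHARES = {"dropbox.com", "box.com", "hightail.com"}  # services named in the survey

# Content classifiers: crude keyword rules standing in for a real fingerprinting engine.
CONTENT_RULES = {
    "client_list": re.compile(r"\b(client|customer) list\b", re.I),
    "sales_report": re.compile(r"\bsales report\b", re.I),
    "design_doc": re.compile(r"\b(technology design|schematic)\b", re.I),
}


@dataclass
class TransferEvent:
    user: str
    channel: str        # "email", "cloud_share" or "usb"
    destination: str    # recipient address, service hostname or device id
    content: str        # text the classifier can see: subject, body, filenames
    when: datetime


@dataclass
class ApprovedException:
    user: str
    destination: str    # the exact external destination that was approved
    approved_by: str
    expires: datetime   # exceptions are time-boxed, not open-ended


@dataclass
class Context:
    exceptions: list = field(default_factory=list)
    departing_users: set = field(default_factory=set)   # gave notice, not yet left


def classify_content(text):
    """Return the set of sensitive-content labels found in the text."""
    return {label for label, rx in CONTENT_RULES.items() if rx.search(text)}


def is_external(event):
    """True when the destination lies outside the corporate domain."""
    if event.channel == "usb":
        return True
    if event.channel == "email":
        return event.destination.rsplit("@", 1)[-1].lower() != CORP_DOMAIN
    if event.channel == "cloud_share":
        return event.destination.lower() in CONSUMER_SHARES
    return True


def content_only_decision(event):
    """What a content-aware-only rule does: sensitive content + external destination = block."""
    if classify_content(event.content) and is_external(event):
        return "block"
    return "allow"


def context_aware_decision(event, ctx):
    """Same content signal, but the surrounding context chooses the response."""
    labels = classify_content(event.content)
    if not labels or not is_external(event):
        return "allow", "no sensitive content leaving the organization"
    if event.user in ctx.departing_users:
        # Active-monitoring case: stop it in real time rather than review later.
        return "block", "departing user moving %s externally" % ", ".join(sorted(labels))
    for exc in ctx.exceptions:
        if (exc.user == event.user
                and exc.destination.lower() == event.destination.lower()
                and event.when <= exc.expires):
            return "allow_and_log", "approved by %s until %s" % (exc.approved_by, exc.expires.isoformat())
    # No approval on record: raise it for a human to gather context before anyone is fired.
    return "alert", "sensitive content to external destination; gather context before acting"


def demo():
    """Run the article's scenarios; returns (user, content-only verdict, context-aware verdict)."""
    now = datetime(2014, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ctx = Context(
        exceptions=[ApprovedException("sam.sales", "vp.sales@gmail.com", "vp.sales",
                                      now + timedelta(hours=4))],
        departing_users={"pat.leaving"},
    )
    events = [
        TransferEvent("sam.sales", "email", "vp.sales@gmail.com",
                      "Complete client list and sales report as requested", now),
        TransferEvent("sam.sales", "email", "vp.sales@gmail.com",
                      "Complete client list", now + timedelta(days=1)),   # exception expired
        TransferEvent("pat.leaving", "usb", "usb-serial-0001", "technology design v3.pdf", now),
        TransferEvent("ann.eng", "cloud_share", "dropbox.com", "video_render_final.mov", now),
        TransferEvent("ann.eng", "email", "boss@example.com", "sales report", now),
    ]
    return [(e.user, content_only_decision(e), context_aware_decision(e, ctx)) for e in events]


if __name__ == "__main__":
    for user, content_only, (verdict, reason) in demo():
        print("%-12s content-only=%-6s context-aware=%-13s %s" % (user, content_only, verdict, reason))
```

The salesperson's email is blocked by the content-only rule in both runs, but with the vice president's approval on record it becomes an allowed, logged transfer; the same email a day later, after the exception expires, is raised as an alert for review rather than treated as proof of leaking. The departing employee copying a design document to USB is the one case where the context makes the response stricter, which is the situation the article's active-monitoring passage describes.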
What do you think? Is there ever any excuse for breaking corporate IT policy? Are your IT policies too stringent to begin with? Is passive monitoring an effective way of dealing with the problem of context? Is this whole anytime-anywhere work cycle just a bad idea altogether? Let us know in the comment section below.