Monday 6 April 2009

Hidden Risks of Intellectual Property in Email

I was talking recently to a client. We were discussing how organizations use email and the conversation turned to "inappropriate" use.

Ah, no. Not that sort of inappropriate use.

I'm talking about storing confidential information in an organization's email. Perhaps even sending that confidential information to people who have no right to receive it.

Just about every organization has this type of confidential information. It could be customer data or intellectual property, such as future product plans or patentable know-how. Whatever it is, organizations run a huge risk by allowing their users to email it.

And I'm not necessarily talking about attacks on the email system. Even the most sophisticated user can accidentally send the wrong thing to the wrong person.

Even if the information stays inside the organization, it's at risk from malicious insiders—if someone has access to an Exchange server, they can read the entire message database without needing any passwords.

And I'm not talking about a few scraps of information, either. Among organizations that are reasonably email-centric, a significant number might have the vast majority of their confidential information stored in their email—as much as 85% of it.

So what to do about it?
  • You could try educating your users... but that sounds like the epitome of cat herding.
  • You could shut down your email system... but isn't that rather self-defeating?
  • Various vendors will sell you tools for data leak prevention (DLP).

Combined with user education, DLP can do a reasonable job of helping email users "keep it in the family." But it isn't magic; it does need care and feeding.

It does need to be taught what your confidential information looks like, and who should be permitted to see it. And that teaching process isn't just a one-off chore—it needs to be ongoing.
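
To make that "teaching" concrete, here is a small sketch of the two things a DLP rule has to know: what the confidential content looks like, and who may receive it. This is an added example, not code from any vendor's product; the policy entries, the code name "Project Bluebird" and the domains are all constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: cuts false positives on card-like digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed policy: (label, what it looks like, extra validator,
# recipient domains permitted to see it). All values are hypothetical.
POLICY = [
    ("product-plans", re.compile(r"\bproject\s+bluebird\b", re.I),
     None, {"example.com"}),
    ("customer-card-data", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     luhn_ok, set()),  # empty set: nobody should get this by email
]

def evaluate(msg: EmailMessage) -> list:
    """Return (label, recipient) for every recipient not permitted
    to see content that matched a policy rule."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    headers = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    violations = []
    for label, pattern, validator, allowed in POLICY:
        hits = [m.group() for m in pattern.finditer(text)]
        if validator:
            hits = [h for h in hits if validator(h)]
        if not hits:
            continue
        for rcpt in recipients:
            if rcpt.rpartition("@")[2] not in allowed:
                violations.append((label, rcpt))
    return violations
```

The "care and feeding" shows up in the `POLICY` list: every new code name, data format or permitted partner domain means another entry to add and keep current.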
