IT security

Think only governments are WikiLeaks targets? Think again, businesses!

Although some of the furor over WikiLeaks has slowed down, make no mistake; the whistleblower website has not gone away. In fact it seems to have blended into the internet, making “online whistleblower” a term we’ll be hearing over and over for the foreseeable future, not just for WikiLeaks but copycat sites as well. Just the words “big U.S. bank” and WikiLeaks in the same sentence caused Bank of America’s stock to drop. That a website could have such power, costly in BofA’s case, is new. But the seeds of WikiLeaks are as old as human nature and it’s not only governments that will feel the sting of an outed secret.

So what can businesses do to keep their content from winding up on WikiLeaks’ website or some other exposé forum?

Let’s start by pointing out that there’s little that can be done if your company has a disgruntled employee with legitimate access to confidential information. Large organisations simply have a statistical chance of employing dishonest person or someone with an axe to grind. While core security technology such as VPN, firewalls, or data leak detection will reduce the danger, handling the human element is best done by good HR people with adequate screening.

But enterprises can do much to keep a leak from occurring. Like leaving your house unlocked and hoping for the best, enterprises need to not overlook the obvious. In this case, don’t make your content easy prey for unauthorised eyes. That’s the first step. But say an employee has authorised access to a sensitive document. He or she has the “reading” privilege and can save the document or a part of it on his or her hard drive or memory stick. At that point the security of your enterprise applications no longer applies. Now you must worry about the security of the flash memory drive – and that’s not much security.

Many enterprises don’t realise what valuable data is sitting on hard drives, on laptops and on mobile devises. That leaves them vulnerable to a myriad of nasty possibilities ranging from seeing their trade secrets slip out to their competitors, losing first-to-market advantage and even legal problems. For example, an old document resurfaces causing your company potential embarrassment or worse. Organisations are advised to dispose of information after prescribed retention periods, but maybe someone kept a copy and now that 20-year-old document has become a liability.

By their very nature enterprise content management tools can go a long way toward heading off these scenarios. It’s inherent to content management systems to have security through access control, authentication and authorisation to make sure only the right people have access to the right documents. Originally conceived as a way to protect intellectual property, digital rights management (or just rights management) is now allowing companies to encrypt content and thus enforce security no matter where it travels. If I receive a document in an email, that document will be checked and my level of authorisation will determine if I can save it locally, print it or forward it. Proper rights management could prevent sensitive records from winding up on a stolen employee laptop, for example.

Tethering is another ECM approach that ratchets up content security. With tethering, the content always resides in the original repository, which can be secured so the content never actually leaves. A prime example is YouTube. People can access, view and embed a YouTube video on their blogs or websites, but the content assets always stays on YouTube’s server. Today, we can apply the same technology to content residing in a secure repository in an enterprise.  This way, the content assets can be shared as needed, without ever having to leave the high-security confines of an enterprise content management repository.

Rights management and tethering are excellent tools in a good content management system. But a more fundamental issue for enterprises is a firm grasp of information organization. If your content is well organised, there is a much lesser chance that something will leak out — and leak out undetected. Most organisations have non-disclosure policies, emphasising the secrets that shouldn’t shared. But having your information well-organised and well-structured is the key. If you have information all over the place and lots of duplicate data, that’s the worst possible scenario if you are concerned about security or winding up as a WikiLeaks victim

Resolving a Leak

What if your best intentions aren’t enough? What if you see your company’s name along with some heretofore closely guarded secret splashed on the front page of the New York Times as the victim of a security leak? What then? Once the genie’s out of the bottle, you can’t put it back, so you have to look at your options. Possibly, you can take legal steps to contain the problem or leverage your own PR to clarify its context.

But what’s far more important is preventing a leak from ever occurring again. That starts with tracing the leak back to where it originated. This is where content management and the principles of information governance come into play. One of ECM’s key features is its ability to have a consistent, centralised log of all events — an audit trail. It’s a very good way to trace back how the particular content asset or document got out, who opened it and where it wound up. With a good ECM system in place, you can create the framework to prevent this kind of leak in the future. Even if your enterprise never suffers the indignity of a security leak, aiming to protect your content has the very real side benefit of solid information governance.

The drive to expose secrets has always been with us, though the methods of dissemination are new. We don’t know how long WikiLeaks will be around — not long if some governments have their way and are successful in shutting it down. But individuals or organisations abusing confidential information certainly won’t go away. Since Internet facilitates the mass dissemination of information in the blink of an eye, enterprises would be remiss in not preparing for the worst. Digital information has undisputed productivity benefits, but also some liabilities. Content management needs to be part of the infrastructure, part of the DNA of a company to successfully deal with the possible dangers, like WikiLeaks.

What are the top three questions corporations should answer to prevent a WikiLeak of company secrets?

1.     Is our security sufficient; are our privileges enough or do we need rights management?

2.     Do we have an overall well-organised system to store content properly?

3.     If any kind of leak happens, do we have the ability to trace the leak back to its origin?

– Lubor Ptacek is vice president of product marketing for OpenText Corporation. He can be reached at lptacek@opentext.com

Related Stories