Recent high-profile data breaches show that even worldwide enterprises with household names aren’t immune to the loss of sensitive information. One person well aware of this vulnerability is Thomas Logan, who has spent the past decade creating software applications that address Web content compliance risks and accessibility concerns.
What are some current trends and/or potential obstacles surrounding data security and privacy that companies need to be concerned about?
Thomas: One of the biggest trends we see is companies not focusing enough on the threat of data leakage from their own employees. There have been many threat analyses and risk models created that focus on preventing outside access to content. We frequently see that internal employees that have a right to access sensitive content are making improper internal decisions that create serious compliance risks.
Another trend is accidental data leakage -- the concept of “one wrong click” being able to create a compliance risk. Data is increasingly linked in the Web 2.0 world. Most systems expose data as feeds that can be integrated into other systems. People increasingly multitask between using mobile devices, tablets and personal computers. Cutting and pasting content into the wrong location just once can complete a risk. It’s also very easy for employees to be taking notes when talking with a customer or prospect and saving in the wrong location on their desktop. These impromptu notes often contain sensitive information that can add up to heavy compliance fines. Finally, people using internal networks to share credentials, server names, usernames and passwords. Once a hacker has gained access to a small part of a system, it is now possible for those hackers to scan the network and find logins to a host of other systems that may contain even more sensitive data.
What do you think are the main data security issues that CSOs need to concentrate on in the next few years? What are some potential threats to data security and privacy that may be under the radar, at least for the time being?
Thomas: Users leaking data through social media channels such as Twitter and Facebook. For example, a doctor accidentally identifying a patient by providing too many details about a patient from a visit. Also, doctors accidentally exposing patient information through a calendar that is synced to a content management system such as Google Calendar or SharePoint Office 365.
We frequently see that internal employees that have a right to access sensitive content are making improper internal decisions that create serious compliance risks.
Thomas Logan, chief technology officer, HiSoftware Inc.
What can companies do to stay proactive about data loss prevention? Do you have any specific advice?
Thomas: Define policies that can be automated. Create a governance plan where rules can have a technology underpinning. Create training specific to an organization about how compliance risks should be handled. When a compliance risk is encountered, empower the end user to make the fix rather than have a dedicated compliance officer be assigned to review manually.
Are there any laws or regulations on the horizon that could have a big impact on GRC?
Thomas: There are a number of regulatory updates now in review, including amendments to the ADA [Americans with Disabilities Act], WCAG [Web Content Accessibility Guidelines], and Section 508 guidelines that will have more specific requirements for Internet access. These are likely to affect public and private-sector institutions alike, and could be enacted as early as the first quarter of 2012. Given the many recent and high-profile data breaches -- both malicious and accidental -- it's likely we will see more aggressive movement in the legislative branch to protect consumer data as well. One area which continues to garner a lot of media attention are the various "do not track" bills now moving through Congress, all of which will require significantly greater transparency into cookies, OBA [online behavioral advertising] tagging and other technologies that track consumer Web traffic and, in some cases, actually collect PII [personally identifiable information].
How can companies prepare for these laws and regulations? Is it just a matter of staying informed?
Thomas: The maze of legislation now being considered, at both the federal and state levels, is both confusing and in some cases is likely to be in conflict. If you are a global organization, the picture is even more complex. It's simply not realistic to expect that privacy and compliance professionals and, increasingly, marketing executives, given that they control many of these Web properties, can navigate all of these emerging areas with policies and manual audit processes alone.
Let us know what you think about the story; email Ben Cole, Associate Editor.