Editor's note: Security consultancy Networks Unlimited allowed freelance reporter Sandra Gittlen to tag along as it conducted a data leak audit at a Boston pharmaceutical firm, then presented its findings to company execs. In exchange for this type of access, we agreed not to identify the pharma firm.
When the director of IT at a Boston-based, mid-size pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional website security resources.
While there are certainly marketing benefits of publishing such findings for the vendors, I found this article to be very good and relevant for large companies too.
The incident numbers stated may be high simply due to false positives, as the IT management team noted in the article. In addition, since the business management did not weigh in on the criteria of the audit, it is less likely that they were able to identify leaks that require more contextual findings and analysis — which in many cases can be the most devastating type of data leak. Examples would be executives or key technical staff who depart companies with thousands of files and documents regarding strategic plans, merger and acquisition data, confidential projects, litigation strategies, impending negative decisions on products, etc.
With that said, I believe the types of findings in this article are realistic even for companies that have extremely sound technical security controls. Without proactive, ongoing monitoring and the sponsorship of senior business management, data breaches of this scale are more likely the norm than the exception.
I'm confident that if a similarly designed and executed audit were done, say, at the top 100 of the Fortune 500 companies, the audit's results would be very similar in scale and nature for many of the companies.
If you are a senior business executive, I think this article illustrates that your IT group cannot do it alone. This company certainly was counting on IT. If you are a senior IT leader, know that your IT security team can't make it happen alone. If you are an Information Risk Executive, I think this story is a great example to leverage in making your case for the need to understand and monitor data leak risks.