Is the proliferation of information fostering a dangerous shift in corporate mentality? Humphrey Browning, Head of Technical Consultancy at Nexor, looks at how networks can inadvertently lead to mismanaged data and undervalued information. According to a report by Jupiter Research,1 49.5 per cent of CIOs (chief information officers) considered the sensitivity of their company’s data as ‘low’. In a world where the threat of information security breaches is an everyday consideration, this either represents gross naivety or complete negligence. The sad reality is that by opening up networks and building knowledge-based infrastructures that empower employees to access a wider portfolio of corporate information, organisations have inadvertently opened the floodgates for mismanaged data and fostered a climate of undervalued information. Technologies such as email pose a potentially dangerous shift in corporate mentality, a shift that is seeing the sensitivity of corporate data increasingly undermined through an ability to circulate information with a degree of immediacy that was unthinkable just a few years ago. Sensitive company documents, which would once have been physically filed, marked as confidential and sealed in an envelope when sent to an external party, are now easily accessible from a corporate network by large numbers of employees who have the means at hand to routinely circulate its contents around the world without a second thought. Whilst a great deal of attention is given to the security of data that pass the perimeter of an enterprise, many organisations have been unsuccessful in managing the root data itself.

The growing volume of material held within the average company is now so large that, although freely available through company intranets and directories, its level of confidentiality is often left uncategorised. It is this unchallenged availability and the ease with which it can be circulated by an employee with an email connection that is presenting a security risk that has so far largely gone unnoticed. In most cases the circulation of sensitive data, perhaps a sales forecast or share price information, is not conducted maliciously. Instead it is carried out by the growing army of employees to whom email is second nature, who perhaps don’t assign as much importance to a piece of data as their contemporaries would have done ten years ago. For centuries technology has been the root cause of changes within business practice. The telephone, fax and PC are all typical modern examples of how, once accepted as mainstream, technology can lead us along a new path of increased profitability, efficiency and communication. In the majority of cases such changes are welcomed, and this is certainly the case with email, a technology adopted with such speed and ferocity that to anyone under the age of 21 it seems hard to imagine life without it.

The problem is compounded by the rise in information security breaches, the reaction to which of many organisations is to batten down the hatches and ring fence corporate networks with the latest software solutions. Yet, despite these measures, many organisations continue to allow themselves to be easy prey by not offering a second thought to the unclassified material attached to their emails. Of course, the suggestion is not to restrict email access across an enterprise; the advent of electronic communication certainly offers more benefits than pitfalls. Not only have previously mundane work processes been simplified, but employees also have a far wider perspective of understanding thanks to the availability of data that would have once been locked away in a filing cabinet. Knowledge workers must be allowed to search, retrieve and manage both data and email within a secure, yet collaborative, environment. Many email solution vendors have been slow to recognise the growing demands placed on email as a business tool, undoubtedly fertilising the trend towards free information flow whatever the cost. It should be remembered that email was never intended to be used as a tool for high-value communication. Only when it became a viable mass-market technology did it begin to flourish in industries where the confidentiality of information is critical to business. Efforts to secure data circulated by email have largely been pooled around encryption technologies, yet the problem lies further down the chain, at the root source of unmanaged company information. The way in which organisations are conducting business highlights the need to automatically classify email content in its native form from within a corporate directory based on defined rules of usage that are unique to each organisation. Policies and controls should be put in place to ensure the security of sensitive information without restricting its accessibility within an organisation. Wrapping low-level data, such as company phone lists or staff memos, in security mechanisms achieves nothing but to restrict accessibility and use.

One sector that has long understood the importance of classifying information is the military. Using security labelling technology, electronic communications are ‘tagged’ before dispatch. The security labels, usually applied within the default email client, allow the sender to quickly assign a level of confidentiality suitable to a particular mail and its contents. The label then automatically applies the appropriate level of security for the level of confidentiality selected. An email of the highest confidentiality will therefore be subject to digital signing, data encryption and any other mechanism that is in place to guarantee the integrity of the data. A staff memo, depending on its content, may in turn pass through the gateway untouched. Security labelling is now being applied within the corporate environment, with a new generation of software adopting a more pragmatic approach by managing email on the boundary between organisations and the outside world. This approach offers the benefits of configurable policy-setting at a server level, allowing the definition and management of email policies from a corporate perspective regardless of desktop set-up. The responsibility for applying security is thus removed from the user and passed back to the organisation. It seems it is not only the information that is undervalued, but also the resulting effects of mismanaged data and the possibility of a breach in confidentiality. Online IT resource centre TechRepublic conducted a survey in January 20022 in which nearly 2,000 respondents were questioned about email and Internet usage. Surprisingly, only 18 per cent of those questioned considered the leakage of company confidential information as ‘extremely serious’, with respondents citing employees accessing pornographic content via the Internet or email as more of a threat. Unbelievably, just nine per cent felt that the problem was ‘serious’, less than half the number that cited the serious nature of downloading unauthorised files such as MP3s. The same survey also looked at organisations that had fired employees on the grounds of Internet or email misuse.

Again, the leakage of confidential material appeared low amongst the grounds for dismissal. Dismissals for recreational Internet surfing in work time (26 per cent of firings) were more than double those for leaking company confidential data (10 per cent). This represents one of two things: either organisations place a lower importance on a breach of confidentiality than on recreational surfing, which is unlikely, or they do not have the tools in place to either detect or prevent such information misuse. In fact, according to the DTI’s Information Security Breaches Survey 2002, only 27 per cent of companies have a documented security policy. As more and more organisations become dependent on both electronic communication and electronic data and retrieval systems, the potential for security breaches will undoubtedly increase, no matter how much investment is made into perimeter security or user authentication solutions. The age-old adage that the weakest link in any electronic network is the user holds true. Organisations must look internally at how employees are trained to use information and also create an understanding that corporate data is an asset and not a by-product of modern business. There is a strong argument that responsibility for security and confidentiality of information must be moved away from the user and managed centrally without, of course, restricting access.

Unlike many other threats to electronic communication, this problem is entirely preventable and lies solely at the feet of an army of email users who unwittingly show complacency to valuable information each time they access their email accounts. Humphrey Browning is Head of Technical Consultancy at Nexor. Nexor provides high-assurance messaging and directory solutions to government, military, finance and telecommunications markets. Nexor customers can be found in Europe, North America, Canada and Australia, and cover a range of commercial and military organisations. The US Army, CIA, NSA, Canadian DoD and Government of Canada all utilise Nexor technology, as do the UK MoD, GCHQ and armed forces. For further information contact: European Office (Headquarters), Nexor Limited, Rutherford House, Nottingham Science & Technology Park, Nottingham NG7 2PZ, UK. Tel: +44 (0)115 952 0500; Fax: +44 (0)115 952 0519; Email: info@nexor.com