The WikiLeaks debacle has put a spotlight on the need for better corporate security policies and new technology approaches. But even these safeguards are no guarantee in an age where data is so easily transmitted for all to see online.
“I honestly believe [WikiLeaks] is not a technical leak, but malicious intent,” said Prateek Dwivedi, CIO of Mount Sinai Hospital in Toronto, about the WikiLeaks posts. Mount Sinai “does a lot of work” to prevent inadvertent data breaches, he said, “but if somebody wants to get in, they’ll get in. That’s what we have to worry about — how do we keep it from happening? I’m not a diplomat, and our documents don’t have trade secrets, but we do have information on people’s health.”
The hospital already has locked down everything it should, partly because the health care industry mandates it and partly because of Dwivedi’s “healthy paranoia,” he said. “We can make it really hard if it’s inadvertent, but everything comes down to policy,” including requiring people to take oaths not to leak sensitive or valuable information.
Yet corporate security policies and oaths can’t always control human behavior: physicians using a common-area fax machine, for example. For safer transfer of patient information, Mount Sinai is installing a secure link through a website that will replace fax transfers with encrypted PDFs. “The fax machine is not secure,” Dwivedi said. “We don’t even know who the fax is going to! As we implement new technology, we need to buy [more secure] products.”
Insisting upon secure PDFs instead of faxes is one way CIOs can update their corporate security policies.
But paramount is an overarching data management strategy, according to Gartner analyst Drue Reeves: Use document management to make sure you don’t have copies everywhere, and purge nonrelevant material. “Sometimes it’s okay to delete data,” he said. In fact, a lot of companies are forming internal groups to decide just what to chuck.
Other keys to corporate security policies: identity management (make people authenticate again and again), storage management and encryption, Reeves said.
And then, pray.
“Even if you do everything technically, if you have a determined hacker, you cannot stop them,” Reeves said. “Sooner or later, some company somewhere is going to be sued for negligence.”
As more corporate data resides on third-party infrastructures, that negligence could extend to cloud providers. They could be called on more often to adhere to the same security policies the corporations they serve have in place, according to experts.
With help from Reeves and others, I explored cloud liability in a series of articles on SearchCIO.com earlier this year. Perhaps it’s time for another take, as WikiLeaks “is yet another illustration of why organizations need to be focused on and cognizant of security risks,” said Tanya Forsheit, a founding partner of the Information Law Group, based in Los Angeles.
“This round was about diplomatic cables, but it could be the same thing in the corporate context, and we’ve seen suggestions in the media that that’s the next thing,” Forsheit said. “Regardless of whether it’s WikiLeaks or someone else, it’s a data breach.”