Are We Desensitized to the Risks of Sending Sensitive Information?

31 May 2011

The article below is just one example of the security risks associated with sending sensitive information via email. In the past two weeks, I counted hundreds of articles on email security issues. One thing is clear: these are not isolated incidents. The fact that, at the click of a mouse, we can instantly transmit critical data has desensitized us to the security risks associated with sending sensitive information via email, webmail, and file transfer programs.

The Securities and Exchange Commission said 4,000 agency employees have been notified that their social security numbers and other payroll information were included in an unencrypted email, sent by a contractor at the department's National Business Center, which manages payroll, human resources and financial reporting for dozens of federal agencies.

The “ignorance is bliss” mentality has become rampant because most employees inherently assume the company has fully protected their system. Employees rarely consider the consequences when sending sensitive information both internally and externally.

In a recent survey of over 300 corporate email users, Intralinks found that 44 percent of respondents said they never think about the security issues when using outside websites to send large files.

Reputation Risk

For most employees, communicating daily with partners, customers, and vendors is a fundamental part of the job, and that means constantly sending sensitive information outside the firewall. How many times have you heard, “Don’t worry, they are under NDA”? And I think we all know what happens when an employee has trouble sending large documents to a customer or can’t access their email on the road or at home. I’m sure there isn’t one person reading this who hasn’t used their personal email account to send a “work” document for a host of good, rational business reasons.

The related costs add up as well. According to the 2010 Data Breach Report just issued by the Ponemon Institute, the cost of a data loss incident is now $7.2M (http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher).

Information is considered the lifeblood of your business. That same information in the wrong hands can cause grave damage to your business. What would happen if your customer list were left on a bus? How damaging would it be to your business if your 10-Q report was emailed to the wrong recipient before your earnings announcement? Would your big M&A deal close if details were made available prematurely?

Warren Buffett famously said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.”

Unfortunately, Mr. Buffett is wrong today: your reputation (and your business) can suffer costly, irreparable damage in an instant.

Regulate it!

While security is a concern, it’s not the only one. Compliance, privacy, and auditability have become new buzzwords. Most organizations are governed by some general privacy mandates such as the EU Data Protection, GLBA, SB-1386, MA CMR-17, or SEC Regulation S-P. In addition, every industry has specific regulatory requirements. If you are a public utility with critical infrastructure documents, NERC CIP governs information for homeland security concerns. If you are a manufacturer of equipment or munitions with military use, then it’s ITAR. In healthcare or pharma, where you handle protected health information, HIPAA compliance should be on your list of concerns.

The regulatory climate alone is enough to keep your CFO and CCO awake at night. These mandates all have teeth: Regulators are enforcing these laws, levying heavy fines and even criminal charges. And the last thing you want is to end up on the front page of The Wall Street Journal for compromising customer personal information.

To meet all these new regulations, companies need to have systems that provide easy tracking, monitoring, and auditing capabilities for the exchange of critical information. How do you know if your information was received or opened and read? How can you go back to look at the timing of when certain information was received and by what stakeholders? How can you make certain that the information can only be accessed by the people you sent it to? How does a company make sure they have access to that tracking information and knowledge after an employee leaves?

When it comes to exchanging information and sensitive data, both security and compliance are huge concerns for an organization and need to be addressed proactively.

So where do you start?

First, understand where the risk is concentrated. Start with your high-value information, and your high-value employees. What kinds of information do they handle all day? How do they share it? Chances are good your top employees are using email or any one of the myriad of collaboration and file sharing tools available on the web today. Why? They want to go faster. They want to be productive. They want to share information with customers and business partners.

But these tools are not all created equal. In fact, your best performers are putting information at risk every time they share information using a cheap or insecure collaboration tool. The five minutes you save by emailing a critical document could be the five minutes that ruins your reputation.

How do you mitigate risk?

Get ahead of it. Invest in a solution that is easy for your best performers to use: one as simple as email, with no administration or infrastructure investment. Look for a solution that never loses sight of your critical information, and never leaves it unencrypted and vulnerable. After all, visibility is key. You can’t control what you can’t see.

Empower your employees with a file sharing solution that helps them go faster, but gives you the ability to see where your files are going. Imagine being able to retrieve an email after it has been sent! That’s real risk management.

You’ve taken a long time to build your company’s reputation. Do things differently, and you can keep those five-minute actions from turning into a year-long public relations nightmare.
