Big Brother is watching you

The enormous power that some data leakage solutions provide employers with should be used responsibly.

By  Sathya Ashok Published  June 18, 2008

Information has a way of leaking out of organisations when it should not. This has always been the case, but it has not always been a problem.

What has changed recently to make this a huge problem is that the data flowing out of an organisation can be put to malicious use by people who bear ill will towards that particular company. The loss of confidential enterprise data often causes irreparable damage to the firm's reputation, harms customer loyalty and even, in some cases, leads to an eventual closure of business.

It is a well-known fact that most of the data that moves outside the boundaries of an organisation does so in an inadvertent fashion. Some analysts state that around 75% of information loss in an enterprise can be traced to internal employees who had no malicious intent, and were not aware either that the data was confidential or that it could harm the company once outside the corporate network.

It is also a fact that most of this unintentional flow of data happens via common communication platforms - such as e-mail, instant messaging, social networking sites, or portable storage devices such as USB drives and CD-ROMs. (You can read all about the issue of data leakage, and how big a threat it is in the Middle East in the July issue of NME.)

This is why the slew of data leakage solutions that have been launched by security vendors within the last two years address, in one way or another, employee behaviour within an organisation. Some of the advanced packages enable administrators to attach tags to each piece of data in the corporate network, and also give them the power to monitor, and sometimes interfere, when an employee is found to be tampering with especially important information, or trying to copy or print the said information.

Some niche solutions in the market can trace what the employee is doing across instant messaging, survey the e-mails that go in or come out of the staff member's inbox, and even follow the employee's visits to social networking sites. A recent solution that was launched in the region even tracks the time spent on certain websites, time spent on internet chatting, and enables the master administrators of the system to track keystrokes when necessary.

News of this solution's launch and its capabilities created a minor furore in the ITP office. There is only a thin line that separates precautions taken against loss of confidential information and unethical surveillance practices. Some of us could not help wondering if that line had been crossed.

Solutions that tackle data leakage give enormous power to the IT administrator. The inbuilt capabilities of all these packages to monitor employee behaviour within an organisation place an inordinate amount of control in the hands of the person running the system, and that control can be easily abused.

Organisations that do feel the need to invest in any data leakage protection package have to understand that, at the end of the day, the person who runs the system is as human as the employees who are being tracked by it, and is as liable to use it for harm as anybody else in the organisation. They have to take adequate measures to address this loophole, by ensuring that the administrator is also monitored, as and when necessary, and enforcing a strict escalation process when anything amiss is suspected or detected.

Most industry experts, as well as the vendors who sell data leakage packages, also insist that enterprises should not consider these as single-point solutions. They have to work these packages into their security policy, and conduct intensive education programmes for their employees on data usage, and what is allowed or not allowed. More importantly, they should inform the employees of the purchase of any data leakage solution, the reasons for it and the solution's capabilities.

Data leakage solutions are being increasingly adopted by many enterprises across the Middle East. According to some, the market for the solutions is growing by as much as 40% annually in the region.

As the number of organisations investing in these solutions steadily increases, it becomes crucial that they approach and use these packages with caution. In the absence of a regulatory environment that lays down the rules for the use of such solutions, it is up to Middle East enterprises to understand that with power comes responsibility. It is also up to them to ensure that the solutions are used ethically and with the utmost respect for the employees who toil for the company day in, and day out.

3834 days ago
Andreas Schuster

In my opinion an employee should do responsible work when he is in the office. So personal surveillance only uncovers his personal interests beside his company interests. I would feel much better when my personal data e.g. on banks, insurances, hospitals or even at the municipality is not publicly available to everyone working in that institution. Furthermore, why should my personal or company data be able to leave the network by email, on a memory-stick or hard disk? Big brother should keep an eye on my personal data. I have read so many cases where internals got public.
