Companies rush to plug 'data leaks'

The threat entails employees leaking sensitive data about customers, finances or intellectual property in violation of security policies and regulatory requirements. Sometimes it's by mistake and sometimes the employee is looking to make a financial gain.

To combat data leakage, a growing number of vendors are pitching products designed to monitor sensitive information and block outgoing e-mails or instant messages containing it. This week alone, newcomer Fidelis Security Systems will debut, veteran player Vidius will change its name and launch a product, and Tablus will reveal plans to deliver a product that combines network- and desktop-based monitoring.

Data-leakage prevention products typically work by being allowed access to databases to keep track of what an organization considers sensitive data and compare it with what goes out. But questions of false positives, missed leaks and its expense - $100,000 is not an unusual price - have kept leakage detection in a niche reserved for a limited group of companies and government agencies.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The threat entails employees leaking sensitive data about customers, finances or intellectual property in violation of security policies and regulatory requirements. Sometimes it's by mistake and sometimes the employee is looking to make a financial gain.

To combat data leakage, a growing number of vendors are pitching products designed to monitor sensitive information and block outgoing e-mails or instant messages containing it. This week alone, newcomer Fidelis Security Systems will debut, veteran player Vidius will change its name and launch a product, and Tablus will reveal plans to deliver a product that combines network- and desktop-based monitoring.

Data-leakage prevention products typically work by being allowed access to databases to keep track of what an organization considers sensitive data and compare it with what goes out. But questions of false positives, missed leaks and its expense - $100,000 is not an unusual price - have kept leakage detection in a niche reserved for a limited group of companies and government agencies.

Inside jobs

"It does stop e-mail with sensitive data," says Janet Behnke, IT manager at First Financial Credit Union in Los Angeles, which uses a gateway from Vidius (now called PortAuthority Technologies) at its Internet access point. The product is used to watch for sensitive information, including customer account numbers, balances and ATM card numbers.

Most credit union employees whose e-mail is blocked by PortAuthority - the average is 20 to 25 unauthorized e-mails per day - are sending out sensitive data by mistake, Behnke says. But there have been instances where the bank caught employees forwarding customer information to brokers in order to make money.

"They did it because they were trying to get commissions," Behnke says, adding that these employees were terminated. PortAuthority "saved us from a lot of exposure," she says.

This insider-theft problem is similar to that facing Bank of America and Wachovia, which in late May acknowledged massive data leaks involving stolen account data on tens of thousands of customers sold by bank employees.

Bank of America, which says it has deployed the Vontu information-leakage product, declined to say where the content monitoring helped in uncovering the problem, which involved use of e-mail as well as simply printing out customer information.

A Bank of America spokeswoman says the bank couldn't discuss the forensics while the investigation, which includes the Department of the Treasury as well as the Hackensack, N.J., police, continues.

While corporate users of information-leakage detection products say the offerings are effective in general, they acknowledge that the products aren't perfect.

PortAuthority registers false positives every day, Behnke says. "It's pretty low, maybe 1%, but it happens," she adds.

"We do get false alerts often," says Jeff Karafa, CFO and head of operations at the Community Bank of Dearborn, Mich., which has deployed leakage-prevention products from another vendor, Reconnex. Nevertheless, the Reconnex iGuard monitoring and blocking product has proven its worth since being installed in February, he says.