Cisco research reveals common data loss mistakes

Cisco_logo.gif Cisco have just released a study into the behavior of corporate employees and their attitudes to security. The study was designed to understand behavior rather than look at the use of technology. John N. Stewart, chief security officer of Cisco comments that,
"Security is ultimately rooted in users behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss ... Simply put, security practices can be more effective when all users realize what their actions result in."

The report highlighted 10 findings of note, I've highlighted two of these which relate to the sharing or use of confidential documents and emails.

Sharing corporate devices: In a sign that data isn't always in the hands of the right people, almost half of the employees surveyed (44 percent) share work devices with others, such as non-employees, without supervision.


Losing portable storage devices: Almost one in four (22 percent) employees carry corporate data on portable storage devices outside of the office. This is most prevalent in China (41 percent) and presents risks when devices are lost or stolen.

This highlights two obvious issues. Firstly that there are indeed security risks but also that people do want to legitimately share information with other people and people do carry corporate data outside the office and enterprise perimeters. What corporations need are security tools to ensure that employees can continue to share and use information but at the same time allow the corporation to retain control over the most sensitive data. This is where IRM is a good solution, it can help prevent unauthorized access to such data when shared or lost. So even if a corporate device is accessed by non-employees, any IRM protected documents would be inaccessible. Another finding which I found quite interesting:

Altering security settings on computers: One of five employees altered security settings on work devices to bypass IT policy so they could access unauthorized Web sites. This was most common in emerging economies like China and India. When asked why, more than half (52 percent) said they simply wanted to access the site; a third said, "it's no one's business" which sites they access.
John Stewart
"Today, data is in transit, in use, within programs, stored on devices, and in places beyond the traditional business environment, such as at home, on the road, in cafes, on airplanes and trains."
John N. Stewart, VP and Chief Security Officer, Cisco Systems, Inc.


We are very familiar with the problems of losing laptops, USB drives and sharing information across typical enterprise security boundaries, but as the item above highlights, users are often actively trying to circumvent security controls put in place on their desktops. John goes on to suggest some practices to reduce these risks of data loss.

  • Know your data; Manage it well: Know how/where it's stored, accessed, used.
  • Treat data as if it's your own - Protect it like it's your money: Educate employees how data protection equates to money earned and money lost.
  • Institutionalize standards for safe conduct: Determine global policy objectives and create localized education tailored to a country's culture and threat landscape.
  • Foster a culture of trust: "Employees need to feel comfortable reporting incidents so IT can resolve problems faster," Stewart said.
  • Establish security awareness, education and training: Think globally, but localize and tailor programs for regions based on threat landscape and culture.
Reasons for altering security settings

The overall message is about educating your users with good practices when handling important corporate data. There are many aspects of the Oracle IRM technology which make achieving some of the above recommendations possible.
  • End user training and education required to use Oracle IRM protected content is small, often end users are not aware they are using content that has been secured until they attempt to do something for which they do not have authorization, such as print the document or edit it.
  • IRM protected content is protected no matter where it is stored and accessed from. Each and every time content is used that activity is audited.
  • Confidential documents and emails can be automatically protected in line with your corporate classification policies by integrating IRM with your applications which create/store this data, e.g. financial reporting applications, content management repositories.
  • Using pre-sealed templates, new content is automatically secured and classified without having to place extra burden on the end user about how to correctly secure their content.


Deploying Oracle IRM effectively can address the concerns found in this report and actually requires little education with the majority of your employees. Ensuring that sensitive corporate data is protected at source as soon as possible also reduces the burden on the employee to constantly make decisions about handling corporate information correctly.

John goes on to say:

"Without modern-day security technologies, policies, awareness and education, information is more vulnerable. Today, data is in transit, in use, within programs, stored on devices, and in places beyond the traditional business environment, such as at home, on the road, in cafes, on airplanes and trains. This trend is here to stay. To protect your data effectively, we need to start understanding the risk characteristics of business and then base technology, policy, and awareness and education plans on those factors."


You couldn't have a more well put statement for a reason to use IRM to ensure that in the modern workplace, where your sensitive data is being used in and across a wide variety of environments, your corporate data is protected.


Post a Comment:
  • HTML Syntax: NOT allowed

Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.

11g quick guide


« July 2016