By Simon Thorpe on Sep 28, 2010
PwC has just released the findings of an information security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. The survey contains responses from more than 12,840 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security in 135 countries. Quite a wide audience. The report focuses on the business drivers for information security spending and reveals that in general spending on security has flat lined or at least dropped in the past 12 months. Mostly due to lack of funds after a wildly unpredictable economic financial climate. There were some elements of the report I found intriguing given my knowledge of IRM and the problems it solves.
While the impacts of the downturn linger, risks associated with weaker partners have increased
So whilst organizations are not spending money on security, they do recognize that the risks of sharing information externally with partners is increasing because... their partners are also not investing in adequate security. It is a very obvious point to make, everyone is not adequately investing in security and yet there is a growing trend to outsourcing where more and more of your information is shared beyond your existing security perimeter. There is now much higher risk when relying more on external partners for your business to be effective but its a necessary evil. What if that partner is your cloud storage provider and you are about to undertake a migration of your content into their platform? Will it be secure?
Visibility of security breaches/incidents is increasing, as are the costs
The report also finds a healthy increase in the knowledge of security incidents. I would guess this is primarily an impact of regulatory requirements forcing the issue. More and more companies have to report data loss incidents and therefore they are deploying technologies and processes to become more visible of the events.
Yet growing in the other direction is the cost awareness of data loss. In three years this number has doubled. So it's a simple summary. People know a lot more about the loss/breach of important information and it is costing them more. The graph below shows the significant increase in both the area of financial loss to the business as well as the loss of critical intellectual property. These results tally with the issues we've seen in the news over the past year. GM losing masses of hybrid research, Ford also losing lots of intellectual property. The health care industry is also reporting data loss incidents at an alarming rate.
Another main areas this risk is coming from is, and i'll quote the report "traced to employees and former employees, in line with the higher risks to security associated with salary freezes, job instability, layoffs and terminations and other HR challenges that rise during economic stress." The technology that is presenting the greatest risk is the social network. The channels of communication into and out of your business environment are increasing dramatically. No longer is it appropriate to monitor just email and the firewall. But you have to worry about USB devices, web based storage, social networks... and a lot of this activity happens outside the office whilst people are at home, in a hotel or on the move with their cell phones.
How does IRM help?
So where does a document security solution like IRM play into this? First let me summarize up what I think all the research is telling us...
Companies are more aware of security incidents and the threat is moving to the partners who are not spending enough to secure your information. The costs of losing information are increasing from both the impact to the business and the technology you need to buy to defend against the loss in the first place. More and more ways to lose information are now invading the enterprise and often they are beyond your control.
So consider the following advantages of a document security solution like Oracle IRM.
- IRM moves your perimeter of security to the information itself. Instead of buying and deploying DLP, hard disk encryption, encrypted USB devices, simply deploy IRM and no matter where your sensitive documents and emails end up, they are only accessible by authorized persons and encrypted no matter where they are stored.
- IRM can allow users to open, edit and review documents but prevent them from copying information from the document into an untrusted environment... Facebook, LinkedIn, unprotected Word and Excel documents. Of course it may not take much for a user to retype the information but one of the biggest issues around security is that of awareness. If a user can't easily copy information from a document, they know the information must be confidential.
- Every single time an IRM protected document is created, opened, printed or saved, it is audited. This dramatically increases the visibility of who is doing what with your information. Also when end users know that by opening IRM documents they are leaving a trail of access, it decreases the likelihood they are going to misuse that information.
- IRM is easy to deploy. The biggest advantage of IRM by far is that once a document has been secured, you have total control over who can open it. So the simplest deployment where you create one single classification for your entire business and secure all your confidential documents to it for use only by internal employees is quick and easy to do. Right now most organizations have millions, nay billions of documents floating around on partner file shares, employee laptops and the internet. IRM in one simple deployment brings a massive amount of value.
- IRM does not suddenly impact your business effectiveness. Core to its design is a usable and scalable rights and classification model that puts the decision making on user access into the business. Enormous effect has been invested in making the use of Oracle IRM protected documents simple and easy for authorized users.