
Joe Fantuzzi, CEO and President of Workshare

Organizations invest huge resources developing security policies and procuring protective technologies that point outwards at hackers, spyware and viruses. However, organizations are beginning to realize that there is another aspect to data security - the inside-out leakage of information. Not only do organizations need to worry about the release of valuable intellectual property, but they also face increased regulation and oversight on issues ranging from consumer privacy to financial disclosure. Companies are juggling all of this in an atmosphere of government and consumer mistrust of business.

Information is Leaking
Information security is a growing problem in organizations of all sizes. Documents that include private customer data and other confidential or otherwise sensitive information are leaving U.S. organizations at an alarming pace through email and other channels such as BlackBerrys and USB drives.

Recent research sponsored by Workshare and conducted by The Insight Advantage found that the majority of corporations and government agencies in North America have no idea how much sensitive data is leaking out of their organizations. The study's objective was to gather insight from executives responsible for IT security, risk, privacy, compliance and in-house counsel at U.S.-based organizations with at least 1,000 employees, regarding the challenges they face in protecting organizational information that is considered confidential, financial or private customer data.

Quick Fixes Don't Alleviate the Problem

Executives who participated in the study represented a broad spectrum of industries, including financial services, government, manufacturing, technology, insurance and healthcare. Results gathered from the 359 executives who participated in the study showed an overwhelming awareness of information security enforcement challenges and the fact that attempts to solve them through point solutions like PDF conversion, encryption and other inadequate technologies are simply not effective. Executives are most concerned about customer data leaking and the subsequent impact, especially negative perception of the organization's brand and loss of customers. Alarmingly, the current solutions used, regardless of industry, fail to solve the problem of information leaking or alleviate executive concerns.

Awareness Only Part of the Cure
The study shows that the level of awareness about the risks and cost of information leaks is high. However, the study also confirms that the recent rash of publicized information leaks is only the tip of the iceberg; information is leaking out of organizations in large volumes. Executives are running on blind faith that the incomplete solutions they have deployed are enough - despite their concern over and the existence of information leaks via electronic channels. This survey serves as a wake-up call to develop and implement a comprehensive data leak prevention assessment and risk mitigation plan.

Threat is Huge
The scope of this "inside-out" information security threat is staggering. According to recent data, the 200 million business users of Microsoft® Office® send more than 100 million documents over email daily. This amounts to more than 125 documents per employee per year. And this number only counts information shared over email, not the other electronic channels through which documents leave. The threat poses serious risks that have the capacity to cost companies huge sums in lawsuits, regulatory penalties, lost business, intellectual property infringement and unquantifiable damage to the most valuable of assets - reputation. Therefore, the key challenge for in-house counsel and privacy executives is to understand and manage this risk without disrupting the critical flow of information on which the business depends.

Cure the Problem - 5 CRITICAL STEPS

In today's global business environment, information security is an ongoing challenge that requires action, measurement and periodic re-evaluation. Only through commitment and focus can organizations hope to manage the risk associated with business documents and other content leaving the organization.

4 Types of Information Leaks

  • Visible information contained in documents and messages
  • Hidden information in documents and messages
  • Entire documents that must be restricted
  • Format transformation artifacts

Examples of all these types of information leaks are abundant in the media, and have resulted in international political crisis, regulatory penalties, shareholder lawsuits, lost business and damage to reputation.

Managing the risks associated with the exchange of information requires a combination of policy and enforcement. Workshare has developed a systematic approach, based on best practices, to help organizations through the process of developing policy and implementing enforcement. The methodology involves 5 steps as follows:

STEP 1: EDUCATION: In order to accurately assess their exposure, organizations must first understand the types of risk associated with the exchange of business information. Workshare has identified three critical areas of risk: security, compliance and accuracy. Security is defined as the risk that inappropriate information accidentally or maliciously leaves the organization. Compliance is defined as the risk that information exchange policies are not adequately defined, controlled and/or auditable. Accuracy is defined as the risk that documents and other information leave the organization containing incorrect information.

STEP 2: RISK ASSESSMENT: In the second step, organizations evaluate the level of risk associated with key business processes by conducting an assessment. The assessment evaluates the risks as defined in Step 1, the existing policies and processes used to manage those risks - or the lack thereof - and user awareness of the risks described.

STEP 3: POLICY DEVELOPMENT: In Step 3, organizations develop ways to classify risk and appropriate mitigation strategies and policies. Many organizations have developed and implemented information risk classifications. Typically, they are structured as follows:

Highly Confidential:
Information in which unauthorized disclosure will cause a company severe financial, legal or reputation damage. Examples include financial transactions, customer contracts, business and negotiation strategies, consumer privacy information and intellectual property such as trade secrets.

Information in which unauthorized disclosure exposes an organization to financial, legal or reputation risk. Examples include employee personnel and payroll files and intellectual property such as customer and distributor lists.

Internal Use Only:
Information that, because of its personal, technical, or business sensitivity is restricted for use within the company and its close advisors.

Information that in general can be shared, but must still be monitored and managed to mitigate information security risk.

STEP 4: IMPLEMENTATION: Step 4 calls for implementing the education, systems, technologies and process changes necessary to enforce the policies defined in Step 3. Compliance officers and security or legal teams must now find ways to ensure that policy is enforced. This involves implementing a number of changes across the organization:

  • Educational Changes
  • Process Changes
  • Technical Changes

STEP 5: COMPLIANCE AUDITING: Step 5 requires that organizations commit to ongoing and regular auditing of compliance levels and gaps between actual and targeted results.

Organizations must put in place mechanisms to monitor and audit the enforcement, appropriateness and effectiveness of their information security safeguards. The organization should conduct regular audits of compliance levels across the three critical areas of risk: security, accuracy and compliance. This could involve reviewing "sample" sets of documents or emails selected at random, or more empirical analysis that tracks how many Microsoft Office documents left the company perimeter over a given period containing hidden data or a visible content violation.
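As an added illustration of the empirical audit described above (not code from the article or from Workshare), the following Python script tallies how many Office documents in a sample set still carry hidden data. It assumes the .docx format (an OOXML zip) and checks for three hidden-data categories: unaccepted tracked changes, reviewer comments and author metadata; the sample documents are constructed in memory, and the pattern checks are deliberately lightweight.

```python
import io
import re
import zipfile
from collections import Counter

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def build_sample_docx(tracked=True, comment=True, author="jdoe"):
    """Constructed sample: a minimal .docx (an OOXML zip), not a real file from the page."""
    body = "<w:p><w:r><w:t>Final draft.</w:t></w:r></w:p>"
    if tracked:  # a deleted run that Word keeps until the change is accepted
        body += f'<w:del w:author="{author}"><w:r><w:delText>old price</w:delText></w:r></w:del>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>')
        if comment:
            z.writestr("word/comments.xml",
                       f'<w:comments xmlns:w="{W_NS}"><w:comment w:author="{author}">'
                       '<w:p><w:r><w:t>do not send</w:t></w:r></w:p></w:comment></w:comments>')
        z.writestr("docProps/core.xml",
                   f"<cp:coreProperties><dc:creator>{author}</dc:creator>"
                   f"<cp:lastModifiedBy>{author}</cp:lastModifiedBy></cp:coreProperties>")
    return buf.getvalue()

def hidden_data_findings(docx_bytes):
    """Return the hidden-data categories present in one .docx.
    Lightweight pattern checks; a production scanner would parse each XML part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        read = lambda n: z.read(n).decode("utf-8", "replace") if n in names else ""
        if re.search(r"<w:(ins|del)\b", read("word/document.xml")):
            findings.append("tracked_changes")        # unaccepted revisions
        if "word/comments.xml" in names:
            findings.append("comments")               # reviewer comments part present
        if re.search(r"<(dc:creator|cp:lastModifiedBy)>[^<]+<", read("docProps/core.xml")):
            findings.append("author_metadata")        # author / last editor names
    return findings

def audit(docs):
    """Tally, over a sample set of outbound documents, how many carried hidden data."""
    by_category, flagged = Counter(), 0
    for data in docs:
        found = hidden_data_findings(data)
        flagged += bool(found)
        by_category.update(found)
    return {"documents": len(docs), "with_hidden_data": flagged,
            "by_category": dict(by_category)}
```

Run `audit([...])` over a batch of .docx files captured at the email gateway to get the per-period counts the audit step calls for; the per-category breakdown shows which hidden-data type the user education in Step 4 should target.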


The 5-step approach is not intended to be a comprehensive answer to information security concerns, but rather a series of best practices, highlighting the key areas to consider: understanding the areas of information security vulnerability, assessing the scope of the risk within the organization, developing risk mitigation policies and implementing them, and finally, carrying out regular audits to ensure policy compliance.

Information security is an ongoing issue that requires action, measurement and periodic re-evaluation. Only through commitment and vigilance can organizations manage the risk associated with business information and adopt effective measures to keep the regulators away while the customers stay - knowing that they are doing business with an organization they can trust and rely on to safeguard their information.

Joe Fantuzzi is CEO and President of Workshare. He is an expert at creating well-timed, high-growth businesses in broad markets. Bringing more than 20 years' experience to Workshare, Fantuzzi helped create $3 bn in market valuation as an executive for industry leaders in document creation (Interleaf), multimedia (Macromedia), 3D graphics (Autodesk) and online CRM (Kana). Before Workshare, Joe was CEO at Liquid Engines, creating the first strategic tax management application for global enterprises and attracting the Carlyle Group as its lead investor. Prior to this, Fantuzzi was co-founder and CEO at NetDialog, a venture-backed firm sold in 1999 to Kana (US $100m). He also served as General Manager at Autodesk Discreet, growing the company's market share from 20 percent to 65 percent. Fantuzzi was Worldwide Marketing VP at Macromedia from private firm through to its public offering, and International Sales and Marketing Director at Interleaf from private firm through to its public offering.

Data On the Data Leaks

  • 94 percent of respondents reported having no visibility into how many email messages containing confidential or private information were leaving their organization each month or believed that some leaks were occurring.
  • Only 6 percent reported no information leaks.
  • 80 percent of participants reported having information leaks - through email or other electronic channels such as BlackBerrys or HTTP postings - or admitted to no visibility into leaks that occurred within their organization last year. Of those, 17 percent were afraid to know how many leaks they had.
  • More than 70 percent now believe PDF does not secure information, a growing trend from a recent rash of publicized information leaks in PDF documents. Alarmingly, 46 percent are still relying on PDF file conversion to enforce their information security policies.
  • 68 percent stated personally identifiable customer data poses the greatest information risk and 56 percent said a leak of this type would result in their company losing customers.
  • 57 percent do not have a specific method for enforcing data privacy and document security policies.
  • While 100 percent of respondents consider it important to protect information within their organizations, 80 percent consider it "extremely important."

Source: Workshare, The Insight Advantage

