
Jeremy D. Wunsch, John L. Nicholson and Jeffrey A. Carr

Right now, employees and contractors are accessing and disseminating confidential corporate information in ways that may be harmful to their employers. Some employees are acting intentionally or even maliciously; others are compromising proprietary and confidential information inadvertently and ignorantly. In either case, the consequences to employers can be catastrophic.

Everyone has heard about companies getting burned from leaks of sensitive data. Wal-Mart, TJX and the U.S. Department of Veterans Affairs are just a few of the recently publicized victims of information security breaches that are costing billions of dollars in legal and recovery fees. While many cases involve deliberate acts of theft by insiders, there are plenty of examples where insiders unknowingly expose confidential data that malicious third parties then exploit. Some of the most insidious sources of inadvertent data loss are peer-to-peer (P2P) file-sharing programs, which are rising to the top of the threat list for network security professionals.

In the past, file-sharing risks were primarily assessed in the context of copyright infringement, illicit (or unacceptable) content, or even bandwidth escalation. Until recently, there has been a general complacency within the enterprise about P2P risks to information security. The competitive and financial costs related to information loss simply weren't considered in the context of P2P, and security resources were allocated toward other, more obvious vulnerabilities. The fact is that P2P protocols are becoming more prevalent, sophisticated and intricate than email or HTTP, resulting in greater risks for business. Even lawmakers in Washington are looking at this more closely after a July hearing indicated that the threat of P2P is greater than originally thought, according to court documents. The hearing was prompted by a report from the Patent and Trademark Office that said "several distributors of popular P2P networks have 'repeatedly deployed features' that trick users into sharing some of their files."

According to Insight Research's study, "Peer to Peer & File-Sharing Services Market 2007-2011," P2P networks and file-sharing services could generate up to $28 billion in revenue for carriers and ISPs over the next five years, and it is estimated that more than 50 percent of all current Internet traffic is P2P traffic. From a security perspective, many P2P protocols are being modified to specifically evade existing security tools such as Web filters, IDS/IPS and firewall rules. While some of these design choices are made based on good intentions, such as enabling communications in countries that limit freedom of speech or access to information, the reality is that these well-intentioned changes are helping users with more nefarious purposes in mind.

Recent Incidents Highlight Urgency in Addressing the P2P Threat

Incidents at companies like Pfizer and ABN Amro are expanding how we perceive P2P risks, especially as they pertain to data loss. Recently, a Pfizer employee who installed an unauthorized P2P program on a company laptop exposed Social Security numbers and personal data belonging to an estimated 17,000 current and former Pfizer employees. Additionally, ABN Amro recently learned that data for 5,000 of its customers was found on the BearShare P2P network and the original files containing this sensitive information were traced to the home computer of an ABN Amro employee.

According to a Dartmouth study released earlier this year, an estimated 10 million users share music, videos, software and photos over P2P networks, up from 4 million in 2003. The study noted that efforts to limit P2P use have only prompted program developers to create decentralized, encrypted, anonymous networks that can easily poke through both corporate and residential firewalls. Some of this development is done with good intentions, but these changes can lead to problems for those who have a legitimate need to limit the access of P2P systems to corporate networks.

The good news is that business owners can significantly decrease the potential for corporate data loss from P2P networks via proactive prevention and protection with what is often referred to as "internal threat management." Effective internal threat management procedures not only help prevent these information leaks from happening, they also protect confidential and valuable information from exposure to unauthorized parties. By taking just a few simple steps, organizations can decrease risks and potentially save untold costs in time, resources, money and reputation.

The Keys to Effective Internal Threat Management

First and foremost, identify the information of greatest concern and where that sensitive data resides on the network. This analysis should include Social Security numbers, credit card numbers, driver's license numbers, trade secrets, merger/acquisition information, customer information, financial information and the like. This is not just a job for the IT department; other company stakeholders, like the human resources, legal and finance departments, should be included in the discussion of what information is valuable, and all departments should be involved in identifying where it is stored.
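As an added illustration of this first step (not from the article or its authors), the following Python scan looks for two of the data classes named above, Social Security numbers and payment card numbers, across a constructed set of sample files and reports which files hold which class, with values masked. The file paths and contents are made up; a Luhn check and minimum length keep ticket and build numbers from being reported as card numbers.

```python
from __future__ import annotations
import re
from collections import Counter

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the findings report is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (data_class, masked_value) pairs found in one document."""
    hits = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card", mask(digits)))
    return hits

def scan_files(files: dict[str, str]) -> dict[str, Counter]:
    """Inventory: which files hold which classes of sensitive data, and how many instances."""
    report = {}
    for path, text in files.items():
        hits = find_sensitive(text)
        if hits:
            report[path] = Counter(kind for kind, _ in hits)
    return report

# Constructed sample documents standing in for a file share; all values are test data.
# 987-65-4321 has an invalid area number and 4111-...-1112 fails Luhn, so neither is reported.
SAMPLE_FILES = {
    "hr/payroll_export.csv": "name,ssn\nJane Roe,123-45-6789\nJohn Doe,987-65-4321\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved.\n"
                           "Card 4111-1111-1111-1112 declined.\n",
    "docs/release_notes.txt": "Build 2007-11-02 shipped; ticket 123456789 closed.\n",
}

if __name__ == "__main__":
    for path, counts in scan_files(SAMPLE_FILES).items():
        print(path, dict(counts))
```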

Many companies believe the most reliable methods for protection against internal threats are firewalls and anti-virus software. However, given the constant evolution of the P2P threat, such technical precautions can only do so much in the absence of appropriate policies and procedures. Consider Gartner Group's projection that "through 2010 we expect 80-90 percent of sensitive information leaks to be unintentional, accidental, or the result of poor business processes." This statistic is supported by the Pfizer and ABN Amro examples, where both individuals responsible for spilling the data were unaware of the leaks.

Companies should consider hiring an outside firm to conduct an internal threat assessment of the network and associated policies to identify vulnerabilities and establish benchmarks for compliance. It is essential to educate employees about company policies, including the reasons why such policies are in place, and consistently enforce them (that includes executives and IT). People are more likely to comply with policies when they understand the purpose behind them and perceive their enforcement as fair and even-handed.

Compliance with and enforcement of policies are also important when a company ends up in court following a data breach. If a company can show that it had reasonable policies and procedures that were consistently monitored and enforced, that could go a long way toward reducing any fines or penalties imposed on the company.

Acknowledging the risk for data leaks from P2P file-sharing is an important step in protecting the enterprise. With escalating incidents, companies would be wise to immediately undertake a strategy to protect against this well-established threat.

Jeremy D. Wunsch is the Founder, CEO and director of data forensics for LuciData Inc. With more than a decade of internal threat management and e-discovery experience, he is a leading authority in the development of internal threat management and data forensic solutions for companies and their legal counsel. He can be reached at +612.604.0848 or at jwunsch@lucidatainc.com.

John L. Nicholson is a Senior Associate in Pillsbury Winthrop Shaw Pittman LLP's Global Sourcing Group. A frequent speaker on privacy, security and outsourcing, his practice includes structuring and negotiating complex IT and business process outsourcing agreements. He can be reached at +202.663.8269 or at john.nicholson@pillsburylaw.com.

Jeffrey A. Carr is the Chief Operations Officer for Red Lambda, a technology leader in distributed network security. He has more than 20 years of successful experience in technology sales, business development and start-up executive management within the security marketplace. He can be reached at +303.717.2091 or at jcarr@redlambda.com.
