Technological and Information Governance Approaches to Data Loss and Leakage Mitigation

Abstract

While foreign national cyber-attacks tend to garner headlines, organizations should also consider “Data Leakage” incidents caused or perpetrated by insiders, whether intentional or otherwise. But addressing Data Leakage is especially tricky because of two integral aspects that require a nuanced approach to finding a solution: (1) Data Leakage is a problem that often affects organizations within their firewalls. Data Leakage therefore presents a conundrum where employees are both the potential creators as well as the potential solution(s) to an insider threat. Solutions to this conundrum present a challenge where strictly adhering only to an existing policy diminishes an organization’s otherwise beneficial ability to react to rapidly changing environments. But organizations are not naturally policy-driven, as the vast majority of employees—and data transfers—are not puppets of an omniscient author. So, while a perfect policy with perfect application (by perfectly informed employees) would be the best solution, that panacea simply doesn’t exist. (2) While Data Leakage can be malicious in nature, malicious intent need not exist. Most employees and data transfers are not solely policy driven (and therefore cannot be treated as such in service of their jobs). Instead, many—if not most—potential Data Leaks will be perpetrated by people accidentally or guided by malicious direction or incompetence. Considering the duality of roles employees play in Data Leakage and that the hazardous outcomes are often accidental, we conclude that strict policy adherence is neither feasible nor available. Instead, a partially directed, partially improvisational approach is an appropriate means by which an organization can consider and address Data Leakage issues associated with Insider Threats.