5 Pieces of DLP Advice You Can’t Afford to Ignore

Today’s business users are nothing if not productive, but too often they don’t think about whether they are working with confidential data or whether they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats by external attackers to the mix, plus malicious insiders who are intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.

CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline. Symantec recently published a research paper examining how DLP programs impact the effectiveness of security executives while also protecting corporate data. We surveyed more than 130 CISOs, VPs, directors and managers responsible for the evaluation, selection, deployment and governance of their organization’s DLP solution.

Enterprises Can Learn a Thing or Two about IP Theft from Department Stores

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.

There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?

The “Frenemy” Within – Insider Theft of Intellectual Property

fren·e·my [fren-uh-mee] noun. Someone who is both friend and enemy, a relationship that is both mutually beneficial or dependent while being competitive, fraught with risk.

When it comes to taking your intellectual property (IP), employees are the less obvious player but they can be frenemy #1. In many cases, these trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use at their next employer. It’s not that these employees are inherently malicious – often they just don’t know it is wrong to do so.

New Year, New Opportunity to Better Manage Risk

Every New Year brings new beginnings and the opportunity to start fresh. While most feel this on a personal level, it fits our work lives as well. Risk managers in an organization (a role normally taken by CISOs) will not only face the plethora of regulations they must follow, but also the effect of employees who bring their own devices into the workplace and utilize virtualized technology assets, big data and cloud computing. With ever-changing rules and technology, a typical CISO has their work cut out for them.

As we look forward into 2013, here are some of the risk management trends CISOs will face in the New Year:

  • A company will be breached despite passing compliance requirements. This will cause practitioners to focus their security programs on risk management rather than only compliance.

Prevent IP Theft with Effective Corporate Hygiene

As your dentist turns on his drill, have you ever thought that a little extra preparation – in the form of better brushing habits – could have saved you from this uncomfortable situation? Life is full of similar situations, when we experience consequences that may be avoidable by taking the right precautions. A major auto manufacturer suffered one of these unfortunate incidents recently, when they fired an IT employee who then turned around and stole sensitive intellectual property (IP) from the company. News surfaced last week that a disgruntled IT technician at an intelligence agency reportedly downloaded terabytes of data that he intended to sell. Fortunately, both organizations quickly spotted the IP thefts and have taken action against the alleged perpetrators.

Full Disk Encryption: Security on a Wild Ride

Suppose you were being seated in a roller coaster car. You pull down your lap bar, and the guy sitting next to you refuses, saying he will just hold on while the car twists and turns and flips upside-down, because he finds the restraints uncomfortable. This is obviously foolish; the safety measures are there for a reason, and anyone who doesn’t use them is just asking for trouble.

Business security today is much like our hypothetical roller coaster, with its ups and downs that require protection for our intellectual property and other assets. And one of the most fundamental – yet widely neglected – security measures is the use of full disk encryption (FDE). Let’s look at some of the fundamental questions surrounding FDE, and why you should take another look at it.

Why aren’t more businesses taking advantage of it?

USB Drives like Jelly Beans

If you have kids you know how much they like jelly beans. Other than their being candy, I believe the multitude of colors and flavors greatly adds to their attraction. So I found myself in a large retail chain the other day walking past the aisle with USB drives. The store had all kinds of USB drives in various colors, shapes and capacities, so I began thinking of jelly beans. We all know that if we do not pay attention and let our kids eat too many jelly beans they can become sick, and I believe we are well beyond that point with USB drives. For our enterprise organizations, eating USB drives is most likely not an issue, but the public consumption and ownership of multiple drives is an issue. I personally know that I have over eight lying around in my household alone. Now, I don’t believe the average consumer has that many; however, I would bet that most people own two or more.

Putting a Face on Intellectual Property Theft

In the constant war for information security between businesses and cybercriminals, we are so focused on the faceless, outside enemy that we often fail to recognize potential double agents within our own ranks. With so many resources devoted to preventing hackers and cybercriminals from getting past our external network defenses, it’s easy to neglect internally based intellectual property (IP) theft.

IP theft is staggeringly costly to the global economy: U.S. businesses alone are losing upwards of $250 billion every year. As it turns out, IP thieves are most often either current or former employees. We trust most of our employees to do the right thing, but the malicious actions of a single person can jeopardize the health of the business and jobs for everyone.

Don’t Look to Anti-Hacking Laws to Protect your Company from Malicious Insiders

In a recent court case, U.S. v. David Nosal, Judge Alex Kozinski ruled that the Computer Fraud and Abuse Act (CFAA), the nation’s anti-hacking law, applies to people accessing data by circumventing technological access barriers, but it does not extend to employees violating their employer’s restrictions on the use of that information. Under the new interpretation, an employee who has valid credentials to access company data and then misuses that data, however inappropriately, cannot be prosecuted under the CFAA. However, an employee who has valid credentials to access a company computer, but hacks into company data for which he does not have authorization, can be prosecuted under the CFAA.

The reason for the new interpretation, according to the ruling summary, was that using the CFAA to take action against employees that violate use restrictions could lead to prosecution of millions of Americans for largely harmless activities at work, like Gchatting, using Facebook or playing games.

RSAC Panel Insights: Can Data Breaches Be Stopped, Really?

Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – No.

The tongue-in-cheek response from James Christiansen, Evantix CEO and CISO, brought a room full of laughter when he said, “Yes, you just need to put the computer in a safe and bury it 30 feet underground.”

Jon Oltsik, an analyst at Enterprise Strategy Group, equated the situation to the war on drugs: “Border control may be able to capture some on the borders, but the problem continues to escalate and keeps getting bigger.” John Townsend, Manager of Information Protection and Security, DTE Energy, commented, “If we use the wall analogy, rather than having a brick fence what we now have is a chain link fence. While we have made some inroads, people are still not taking security seriously enough.”
