Critical data loss from within spawns new market

A shift in information security practices — companies are moving from firewalls that keep external intruders out to systems that keep proprietary data in — has created a small but growing market for federal agencies and information technology providers.

IDC, a market research firm, calls this market segment “outbound content compliance” and predicts sales will grow from $50 million this year to almost $2 billion by 2009.

Doug Jacobson, associate professor of electrical and computer engineering at Iowa State University and director of the school’s Information Assurance Center in Ames, said thieves can profit from attempts to illegally collect proprietary and personal data.

“What we’re seeing now that we didn’t see five years ago is that information like that can be turned into money,” Jacobson said.

Companies used to think that if they bought better firewalls, their data would be more secure, he said. “That is what we’ve been doing for the last several thousand years as a society,” he said. “We build walls and we hide inside and we keep other people out.”

But technology now facilitates an easy flow of information, especially outward. In addition to keeping hackers out, security technology needs to prevent insiders from exporting inappropriate data.

Nevertheless, he said, the outbound content compliance market contains fewer than 10 vendors. Jacobson said that from February 2005 to November 2005, organizations reported more than 51 million cases of lost personal information via stolen laptop PCs and other hardware, network breaches, or accidental disclosure.

“The whole public awareness of this data leakage problem has resurfaced,” he said, and not only because of the recent theft of a Department of Veterans Affairs laptop that contained personal data on more than 26 million veterans and their families.

In less well-known incidents, he said, sometimes 10,000 files are lost or stolen. “That’s not 26 million, but if you’re one of the 10,000, it’s a big problem.”

In a recent study by Deloitte Touche Tohmatsu, more than half the technology companies surveyed said they had had security breaches in the past 12 months, and most of them admitted they had not taken aggressive action to prevent future incidents.

“Addressing the insider threat is becoming more complex,” said Brian Burke, manager of IDC’s security products and services research. In the past, outbound content was mostly in the form of e-mail messages. Now many employees to carry sensitive information on mobile devices.

Proofpoint, a three-year-old messaging security company in Cupertino, Calif., found that almost 35 percent of the companies it queried said their business had been adversely affected by the exposure of sensitive or embarrassing information in the past year.

Keith Crosley, director of market development at Proofpoint, estimated that about one-third of the company’s business now involves internal content security. In its own survey, Proofpoint found concern for protecting identity and financial privacy rose from 64.3 percent in 2004 to 71.1 percent in 2006.

“Leak prevention isn’t just about e-mail,” he said. Companies and government agencies are interested in preventing data losses via FTP, instant messaging, and blog and message board posts, he added.

Until recently, health care and financial services were most active in the market. But in the past year, Crosley said, companies are looking to protect customer and client information from a best practices perspective. “The regulatory issues are secondary,” he said.

Proofpoint’s clients include defense contractors and government agencies such as the U.S. Agency for International Development. He said new business is coming from state and local governments as chief information officers start to focus on ways to standardize outbound content compliance solutions.