No company is an island.

Today, even the smallest enterprise hands over back-office functions to outsiders, interacts with suppliers and clients through joint supply-chain management systems or uses software applications that live on the Internet.

As a consequence of this interconnected style of doing business, companies are at greater risk of having confidential information spill into the outside world, either accidentally or through some form of data theft. “We’re seeing a growing number of instances where contractor personnel are being bribed to steal” data from their clients, warns Jay Heiser, a research vice president with Gartner ^[1], the IT research and consulting firm, who recently wrote a report on data security.

It is possible for companies to simultaneously share data with business partners and safeguard it from falling into the wrong hands, according to Heiser and other security industry experts. To do it, they recommend that companies create a data-security policy, use software or hardware appropriate to a particular situation and require any outside party that’s privy to sensitive company information to sign a non-disclosure or other types of contracts.

Before a company so much as transfers a file, managers need a data-security plan to chart how they’ll handle sensitive information, security experts say. According to Javed Ikbal, principal with zSquad ^[2], a Boston IT security consulting firm, such a policy should include:

• What company information is confidential, how that material is labeled, where it’s stored and who has access to it
• What company information can be shared with which third parties and under what circumstances
• Familiarizing all employees with data security policies, through written materials, education sessions or both
• How data security policies will be monitored

In creating data security policies, companies have to weigh the cost of putting systems in place against the value of the data, Ikbal says. If something’s worth $10 “you don’t put a $10 lock on it, that doesn’t make sense,” he says, but if the price is information is high “you take reasonable measures” to keep it safe.

Controlling access to corporate documents

When a company sends a business partner an e-mail or file, it gives the partner implicit permission to copy, forward or otherwise use the information as the partner sees fit, even if the material was originally encrypted, according to Heiser, the Gartner analyst. While that’s acceptable in many circumstances, in others a company may want to share information but restrict what a partner can do with it. According to Heiser, there are several basic methods of doing this, or what security experts refer to as mandatory access controls. They are:

• Digital Rights Management — Standard encryption allows the recipient of an encrypted file to use the same key to unlock it over and over again. Digital right management from Microsoft ^[3] and other vendors is an extra-strength form of encryption that requires a recipient to request a new key each time they want to open the same file. Digital rights management is useful for companies that publish things like price lists that may need to be updated often, Heiser says.
• Secure ICA — This proprietary, heavy-duty encryption technology from Citrix ^[4]lets a company put a secure version of an application on the Web where a contractor, outsourcer or other business partner can access it remotely.
• Virtual machines — Secure virtual machine technology such as VMware ACE ^[5], Moka ^[6] or Sentillion’s vThere ^[7] allows a company to create a software-based virtual computer within a physical desktop machine or laptop. A company can load a virtual machine on a CD or memory stick and give it to a contractor or business partner so they can access applications or files they need but not to the company’s entire intranet or database, Heiser explains. “But if administration doesn’t want a contractor to copy information from that environment to their laptop they can’t,” he says.
• Web-based secure portals — Heiser recommends BoardVantage ^[8], a proprietary, Web-based, secure portal for companies that need to share highly sensitive or regulated information, such as quarterly financial reports, with an outside board of directors. Information and communications between users gets funneled through a secure “vault” on the Web so there’s no chance for sensitive data to get copied or leak out of an email, Heiser says.

Companies need to back up policies and technology with contracts that spell out the penalties a business partner would incur for breaching any part of the agreement. Contracts can’t physically prevent things from happening “but they provide the incentives for someone to do what you want them to,” Heiser says.