Proactively Keeping Non-Public Information Out of the Public Realm

By Michael Marchi

By now, it should not surprise you that sensitive and confidential data is on your network. Corporate strategy and intellectual property, staff working and personnel files, customer and partner account requirements, client identification numbers and histories, even competitor documents: you name it, it is out there somewhere, on your network.

The Elusive Data-at-Rest

While all critical data must be sheltered, the real information security challenge centers on that truly elusive data set: the unstructured portion of the data pool (the millions of files scattered across your network storage devices, servers, laptops, and desktops), into which organizations have little visibility. These files (PDF, PST, Excel, Word, etc.) often encompass 70 to 80 percent, on average, of an organization's data pool and almost always represent multiple terabytes, even petabytes, in volume. This information is often described as "data-at-rest" (as opposed to "data-in-motion") because it sits on disk drives, waiting to be accessed by the right (or wrong) person.

In its March 2006 report, "Protecting Confidential Data," the Enterprise Strategy Group estimated 95 percent of unstructured data types are confidential in nature. Even a slightly smaller percentage remains startling. Under most traditional scenarios, however, this data, contained in documents, emails, spreadsheets and the like, is accessible yet especially difficult to identify, track, and, therefore, protect.

Even the most stringent intent to protect and the most calculated data storage policy can be undermined, and can deteriorate over time, by the sheer nature of the data and its use, which stem from the classic necessities of doing business. Operational realities (the need to consider, copy, manipulate, share, update, and review information, as well as the likelihood of dispersed storage and multiple, often disk-drive-based, copies) put chinks in the armor of traditional best-practice data security measures.

The bottom line is, despite best efforts, for the largest slice of the data pie, most organizations do not know all of the places where sensitive and confidential data resides, let alone have the chance to incorporate it into reliable information security practices. When it comes to information security, unstructured data typically has the least visibility and, therefore, generally the lowest level of protection.

Hey, Breach Happens

Left unattended, whether the organization is aware of it or not, the large majority of entities experience a data-at-rest security breach. End of story. Breaches happen. Without a targeted, all-encompassing, automated, proactive solution (a dependable method of finding and protecting unstructured data regardless of location), an information security breach is a given for this data class.

The most common concerns are exposing non-public information and the possibility of data being corrupted or lost forever, whether due to unintentional error or outright theft. Equally concerning is the possibility that inappropriate materials reside on the network. Whether it is a client's credit card number, new product design specifications, or an inappropriate employee download, largely unidentified and unsecured, every organization in practically any industry faces increasing risk and liability because someone who should not have access to information might gain access.

Each day brings news of serious violations. Behind the scenes, real-world examples of potential breaches discovered before they could occur include an audit at an accounts receivable company, which exercised legislative compliance and demonstrated its ability to protect client data to its auditors. The discovery revealed approximately 4,000 violations in 400,000 files searched. In another real-world case, a payroll processing company discovered the social security number of its own CEO was out on the corporate network.

The Law Is Not on Your Side

Because risk is assumed, in order to defend those affected by a security breach and to push organizations toward better solutions, a growing list of regulations (primarily federal, but also global and state-level) is emerging to address the common failure points and the possible negative consequences. All corporations have heard of the Sarbanes-Oxley Act, SEC 17a-4, and the Statement on Auditing Standards. Customer-focused organizations know about Gramm-Leach-Bliley. Those in healthcare adhere to HIPAA. The financial services sector deals with the Payment Card Industry Data Security Standard.

And, in one of the very newest regulatory developments, on May 3, 2007, lawmakers in the nation's capital took the first step in passing the overarching Personal Data Privacy & Security Act and the Notification of Risk to Personal Data Act (which were passed by Senate committee and introduced into the full Senate). Meant to be a double-fisted punch in the fight against identity theft, the laws specify directives and increase liability associated with breaches to the protection of individually identifying data. Both the party failing to protect and any party or parties benefiting from that failure can be prosecuted.

So, while certain industries are subject to very particular laws, and personal data is to be protected with the utmost care, all organizations must take and demonstrate effort to prevent a data-at-rest information security breach. No matter what type of business or industry, data that is meant to be maintained as private cannot go public due to an obvious neglect. A savvy organization will act fast to protect (or eliminate, should it wish) sensitive, unstructured data on the network.

A Breach Will Cost You

While published estimates of the actual cost of a single data breach (inclusive of direct and indirect costs) vary from hundreds of thousands to millions per breach, one thing is clear: a breach will cost you. If business-critical information falls into the wrong hands, civil fines, criminal penalties, restitution expenses, as well as fees associated with rectification steps can ensue. And, should the breach be severe, or, perhaps go uncorrected for long enough, the implications are much worse. A systemic breach problem may cost your business.

Per incident, a few expected costs may include legal and public relations fees as well as costs associated with changes in auditing processes, security procedures, or customer notifications. While immediate order cancellations can be tracked, lost opportunity costs, which will vary by industry and circumstance based on how easily customers can switch suppliers, are the biggest unknown. Even the mere mention that a breach may have occurred can cause long-term organizational credibility and valuation to plummet.

Those trying to develop a methodology for calculating organization-specific costs can follow industry analyst group guidelines, including some suggestions put forth in the April 10, 2007 Forrester Research piece, "Calculating the Cost of a Security Breach." Forrester advocates calculating a per-record cost to get at breach financial risk. On average, the group estimates that per-record costs can range from $90 to $305. Because a breach can involve tens of thousands of records, again, we are likely talking millions, perhaps billions, in cost, not much in comparison to what an effective solution costs.

Take Proactive Action

Without question, unstructured data security best practices incorporate detailed assessment services aimed at determining the level of threat and the actions to take. The newest federally proposed personal data protection legislation actually requires a risk assessment to identify reasonably foreseeable vulnerabilities. Being proactive in complying with regulatory requirements, as well as avoiding business bottom-line perils, means any actionable assessment must include the following:

  • Definition of what is at risk (by file type, search term, location area)
  • Identification of all non-public data
  • Calculation of risk exposure as well as estimate of data disclosure or loss
  • Labeling of approved storage available for indexing, archival
  • Establishment of policies, procedures, practices, and continuous solution plan
  • Presentation of analysis and findings

With an assessment in hand, and to keep data protection up to date, implementation of any solution plan must include determining how to safely automate

  • Identification processes,
  • Migration processes,
  • Encryption methods, and
  • Access permissions.

Without technology-based automation, organizations leave room for manual inaccuracy. As such, even the most comprehensive assessment can fail to equip a company.

The Pivotal Role of Technology

While enterprise content management (ECM) solutions do something to assist in the unstructured data identification process, ECM carries an organization only part-way to where it needs to go. On average, an organization may have only 5 to 10 percent of its files in an ECM repository, leaving the large majority of files, and any associated sensitive and confidential information, unidentified and, thus, open to security breach. Tested technologies, from dependable companies with top-tier solution partners, are on the market today to automate and fully carry out the task of attending to all files scattered across enterprise networks and not residing in an ECM repository.

The right technology solution also will

  • Increase visibility and understanding of files on corporate networks,
  • Reduce discovery times,
  • Reduce unnecessary stores (duplicate/outdated copies, inappropriate downloads),
  • Limit sensitive and confidential data proliferation on a regular, scheduled basis, and
  • Deliver reports for auditing purposes.

The best technology

  • Addresses a comprehensive list of data types,
  • Performs irrespective of physical location and among distributed architecture,
  • Centralizes unstructured data protection,
  • Deploys quickly and easily,
  • Integrates with existing infrastructure, and
  • Scales to future requirements.

Most importantly, a combined assessment-technology solution permits an organization to stop harmful practices in their tracks, before they cost a cent in liability or loss.

Questions to Ask When Determining Your Ideal Unstructured Data Management Solution

When searching for the ideal unstructured data management solution to install on your network, ask yourself the following questions:

  • Does the solution crawl, classify, tag, and report on sensitive data? Does it offer support for various file types, including .doc, .pdf, .pst, and more (including DICOM, MS Access, FoxPro)?
  • Does it include terminology/keyword searching, Boolean support, pattern matching, and rule-based extraction?
  • Is the search process automated?
  • Is continuous security scanning and monitoring included?
  • Is the data easily managed, to enforce policies and permissions?
  • Is the data moved to the approved storage location?
  • Do options include copy, delete, migrate, and encryption?
  • Is manual intervention allowed?
  • Can the solution scale to identify and index billions of documents?
  • Is the product non-disruptive to my existing environment architecture? Does it require additional software?
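The assessment steps above (define what is at risk by file type, term and location; identify non-public data; decide how to automate identification, migration and encryption) and the checklist questions about crawling, classifying, tagging and rule-based reporting describe one pipeline. The following is an added example, written for this page and not Kazeon's or any vendor's code, of what the smallest version of that pipeline looks like: it walks a directory tree, applies pattern rules (Social Security number format with the usual invalid-range exclusions, card-like digit runs confirmed by a Luhn checksum to suppress false positives, and classification keywords), tags each file, applies a rule-based policy that decides an action based on whether the file lives in an approved location, and produces an audit summary. The sample files, rule set, approved-location prefixes and action names are constructed for the example; the scan is a dry run that records planned actions rather than moving or encrypting anything.

```python
"""Minimal data-at-rest discovery scanner: crawl, classify, tag, report (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass

# Detection rules, constructed for this example; a real deployment tunes these per organisation.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")       # 13-19 digits with optional separators
KEYWORDS = ("confidential", "internal only", "do not distribute")
SCAN_EXTENSIONS = {".txt", ".csv", ".log", ".md"}      # real tools also parse PDF/Office containers
MAX_BYTES = 5 * 1024 * 1024                            # skip huge files in this toy crawler
APPROVED_PREFIXES = ("hr/", "finance/")                # locations where sensitive data may live


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return tag -> hit count for one document's text (empty dict means nothing sensitive)."""
    tags = {}
    ssn_hits = len(SSN_RE.findall(text))
    if ssn_hits:
        tags["ssn"] = ssn_hits
    card_hits = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):                            # pattern match alone is not enough
            card_hits += 1
    if card_hits:
        tags["card"] = card_hits
    lowered = text.lower()
    kw_hits = sum(lowered.count(k) for k in KEYWORDS)
    if kw_hits:
        tags["keyword"] = kw_hits
    return tags


@dataclass
class Finding:
    path: str      # path relative to the scan root, with forward slashes
    tags: dict     # tag -> hit count
    action: str    # planned remediation (dry run only)


def plan_action(rel_path: str, tags: dict) -> str:
    """Rule-based policy: sensitive data outside approved storage is slated for migration."""
    sensitive = "ssn" in tags or "card" in tags
    if sensitive and not rel_path.startswith(APPROVED_PREFIXES):
        return "migrate-to-approved-store"
    if sensitive:
        return "encrypt-in-place"
    if "keyword" in tags:
        return "review"
    return "none"


def scan_tree(root: str) -> list:
    """Crawl root, classify each scannable file, and return findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            if os.path.getsize(full) > MAX_BYTES:
                continue
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                tags = classify_text(fh.read())
            if tags:
                findings.append(Finding(rel, tags, plan_action(rel, tags)))
    return sorted(findings, key=lambda f: f.path)


def report(findings: list) -> dict:
    """Audit summary: flagged file count, hits per tag, and files per planned action."""
    summary = {"files_flagged": len(findings), "by_tag": {}, "by_action": {}}
    for f in findings:
        for tag, n in f.tags.items():
            summary["by_tag"][tag] = summary["by_tag"].get(tag, 0) + n
        summary["by_action"][f.action] = summary["by_action"].get(f.action, 0) + 1
    return summary


# Constructed sample corpus (not real data); written to a temp dir so the example runs offline.
SAMPLE_FILES = {
    "hr/employees.csv": "name,ssn\nJane Doe,078-05-1120\n",
    "shared/scratch/export.txt": "old payroll dump: 078-05-1120 and card 4111 1111 1111 1111\n",
    "finance/orders.txt": "card 4111-1111-1111-1112 (bad checksum), ref 1234567890\n",
    "legal/memo.txt": "CONFIDENTIAL - do not distribute outside counsel\n",
    "public/readme.txt": "Welcome to the shared drive.\n",
    "public/photo.jpg": "\x00\x01binary",
}


def build_sample(root: str) -> None:
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the sample tree, scan it, and return planned actions plus the audit summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        findings = scan_tree(root)
        return {"findings": {f.path: f.action for f in findings}, "summary": report(findings)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter for an audit-grade tool. First, pattern matching alone over-reports: the `finance/orders.txt` sample contains a card-shaped number that fails the Luhn check and is correctly left unflagged, which is the difference between 4,000 real violations in 400,000 files and a report nobody trusts. Second, the policy decision is kept separate from the classifier, so the same findings can be mapped to copy, migrate, encrypt or manual review without re-scanning, and the planned action can be reviewed before anything is moved.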

Lastly, look for a vendor that has industry partnerships with large, established vendors to offer increased integration into different types of environments, and a proven track record to validate product excellence.

Whatever product you choose to get the job done, it is possible to keep non-public information out of the public realm with the right solution. Hear this: the unstructured data challenge can be met.

Michael Marchi is vice president of solutions marketing at Kazeon Systems.
www.kazeon.com