Zero In on Trouble
Vendors typically pitch outbound content management tools as automatic "reverse firewalls" to keep information in, via automated identification and blocking. But early adopters are usually wary of the automatic blocking pitch and have taken a much more nuanced strategy—primarily using these tools to identify risks, so that IT security staff and business managers can decide how to handle them on a case-by-base basis. Often, these tools can also identify areas for further user education and help investigate past breaches.

How does the technology work? Basically, the tools filter outgoing communication across a variety of channels, such as e-mail and IM, to identify sensitive information. They're based on some of the same technologies—like pattern matching and contextual text search—that help antivirus and antispam tools block incoming threats.

Tools typically come with basic patterns already defined for personally identifiable information such as Social Security and credit card numbers, as well as templates for commonly private information such as legal filings, personnel data and product testing results.

You can also have the tools analyze servers and other data stores to determine the patterns for anything a company considers important to safeguard, then set the rules for how the tools should react when such information is leaving the company. (For example, you could choose to silently block some outbound messages and warn users regarding others.)

Companies typically look for three types of information using these tools, notes Paul Kocher, president of the Cryptography Research consultancy. The first—and easiest—type is personally identifiable information, such as Social Security numbers and credit card information. The second type is confidential company information, say product specifications, payroll information, legal files or supplier contracts. While this information is harder to identify, most tools can uncover patterns of language and presentation when given enough samples, Kocher notes. The third category is inappropriate use of company resources, such as potentially offensive communications involving race.

"You don't really know what's going out of your network until you have a tool that can help you zero in," says BCD's Flynn.

With a real understanding of what information is flowing, you can develop an appropriate security strategy, Flynn says.

Educate Users
Security consultants advocate a multitiered strategy to protect sensitive information. In all cases, they recommend starting with basic user education so people know what behavior to avoid and what secure practices to follow—and they agree that content management tools can help identify where the risks are.

The First National Bank of Bosque County in Texas has its employees sign an information-security policy every year. "We remind them that if they send out customer information, they can go to jail. That's a pretty good reinforcement," says Brent Rickels, the bank's senior vice president.