Myth No. 1
Information leak prevention is the security administrator's problem.
Securing companies from external threats such as viruses has long been in the security administrator's realm, but securing the company from information leaks requires a much broader view. Today, the challenge of protecting sensitive data spans business units—from IT to the legal department to the boardroom. Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.

Myth No. 2
If I block instant messaging, Web-based e-mail and external storage devices, I don't need to worry about information leaks.
Controlling instant messaging, Web e-mail and external storage devices may increase basic data security; however in today's connected world, putting tight restrictions on information flow can hinder business process and ultimately constrain company growth. Effective leak prevention requires the ability to keep information inside the company's walls without disrupting its legitimate use for normal business operations. Information management requires a balanced approach. Best practices include building leak prevention policies around things like instant messaging and Web usage, as well as using a growing number of technologies such as endpoint security and encryption technology to enable employees to leverage external storage devices safely.

Myth No. 3
I know where my data resides.
Most companies don't have a good handle on where their data lives, whether on file servers or company laptops. Understanding who has access to data and where it flows inside and outside the network is crucial to managing information. In addition to identifying sensitive information, CIOs must understand other areas of exposure, such as unsecured endpoints and whether Internet use policies for common data loss vectors (like instant messaging and Web surfing) exist and are being enforced.

Myth No. 4
I should be most concerned about protecting my data from data theft and malicious internal leaks.
Malicious data leakage and theft is certainly important to address; however most leaks are not intentional. Mistakes, deviations from existing business or IT processes, and the negligence of employees and contractors can result in leaks. In fact, according to Forrester Research, more than 70 percent of all leaks are accidental. With e-mail auto-fill for the intended recipient on nearly every computer, it is easy to see how e-mails accidentally get sent outside the corporation. When developing an effective information leak prevention strategy, you must focus on accidental data loss to address the majority of the day-to-day risk.