There are many egress vectors for information and data leakage. While certainly not a complete list some examples of these egress vectors include personal e-mail, P2P, unauthorized encrypted transmissions, malware infections in endpoint devices, unauthorized PDAs, smart phones and MP3 players, social engineering both electronic and non-electronic, faxing to personal e-mail, unauthorized media (CD/DVD, USB Drive, Memory Stick, etc., and traditional postal and overnight services.
In any given organization there are no doubt additional egress vectors for information and data leakage that may be specific to the type of business being conducted. The important thing is to understand what these outward vectors are such that appropriate controls can be defined and instituted to provide the required level of security to the majority of the information in the environment. The previous statement was crafted using the word "majority" for a good reason. That reason is that like any other set of security controls nothing should be considered fool-proof. While it is essential that an organization takes every reasonable precaution to protect its restricted data, it is impossible to ensure that all data is secure all of the time, especially if you are in a business that by its very nature is a target for information leakage.
How to protect against data leaks
Now that we have briefly visited the "How" that describes some of the more common information and data leakage sources, we move to the second part of "How." This second part of "How" will be an attempt to describe how to institute a set of controls that will provide the optimal level of protection for an organization.
The best chance of accomplishing this will be to remember that it is vital to not depend on any one type of solution or process. There are a variety of tools and techniques, both technical and non-technical to assist the security professional achieve the appropriate and reasonable level of security for the various types of information and data that typically exist in an enterprise.
The defense-in-depth concept is alive and well when it comes to protecting against information and data leakage. The only difference here is that when applied to infrastructure we tend to start at the outside and work our way to the inside. Assuming that we have done a reasonably good job of securing that infrastructure, for the purposes of data leakage we need to shift our thinking a bit and look to work from the inside to the outside.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.