Stamford, CT – February 11, 2005 –
I remember a few years ago going to a potential customer to do a security assessment. Back in those days, the chief executive officer and the chief information officer were completely uninterested in data security, and the meeting was always with an administrator or manager. Naturally, they had all the currently available perimeter protections: firewalls, routers and virus scanners. But that's where they stopped.
Having spent the past 15 years working on solutions for this growing business issue, I gave him my long-held opinion that the data was at much greater risk sitting in the database on his computer than it was flying over the Internet. I pointed out to him that anyone could easily walk over to one of his machines, connect to his server and copy his databases onto a removable drive. I'll never forget his response: "I trust my employees." A very noble sentiment and a correct one. However, as Ronald Reagan said: "Trust, but verify."
It is a truism that others will accord no more respect to your property (intellectual or otherwise) than you do yourself. I trust the guests that I invite over to my house, but I don't leave money sitting around on the table in front of them. Banks have locks, guards and alarms to defend against break-ins, but they still don't leave piles of cash lying around on the floor at night. Business and government are spending all their effort preventing the "bad guys" from getting to their databases and almost no effort on protecting their information once the bad guys do get to it.
Data owners taking notice
What has changed over the past few years? As I wrote in an article several years ago, the problem was that the people charged with protecting the data (managers and administrators) were not the people who owned the data (CEO, CIO, etc.). Not only were the data "owners" not making the decisions, they weren't getting involved in the decision-making at any level. Second, there were few or no financial consequences (other than a red face) for not protecting the data. "Best practices" always focused on preventing people from getting access to the data -- not on what to do once they did get access to it. So as long as businesses were following "best practices" they were in the clear.
But now, with industry groups, government agencies and even insurance companies talking about imposing real consequences, the "owners" of the data are finally starting to take notice. The time is coming when companies will be held accountable legally and financially for careless behavior with customer or employee data. And unfortunately, companies around the world are proving time and again how careless that behavior is. High-profile cases like the recent People's Bank data loss, as well as Marriott and Bank of America last year, have demonstrated this to the public far too often now. Clearly, measures to deal with this growing "technology epidemic" are not being put into place fast enough.
Companies are also being frozen into a position of inaction by the sheer amount of information being disseminated. Many large security companies have a vested interest in selling the most costly, complex, all-encompassing solutions they can. The most complex solution, marketed to solve all security problems, is rarely deployed properly. Or once deployed, it is hardly ever administered properly. If it takes an administrator an hour to configure a new employee in a large corporation, you can be sure that shortcuts and workarounds will eventually become the norm.
More often than not, the best security is several layers of simple, easy-to-deploy solutions. Companies often delay implementing data security practices because they are daunted by the potential cost and complexity. I've personally seen decision-makers frozen in a state of indecision due to their fear of the unknown.
First steps
There is no perfect security solution, but don't let the apparent complexity of the problem prevent you from taking the necessary simple steps.
It's important that you start doing something, or else you are simply inviting everyone in.
The vast majority of people will not step over the "shouldn't do this" line. If you make it clear that certain data is off limits and put some barrier in the way of obtaining it, then most (but not all) people will respect that. What message were People's, Marriott, and Bank of America sending when they left critical databases and backups unencrypted?
The first step is to limit physical access to hardware, where feasible. It is virtually impossible to maintain security if there is unrestricted and unlimited physical access to a machine.
After that, make sure that critical data on backups, desktops and laptops is encrypted, not just the data on servers. Remember that sometimes the person you need to protect against is the backup operator, or the desktop or laptop user. Therefore, built-in Windows protection is not always the answer. For critical backups, consider implementing layered encryption so that backups cannot be decrypted by a single person (e.g., the backup operator who just quit).
Stop using passwords and start using pass phrases. Pass phrases are expressions or combinations of words that are easy for you to remember but difficult for other people to guess. Preferably something from your everyday life that will jog your memory, but not something "about" you (e.g., nothing involving your kid's birthday). For example, if you pass four traffic lights on the way to work, your pass phrase could be pass4lights. If you choose GB1764T, you'll probably end up writing it down on a sticky note on the side of your monitor.
Remember that there is no perfect security. You have to put in enough barriers that the difficulty of getting to the data makes it far less worthwhile for someone to try to steal it. Remember -- most attacks are not carried out by Einsteins. Attackers are looking for low-hanging fruit.
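The backup step above calls for layered encryption so that no single person (a departing backup operator, for instance) can decrypt a backup. The following is an added example, not NetLib's or Encryptionizer's code, of one way to get that dual-control property: the backup key exists only as the XOR of two custodians' random shares, and the blob is authenticated so that a wrong key fails closed. It assumes HMAC-SHA256 in counter mode as an illustrative stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
def make_shares(n_bytes: int = 32) -> tuple:
    """Two random shares, one per custodian; a share alone reveals nothing about the key."""
    return os.urandom(n_bytes), os.urandom(n_bytes)

def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the backup key only when both custodians contribute: key = a XOR b."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the reconstructed key."""
    return (hmac.new(key, b"backup-encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"backup-mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an assumed stand-in for a real cipher such as AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_backup(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_backup(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key (one share alone) or a tampered blob fails closed."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def single_share_decrypts(share: bytes, blob: bytes) -> bool:
    """Dual-control check: True only if one custodian's share by itself can open the backup."""
    try:
        decrypt_backup(share, blob)
    except ValueError:
        return False
    return True
```

Each custodian stores only their own share; the combined key is reconstructed in memory at restore time and never written to disk.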
At the end of the day, the importance of protecting sensitive data can no longer be ignored. The new mandates by government and insurance companies, as well as the rise of the "cyber police" enforcing this issue, are a clear sign that this is the top priority for businesses now and in the foreseeable future. And to be quite honest, all I can say is that it's about time.
Pricing
Available on request. Encryptionizer for SQL Server is licensed per-server, and must be installed on each server in a cluster. Volume pricing and OEM licensing is available. Time-limited evaluation versions are available at no charge by filling out the form on our web site, www.netlib.com.
About NetLib
NetLib is a leading innovator of data encryption security software for the enterprise and developers. The company offers an unparalleled track record of success, combining its award-winning, innovative software with nearly 20 years of industry expertise developing security software. NetLib offers the most scalable and easy-to-deploy solutions for protecting your data wherever it resides. Companies and developers alike also benefit from a low total cost of ownership and improved operational efficiencies, with no ongoing administration or programming required. Encryptionizer®, the company's flagship product, is a developer-friendly tool that offers a flexible environment enabling automatic, whole database or file encryption as well as an optional API set. Based in Stamford, Connecticut, NetLib has been helping Fortune 100 companies, small and medium-sized businesses, and developers worldwide provide enhanced protection of data and intellectual property since 1986. For more information, visit us at www.netlib.com.
NetLib and Encryptionizer are Registered Trademarks, and Col-E and Repeating Values Protection are trademarks of Communication Horizons DBA NetLib. US and International Patents Pending.
Press / Analyst Inquiries: (203) 286-2885