PUNE, INDIA: Where is our information? How is it being used? And how can we best prevent and protect against its loss? CSOs and CIOs around the world share these three concerns. After all, in today’s information-driven world, safeguarding data is a priority.
According to the IT Policy Compliance Group, 68 percent of organizations are experiencing six losses of sensitive data annually, while 20 percent are suffering 22 or more sensitive data losses per year. And research from the Ponemon Institute places the cost of a data breach at nearly $200 per compromised record.
There’s no way organizations can continue to sustain those kinds of losses without finding a plug for all those leaks. To help mitigate the risks associated with doing business in the wide open world of high-speed bandwidth and mobile computing, businesses are turning to DLP. A number of DLP technologies have emerged that prevent the loss of data at one or more points in the information lifecycle—in transit on the network, at rest in storage, or in use on the endpoint.
But DLP is not about the technology alone. Beyond the hype cycle and the latest and greatest in vendor marketing on data loss prevention, there is no silver bullet—or silver plug—point solution.
Protecting information and preventing its loss requires technology combined with people and processes. An effective DLP strategy aims to reduce the potential for data loss not only by enabling companies to deploy automated controls, but also by helping them identify risk, establish policies and processes, and educate users.
Getting attention
Just as DLP is not simply a technological solution, protecting information is not just an IT concern. In fact, it’s very likely that IT may not always know what information is confidential and what is not. Preventing the loss of data is a business problem, and it requires a business solution. Consequently, before implementing technology to prevent data loss, key stakeholders and business unit managers must first come together to identify the data that most needs to be protected.
Because DLP isn’t an exclusively IT-driven discipline, it requires cross-team support and alignment from a variety of others, including Facilities, compliance representatives from Legal, enterprise risk managers, HR, Marketing, and Sales.
What does it take to get attention for DLP initiatives in today’s enterprise? In most cases, it means making a compelling business case – and getting the right information to the right people in the right language.
Here are a few key steps that will likely help:
· Choose your words wisely. Speak in terms of business advantages. Rather than talking about the threat of misuse or a malicious attack, consider simulating the impact of a potential incident in terms of consequent business loss.
· Use headlines to your benefit. Most business leaders dread the thought of the "orange jumpsuit retirement program." There’s a steady stream of privacy and data leakage issues that will continue to make the headlines. Make use of these "public hangings" to illustrate the real risks and move away from the incident probability statistic deadlock.
· Establish your milestones. Before seeking cross-team support, establish three milestones you expect to meet and explain in business terms how these milestones will provide returns to both IT and the business.
Assessing risk
To be clear, the identification process does not mean classifying every piece of information that comes into, goes out of, or is stored within the organization. To the contrary, it means identifying the few types of information whose loss would result in the greatest negative impact for the company. This is the information to which DLP will be applied first. For some organizations, this might be source code, product designs, and similar intellectual property. For others, it might be customer information or financial data.
A number of DLP solutions include a risk assessment component in which network activity is monitored for a two- or three-day period. A report is then provided that shows the organization what data is going out through the network as well as through each department, and how often it is going out. This report can be invaluable in helping companies determine what kinds of data are most at risk and which departments are creating the greatest exposure.
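The kind of report described above can be reduced to a small aggregation over the events a monitoring appliance logs during the assessment window. The following is an added illustration, not code from the article or from any vendor's product; the event records, department names, channels and data types are constructed for the example, and the report shape (per-department totals broken down by data type and channel) is an assumption about what such a report would contain.

```python
from collections import defaultdict

# Constructed egress events as a monitoring appliance might record them over a
# three-day assessment window. Fields: day, department, channel, data type,
# number of records observed. Hypothetical sample data, not real telemetry.
EVENTS = [
    (1, "Sales",       "email",      "customer_pii", 120),
    (1, "Sales",       "web_upload", "customer_pii",  40),
    (2, "Engineering", "usb",        "source_code",   15),
    (2, "Finance",     "email",      "financial",     60),
    (3, "Sales",       "email",      "customer_pii", 200),
    (3, "Engineering", "email",      "source_code",    3),
    (3, "Finance",     "web_upload", "financial",     10),
]

WINDOW_DAYS = 3  # length of the assessment period the events cover


def summarize_by_department(events):
    """Build per-department totals: event count, records leaving, and the
    breakdown of those records by data type and by egress channel."""
    report = {}
    for day, dept, channel, dtype, n_records in events:
        entry = report.setdefault(dept, {
            "events": 0,
            "records": 0,
            "by_type": defaultdict(int),
            "by_channel": defaultdict(int),
            "days_active": set(),
        })
        entry["events"] += 1
        entry["records"] += n_records
        entry["by_type"][dtype] += n_records
        entry["by_channel"][channel] += n_records
        entry["days_active"].add(day)
    return report


def rank_exposure(report):
    """Departments ordered by records leaving the network, highest first.
    This is the 'which departments create the greatest exposure' view."""
    return sorted(report, key=lambda d: report[d]["records"], reverse=True)


def daily_rate(report, dept, window_days=WINDOW_DAYS):
    """How often data is going out: average records per day for a department
    across the whole assessment window (quiet days count as zero)."""
    return report[dept]["records"] / window_days


def riskiest_data_type(report, dept):
    """The data type accounting for the most records leaving a department.
    This is the 'what kinds of data are most at risk' view."""
    by_type = report[dept]["by_type"]
    return max(by_type, key=by_type.get)


if __name__ == "__main__":
    rep = summarize_by_department(EVENTS)
    for dept in rank_exposure(rep):
        print(f"{dept:12s} records={rep[dept]['records']:4d} "
              f"per_day={daily_rate(rep, dept):6.1f} "
              f"top_type={riskiest_data_type(rep, dept)} "
              f"channels={dict(rep[dept]['by_channel'])}")
```

Ranking departments by records rather than by event count matters: a single bulk export can dwarf dozens of small ones, and it is the record count that drives the per-record breach cost cited above.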
Setting policies and processes
Once an organization has identified the actual data requiring protection, this information serves as the foundation of the company’s data loss policy. The organization can then design processes in order to monitor for data loss incidents and measure their progress in reducing risk over time. It is critical to be clear on who does what in the event of a breach, so that should a crisis occur, the right people are following the right processes to mitigate risk.
For example, IT security as well as the involved employees and their managers may need to be notified. If malicious behavior is suspected, it may be necessary to bring in forensic and legal specialists. If a major breach occurs, public relations may play an important role. And business unit managers will want to be able to track their data loss risk over time.
Today’s more comprehensive DLP solutions can be configured to monitor whether the company’s most important data goes out through a certain gateway, off a particular endpoint, and more. Organizations can use the actual information they know is important to define the policy and then match it exactly.
The newest DLP solutions also employ intelligent incident response capabilities so organizations can automate policy enforcement with flexibility. The inclusion of analytics and workflow enables the system to calculate incident severity and automatically deliver the appropriate level of enforcement. Better yet, by offering templates based on industry best practices for incident response and remediation workflow, these solutions can significantly reduce configuration time for IT.
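To make the two ideas above concrete, matching a policy against the actual data known to be important and then deriving a severity that selects the enforcement level, here is an added example of a minimal policy engine. It is illustrative code written for this page, not the article's or any vendor's implementation. The detectors (a Luhn-checked payment card number and a constructed "PROJECT-CONFIDENTIAL" marker), the channel weights and the severity thresholds are all assumed tuning values chosen for the example.

```python
import re
from dataclasses import dataclass

# Channel weights: the same content leaving by a riskier path scores higher.
# Hypothetical tuning values for this example, not figures from any product.
CHANNEL_WEIGHT = {
    "internal_email": 1.0,
    "external_email": 2.0,
    "web_upload": 2.0,
    "removable_media": 2.5,
}

# Candidate card numbers are 13-16 digit runs; the Luhn check below filters
# out random digit strings so that order numbers do not raise false alarms.
CARD_CANDIDATE = re.compile(r"\b\d{13,16}\b")
# Constructed marker standing in for a company's own confidentiality label.
CONFIDENTIAL_MARKER = re.compile(r"\bPROJECT-CONFIDENTIAL\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    return [m for m in CARD_CANDIDATE.findall(text) if luhn_valid(m)]


def find_markers(text: str):
    return CONFIDENTIAL_MARKER.findall(text)


# (detector name, per-match weight, finder function). Weights express how
# much one match of each type should raise severity; values are assumed.
DETECTORS = [
    ("payment_card", 4, find_card_numbers),
    ("confidential_marker", 3, find_markers),
]


@dataclass
class Incident:
    channel: str
    matches: dict       # detector name -> number of matches
    severity: float
    action: str


def classify_action(severity: float) -> str:
    """Map a severity score to an enforcement level. Thresholds are assumed."""
    if severity == 0:
        return "allow"
    if severity < 5:
        return "notify_user"            # on-the-spot correction only
    if severity < 15:
        return "notify_and_quarantine"  # hold for review, tell the user
    return "block"                      # prevent the transfer outright


def evaluate(text: str, channel: str) -> Incident:
    """Run every detector over the content, weight the hits by detector and
    by channel, and choose the enforcement action from the resulting score."""
    matches = {}
    raw_score = 0
    for name, weight, finder in DETECTORS:
        hits = finder(text)
        if hits:
            matches[name] = len(hits)
            raw_score += weight * len(hits)
    severity = raw_score * CHANNEL_WEIGHT[channel]
    return Incident(channel, matches, severity, classify_action(severity))


if __name__ == "__main__":
    samples = [
        ("cards 4111111111111111 and 4242424242424242 attached", "external_email"),
        ("card 4111111111111111 for the refund", "internal_email"),
        ("see PROJECT-CONFIDENTIAL notes", "external_email"),
        ("order ref 1234567890123456", "external_email"),
    ]
    for text, channel in samples:
        print(evaluate(text, channel))
```

Two points of design are worth noticing. The checksum step is what keeps the "notify" tier useful: a detector that fires on any long digit string trains users to ignore the notifications. And because the channel weight is applied after detection, the same policy definition yields a warning for an internal message and a block for the identical content bound for an external address, which is the flexibility the paragraph above describes.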
Raising awareness
The effectiveness of even the best technology and processes can be undermined if employees do not understand the value of their company’s information assets and their role in mitigating risk. With heightened awareness, however, employees can also become a company’s strongest line of defense and its most valuable security asset.
But how? Formal security awareness training programs can certainly help, as can clear security policies. Yet perhaps the most effective education comes through intervention at the time of action. After all, many data breaches are the result of simple user error. People make mistakes. They forget. They misunderstand. But they can also correct themselves—if they know they erred.
A robust DLP solution makes it much easier for users to not only know corporate data loss policy but also to follow it. By providing various levels of real-time response, from remediation to notification and prevention, DLP provides on-the-spot correction. The cumulative impact of such automated efforts can be significant. In fact, one Fortune 100 company observed a 90 percent drop in data loss incidents just 10 days after enabling the automated user notification capabilities within its DLP solution.
Clearly, in today’s wide open world, CSOs and CIOs in businesses of all sizes are committing to protecting their data, regardless of where it is sent, stored, or used. With the help of DLP solutions that leverage people, processes, and technology, businesses can not only gain insight into where their data is, who is using it, and where it is going, but they can also effectively manage and control information risk exposure now and in the future.
The author is Managing Director, Symantec India.