Data loss, either by accidental employee oversight or via a
targeted Web or email attack, is not merely hype. Over the past few
years, millions of customer records containing sensitive data have
been lost or stolen and many more have gone unrecorded.
Employee error and broken business processes frequently
contribute to both unintentional and malicious data loss. Modern
technology has changed the face of business and opened up many
opportunities. However, the proliferation of information stored and
shared electronically is proving to be rich pickings for aggressive
fast moving security threats. Businesses are well aware that
information is their most valuable asset, and its loss can have
major consequences. In addition to this, regulatory compliance is a
major concern for many industries.
Adopting both policy and educational programs helps remedy
broken or risky business processes. Penalties for data loss
can be huge: fines, lawsuits, lost customers and negative
PR. So it’s vital for users to understand how to secure data.
Further, training employees helps educate them on the
established policies and improves general security practice
overall. And technology-based approaches such as encryption,
IDAM and DLP, combined with policy and educational
programs, greatly reduce data loss across an organization.
False starts and common mistakes
Many believe that data classification is the first step in DLP,
and this belief (mistakenly) leads to literally all data being
classified (even public information). This inevitably creates false
positives and is no improvement on the opposite end of the
scale, where nothing is classified, which leads to false negatives.
The other mistake occurs when the classification is unclear and
everything falls into a ‘default’ classification
category as people can’t decide what is important.
What’s the alternative? The answer is actually quite simple
and lies in context combined with intelligent Out-of-the-Box
Policies within a comprehensive DLP strategy. The ability to
accurately identify sensitive data, wherever it may be and wherever
it is going, is key for any DLP solution.
Planning a Comprehensive DLP Strategy
When planning a comprehensive DLP strategy, the
following practices can reduce the risks of malicious threats, save
costs associated with data management and security and help meet
regulatory compliance.
1. Identify, Monitor and Protect
It’s important to identify what data is confidential, monitor
where the information is going and then implement protection
controls to ensure it is only going to the proper
individuals. This crucial step provides a better
understanding of an organization’s business processes and,
therefore, enables them to develop sound data security policies to
protect data.
2. Web and Email Content Control
Implement a technology solution that can inspect and control
content over the Web and email. Data loss via the Web is four times
more likely than email. When you email, you’re mostly
emailing your peers at work. But when you’re talking
about the Web, every transaction or communication is outside your
organization. For a security or IT team to be efficient and
successful at protecting against data loss, it’s also
important to look for ways to consolidate monitoring protocols and
have a single inspection gateway.
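Steps 1 and 2 above describe the core DLP loop: identify confidential content, monitor where it is going, and apply a protection control at a single inspection point. The following Python is an added illustration of that loop and is not Websense code or a description of any product's engine. It shows how context (nearby keywords) and a validator (the Luhn check for card numbers, issuance rules for SSN-shaped strings) combine to confirm a hit, which is the point made earlier about avoiding the false positives that come from classifying by pattern alone. The policy names, the internal domain `example.com` and the sample messages are all constructed for the example.

```python
"""Context-aware DLP content inspector (illustrative example, not a product engine)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumption: the organisation's own mail domain, constructed for this example.
INTERNAL_DOMAIN = "example.com"


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject SSN-shaped strings that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: re.Pattern
    validator: Callable[[str], bool]
    context_terms: Tuple[str, ...]  # words that must appear in the message for a confirmed hit


@dataclass(frozen=True)
class Finding:
    policy: str
    match: str
    confirmed: bool  # validator passed AND the surrounding context agrees


# Two policies in the "out-of-the-box" style, constructed for this example.
POLICIES = [
    Policy(
        name="payment-card",
        pattern=re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
        validator=lambda m: luhn_valid(re.sub(r"[ -]", "", m)),
        context_terms=("card", "visa", "mastercard", "cvv", "expiry"),
    ),
    Policy(
        name="us-ssn",
        pattern=re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
        validator=ssn_plausible,
        context_terms=("ssn", "social security"),
    ),
]


def inspect(text: str) -> List[Finding]:
    """Identify: return every pattern hit, marking which ones survive validation plus context."""
    lowered = text.lower()
    findings = []
    for policy in POLICIES:
        in_context = any(term in lowered for term in policy.context_terms)
        for m in policy.pattern.finditer(text):
            confirmed = in_context and policy.validator(m.group(0))
            findings.append(Finding(policy.name, m.group(0), confirmed))
    return findings


def decide(text: str, channel: str, recipient: Optional[str] = None) -> str:
    """Monitor and protect: 'allow', 'log' (internal email, kept for audit) or 'block'."""
    confirmed = [f for f in inspect(text) if f.confirmed]
    if not confirmed:
        return "allow"
    if channel == "email" and recipient and recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return "log"
    # Web uploads and external email leave the organisation: stop them at the gateway.
    return "block"


if __name__ == "__main__":
    # Constructed sample traffic: one web upload, two emails, one order note.
    samples = [
        ("Hi, please charge my card 4111 1111 1111 1111, expiry 12/27", "web", None),
        ("Order reference 1234567890123456 shipped today", "web", None),
        ("Card number 4111111111111111 is for the corporate account", "email", "bob@example.com"),
        ("Employee SSN 123-45-6789 attached", "email", "partner@other.example"),
    ]
    for text, channel, rcpt in samples:
        print(f"{decide(text, channel, rcpt):5s} [{channel}] {text}")
```

The second sample is the false-positive case the article warns about: sixteen digits that look like a card number but fail the Luhn check and sit in a message with no payment context, so the gateway lets it through. The third shows the "monitor" state: a confirmed card number going to a peer inside the organisation is logged rather than blocked, while the same content bound for the Web or an external address is stopped.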
3. Understand the Laws and Regulations
It’s also important to understand the data laws and
regulations of the country where the business resides and
operates. This is critical since operating in a specific
country or state may subject an organization to its laws.
Therefore, it is important to be cognizant of the content in
use and its context, and to consider the capacity of the deployed
solution to create this awareness and enforce sensitive-data
policies.
Future trends for DLP
Through proper employee education, an understanding of where
sensitive data moves within the organization and through
what channels, and proper processes and technology in
place to safeguard it, organizations can increase security within
the organization and meet regulatory requirements for all the areas and
regions in which the company does business.
Comprehensive data security is multi-faceted, addresses the
entire flow of data and must consider various factors requiring
simple and unified management. With a proactive approach to
intelligently identify, manage, monitor and secure data,
implementing DLP technology can mitigate the risk and simplify the
task of ensuring regulatory compliance. As the sophistication of
threats increases, so too should the technology that protects the
data that the cybercriminals are trying so hard to steal.
The future of DLP technology is unified content security: a
solution which can intelligently identify, manage, monitor and
secure data using integrated Web, email, and data security
technologies to provide the best security for modern threats.
Didier Guibal is EVP, Global Sales at Websense