Is ignorance bliss? Not when it comes to data loss. Every organisation has lost sensitive data, most just don’t know which data, where, when, or how.
But regulatory requirements for public notification of losses will mean Australian organisations will gain visibility the hard way—in the headlines. And bad news travels fast.
Data loss will become a big issue over the next few years due to the privacy commissioner's draft guidelines for voluntary notification and the forthcoming Australian Law Reform Commission recommendations on a mandatory scheme.
Similar regulations, such as the credit-card industry's PCI standard and the various disclosure laws, have been the best stick the industry has found to beat companies over the head with, and it works.
Regulation forces companies to take security more seriously, and sells more products and services.
Getting caught losing sensitive data is expensive. There are significant hard costs in mitigation and remediation to affected individuals, as well as regulatory fines and fees to support increased audits.
However, often unappreciated are the soft costs to brand equity and competitive advantage. Enterprises will be penalised in both the court of law and the court of public opinion.
Only recently I heard of an organisation that lost a lot of data, but they were not mandated to tell anyone and they went out of their way to ensure it stayed out of the headlines.
Somebody broke into their datacenter and stole some of their critical data, and they did it with a chainsaw and a truck. They cut a hole in the wall and stole ten servers.
Of course the data was unencrypted because the servers were live online. It's probably an inside job, as someone knew what to take, where the cameras were, and what wall to cut through.
For enterprises, the weakest link is often the insider problem.
Your people can cause havoc within your organisation, so you have to hire trustworthy people, minimise the amount that you trust them, educate them on good practices and keep a close eye on what they do.
Data loss prevention (DLP) solutions show where data is going, the magnitude of the data loss problem and how data is escaping.
However, gaining visibility into the problem is not enough. Sophisticated organisations will quickly realise that the policies in place are not being enforced, and that people will find new ways to avoid detection.
To combat this behaviour, an organisation’s DLP solution must be a seamless mesh between content-based recognition; comprehensive coverage across physical, application and network channels; and a robust device-control framework (USB, CD/DVD, iPod, Bluetooth) at the endpoint.
This combination efficiently closes the gaps so organisations can rapidly deploy monitoring and apply automated enforcement actions in response to any violation.
They can also mitigate data loss risks from business initiatives such as outsourcing and integrated supply chain management.
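As an added illustration of the two halves described above, content-based recognition and automated enforcement per channel, the following Python script is example code written for this page, not a product of Earthwave or any DLP vendor. It recognises payment card numbers (a Luhn check filters out digit runs that merely look like card numbers) and document classification markers in a handful of constructed sample events, then maps each hit to a hypothetical per-channel action (block on USB and email, monitor on web). The event set, rule names and policy table are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events: one per channel a DLP agent might watch.
SAMPLE_EVENTS = [
    {"channel": "email", "body": "Invoice attached. Card on file: 4111 1111 1111 1111"},
    {"channel": "usb",   "body": "customer_export.csv: 5555555555554444,Jane Roe"},
    {"channel": "email", "body": "Order ref 1234567890123456 shipped"},  # 16 digits, fails Luhn
    {"channel": "web",   "body": "Draft -- INTERNAL ONLY: Q3 pricing model"},
    {"channel": "web",   "body": "Meeting at 10am tomorrow"},
]

# Hypothetical enforcement policy: action taken per channel once
# sensitive content is recognised. Unknown channels default to "monitor".
POLICY = {"usb": "block", "email": "block", "web": "monitor"}

# 13-16 digit runs, optionally separated by spaces or dashes, not embedded
# in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
MARKER_RE = re.compile(r"\b(INTERNAL ONLY|CONFIDENTIAL)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str
    evidence: str   # masked so the log itself does not leak the data


def classify(body: str) -> list:
    """Content-based recognition: return the findings for one message body."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            masked = digits[-4:].rjust(len(digits), "*")
            findings.append(Finding("payment_card", masked))
    for m in MARKER_RE.finditer(body):
        findings.append(Finding("classification_marker", m.group()))
    return findings


def decide(event: dict) -> dict:
    """Apply the per-channel policy to the findings for one event."""
    findings = classify(event["body"])
    action = POLICY.get(event["channel"], "monitor") if findings else "allow"
    return {
        "channel": event["channel"],
        "action": action,
        "findings": [f.rule for f in findings],
        "evidence": [f.evidence for f in findings],
    }


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and return the enforcement decisions."""
    return [decide(e) for e in events]


if __name__ == "__main__":
    for decision in run():
        print(decision)
```

The Luhn filter is what keeps the third event at "allow": a bare regex would flag any 16-digit order reference and flood the monitoring queue with false positives, which is exactly the noise that makes enforcement get switched off. Evidence is masked before it is recorded so the DLP log does not become a second copy of the data it is meant to protect.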
With DLP, enterprises get pragmatic security protection that serves many goals: comply with government regulations, preserve brand value, protect customer privacy, and retain intellectual property.
The goal is simple: accelerate the DLP adoption process to protect business data, stay out of the headlines and get on with the next project.
By Carlo Minassian, CEO and founder of earthwave, Australian IT Managed Security Services provider.
Demystifying data loss prevention
By Carlo Minassian, Founder & CEO, Earthwave, on Jul 29, 2008 11:45AM