I don't really have to tell you that data needs protecting. You should already know about the need for heightened security measures to prevent the loss of confidential information and regulated data.
Yet the proliferation of data compromises reported across the world, such as the misplaced USB key containing thousands of patients' medical records from the Canadian Durham Health Authority and the recent theft of confidential information from Kent Police in the UK, reinforces this need and speaks for itself. Incidents of data loss, whether through accidental employee oversight or via a targeted web or email attack, are not merely hype. And they are on the rise.
Over the past few years, millions of customer records containing sensitive data have been lost or stolen and many more surely go unrecorded. Employee error and broken business processes are frequently contributing factors in both unintentional and malicious data loss.
Modern technology has changed the face of business and opened up many opportunities. However, the proliferation of information stored and shared electronically is proving to be rich pickings for aggressive fast-moving security threats. Businesses are well aware that information is their most valuable asset, and its loss can have major consequences. In addition to this, regulatory compliance is a major concern for many industries.
Making positive strides
Recent research shows that:
- 35% of malicious web-based attacks include data-stealing code;
- 58% of all data-stealing attacks are conducted over the web.
Attacks are becoming increasingly targeted. Earlier this year approximately 30 companies became the victim of a browser-delivered web exploit specifically targeting sensitive data. The attack, commonly referred to as Aurora, was designed to evade traditional anti-virus and web reputation defences to gain access to company assets and sensitive information.
There is no doubt that insurance numbers, banking details, medical records, claims submissions, and any other information deemed non-public, needs to be protected from accidental loss or malicious intent. The Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) all exist to protect an individual's data, and Data Loss Prevention (DLP) can help with the task of ensuring regulatory compliance.
Up-to-date legislation such as this, and new policies in various countries changing data breach notification requirements, are no doubt positive steps toward stronger data security. In addition to adhering to legislation, businesses need to adopt a holistic DLP strategy that includes policy, education and technology.
For example, adopting both policy and educational programs helps remedy broken or risky business processes. Penalties for data loss can be huge: fines, lawsuits and lost customers, along with the negative PR they generate. So it's vital your users understand how to secure your data. Further, employee training helps staff understand the established policies and improves general security practice overall.
Technology-based approaches such as encryption, identity and access management (IDAM) and DLP technology, combined with policy and educational programs, greatly reduce data loss across an organisation.
Based on real-world deployments, it's estimated that an organisation that employs technology and training can reduce the volume of data loss by 50 percent or more just by issuing notifications. If a manager learns that their employee is leaking data, you'll see about a 10 percent reduction in incidents. If you inform the employee directly that he or she is responsible for leaking data, you'll see a 50 percent reduction.
False starts and common mistakes
DLP has been defined as products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis. A comprehensive DLP plan doesn't mean boiling the ocean or creating policies that impair daily business processes. The most successful implementations are often the result of a phased approach, incorporating best practices and control measures.
Many believe that data classification is the first step in DLP, and this belief (mistakenly) leads to literally all data being classified, even public information. That inevitably creates false positives, and it is no improvement on the opposite end of the scale, where nothing is classified and the result is false negatives.
The other mistake occurs when the classification is unclear and everything falls into a 'default' classification category because people can't decide what is important. Websense saw a real-life example of this at a financial organisation: by default, everything containing the word 'confidential' was deemed too sensitive to leave the company. False positives arose because the disclaimer on every company email included the word 'confidential'.
What's the alternative? The answer is actually quite simple and lies in context combined with intelligent out-of-the-box policies within a comprehensive DLP strategy. The ability to accurately identify sensitive data, wherever it may be and wherever it is going, is key for any DLP solution.
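To illustrate the disclaimer false positive described above, here is an added example (written for this article, not a Websense product rule). The naive keyword rule flags every message that carries the standard footer, while a rule that strips known boilerplate first and then requires genuine sensitive content flags only the real incidents. The footer text, the sample messages, the Luhn check on card-like numbers and the "Classification:" label convention are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample of the footer a mail gateway appends to every outbound message.
STANDARD_DISCLAIMER = (
    "This email and any attachments are confidential and intended solely "
    "for the addressee."
)

# Constructed sample messages (no real data). Only "leak" and "labelled" are true incidents.
MESSAGES = {
    "lunch": "Team lunch is at 12:30 on Friday, see you there.\n\n" + STANDARD_DISCLAIMER,
    "leak": "Hi, here is the customer card: 4111 1111 1111 1111\n\n" + STANDARD_DISCLAIMER,
    "labelled": "Classification: Confidential\nQ3 acquisition targets attached.\n\n"
    + STANDARD_DISCLAIMER,
}

def naive_match(body):
    """Keyword-only rule: block anything containing the word 'confidential'."""
    return "confidential" in body.lower()

# 16 digits, optionally separated by spaces or dashes (assumed card format).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits):
    """Luhn checksum: separates a plausible card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def context_match(body):
    """Context rule: remove known boilerplate, then require real sensitive content,
    either a Luhn-valid card number or an explicit classification label line."""
    content = body.replace(STANDARD_DISCLAIMER, "")
    has_card = any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(content))
    has_label = re.search(r"^classification:\s*confidential", content, re.I | re.M) is not None
    return has_card or has_label

def classify(messages, rule):
    """Apply one rule to every message; returns {name: flagged?}."""
    return {name: rule(body) for name, body in messages.items()}
```

Running `classify(MESSAGES, naive_match)` flags all three messages (the lunch notice included), whereas `classify(MESSAGES, context_match)` flags only the card number and the explicitly labelled document.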
Planning a comprehensive DLP strategy
When planning a comprehensive DLP strategy, the following practices can reduce the risks of malicious threats, save costs associated with data management and security, and help meet regulatory compliance:
1. Identify, monitor and protect
It's important to identify what data is confidential, monitor where the information is going, and then implement protection controls to ensure it is only going to the proper individuals. This crucial step provides a better understanding of an organisation's business processes, and therefore enables them to develop sound data security policies to protect data.
2. Web and email content control
Organisations must implement a technology solution that can inspect and control content over the web and email, their two primary communication channels. Data loss via the web is four times more likely than email. When you email, you're mostly emailing your peers at work. When you're dealing with the web, every transaction or communication is outside your organisation.
For a security or IT team to be efficient and successful at protecting against these types of data loss, it's also important to look for ways to consolidate monitoring protocols and have a single inspection gateway. Web security gateways and email security solutions need to be strongly integrated with data loss prevention technologies and policies to be effective, deliver consolidation, and prevent the loss of data through these channels.
3. Understand the laws and regulations
It's important to understand the data laws and regulations not just where your business resides, but wherever it operates. This is critical because operating in a specific country or state may subject an organisation to its laws, even if it has no office there. It is important to be cognisant of the content in use and its context, and to consider whether the solution you deploy can create this awareness and enforce sensitive data policies.
For example, when your DLP solution identifies an incident over a web channel, does it report where the data was sent? If you do not receive this context, you run the risk of missing the details necessary to effectively and efficiently address the problem. A solution that gives you the full picture of an incident saves both time and resources when determining steps for remediation.
Where does DLP go from here?
Through proper employee education, an understanding of where sensitive data moves within the organisation and through which channels, and proper processes and technology in place to safeguard it, organisations can raise their security and meet the regulatory requirements of every area and region in which the company does business.
Comprehensive data security is multi-faceted, addresses the entire flow of data, and must consider various factors requiring simple and unified management. With a proactive approach to intelligently identify, manage, monitor and secure data, implementing DLP technology can mitigate the risk and simplify the task of ensuring regulatory compliance.
As the sophistication of threats increases, so too should the technology that protects the data that the cybercriminals are trying so hard to steal. The future of DLP technology is unified content security: a solution which can intelligently identify, manage, monitor and secure data using integrated web, email, and data security technologies to provide the best security for modern threats.
Adam Bradley is the ANZ country manager at Websense.