How to prevent data loss

Within the past few years, data loss prevention (DLP) has become a hot buzzword, as vendors of various persuasions rush to address - or take credit for addressing - the massive issue of data breaches.

With five of the 10 largest data breaches in history in the past year (1), data loss was clearly the biggest security issue in 2007. Because it involves the organisation's critical information assets, data loss is not just an IT problem, it is a business issue and a top priority for corporate executives and boards. In fact, it's clear to see why corporate executives in boardrooms around the globe are asking: “What can we do to prevent this from happening to us?”

The answer to that question lies in understanding the true nature and value of DLP as a solution - that involves not just technology, but also people and process - and why it's such a critical component to protecting and controlling an organisation's most sensitive data.

Data Loss Prevention (DLP) is the combination of people, processes and technology focused on preventing confidential information or other sensitive data from leaving an organisation. Whether it is personally identifiable information (PII) such as customer or employee records, proprietary corporate data such as financial statements or marketing plans, or intellectual property (IP) like product plans or source code, confidential data represents a valuable asset that must be carefully managed and protected.

While data breaches are very costly in financial terms, they also come at a price to the business's reputation and customer confidence. According to a recent IT Policy Compliance Group report, business losses can be significant if the breach is reported. Benchmarks show businesses experiencing a publicly reported data loss expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms, and additional expenses averaging $100 per lost customer record for firms that publicly disclose data losses and thefts.

There are four categories that cover ways that data can become breached:

* Accidental exposure: Information leaked via error
* Dishonest insider: Abuse of employee privileges
* Stolen computer: Employee reporting computer missing
* Hacking: Gaining unauthorised access

Just as DLP is not simply a technological solution, protecting information is not just an IT concern. In fact, it's very likely that IT may not always know what information is confidential and what is not. Preventing the loss of data is a business problem, and it requires a business solution. Consequently, before implementing technology to prevent data loss, key stakeholders and business unit managers must first come together to identify the data that most needs to be protected.

“Because DLP isn't an exclusively IT-driven discipline, it requires cross-team support and alignment from a variety of others, including facilities, compliance representatives from legal, enterprise risk managers, HR, marketing, and sales,” said Sean Glansbeek, MD of Seven Days Technologies.

“What does it take to get attention for DLP initiatives in today's enterprise? In most cases, it means making a compelling business case - and getting the right information to the right people in the right language.”

Here are a few key steps that will likely help:

* Choose your words wisely. Speak in terms of business advantages. Rather than talking about the threat of misuse or a malicious attack, consider simulating the impact of a potential incident in terms of consequent business loss.
* Use headlines to your benefit. Most business leaders dread the thought of the "orange jumpsuit retirement programme". There's a steady stream of privacy and data leakage issues that will continue to make the headlines. Make use of these "public hangings" to illustrate the real risks and move away from the incident probability statistic deadlock.
* Establish your milestones. Before seeking cross-team support, establish three milestones you expect to meet and explain in business terms how these milestones will provide returns to both IT and the business.

To be clear, the identification process does not mean classifying every piece of information that comes into, goes out of, or is stored within the organisation. To the contrary, it means identifying the few types of information which loss would result in the greatest negative impact for the company.

This is the information to which DLP will be applied first. For some organisations, this might be source code, product designs, and similar intellectual property. For others, it might be customer information or financial data.

A number of DLP solutions include a risk assessment component in which network activity is monitored for a two- or three-day period. A report is then provided that shows the organisation what data is going out through the network as well through each department, and how often it is going out. This report can be invaluable in helping companies determine what kinds of data are most at risk and which departments are creating the greatest exposure.

Once an organisation has identified the actual data requiring protection, this information serves as the foundation of the company's data loss policy. The organisation can then design processes in order to monitor for data loss incidents and measure their progress in reducing risk over time. It is critical to be clear on who does what in the event of a breach, so that should a crisis occur, the right people are following the right processes to mitigate risk.

For example, IT security as well as the involved employees and their managers may need to be notified. If malicious behaviour is suspected, it may be necessary to bring in forensic and legal specialists. If a major breach occurs, public relations may play an important role. And business unit managers will want to be able to track their data loss risk over time.

Today's more comprehensive DLP solutions can be configured to monitor whether the company's most important data goes out through a certain gateway, off a particular endpoint, and more. Organisations can use the actual information they know is important to define the policy and then match it exactly.

The newest DLP solutions also employ intelligent incident response capabilities so organisations can automate policy enforcement with flexibility. The inclusion of analytics and workflow enables the system to calculate incident severity and automatically deliver the appropriate level of enforcement. Better yet, by offering templates based on industry best practices for incident response and remediation workflow, these solutions can significantly reduce configuration time for IT.

The effectiveness of even the best technology and processes can be undermined if employees do not understand the value of their company's information assets and their role in mitigating risk. With heightened awareness, however, employees can also become a company's strongest line of defence, and its most valuable security asset.

But how? Formal security awareness training programmes can certainly help, as can clear security policies. Yet perhaps the most effective education comes through intervention at the time of action. After all, many data breaches are the result of simple user error. People make mistakes. They forget. They misunderstand. But they can also correct themselves - if they know they erred.

A robust DLP solution makes it much easier for users to not only know corporate data loss policy, but also to follow it. By providing various levels of real-time response, from remediation to notification and prevention, DLP provides on-the-spot correction. The cumulative impact of such automated efforts can be significant. In fact, one Fortune 100 company observed a 90% drop in data loss incidents just 10 days after enabling the automated user notification capabilities within its DLP solution.

Clearly, in today's wide-open world, CSOs and CIOs in businesses of all sizes are committing to protecting their data, regardless of where it is sent, stored, or used. With the help of DLP solutions that leverage people, processes, and technology, businesses can not only gain insight into where their data is, who is using it, and where it is going, but they can also effectively manage and control information risk exposure now and in the future.