Developing a Data Loss Prevention Strategy
by Scott M. Lewis
In some cases of company data loss, the company has no idea that it happened, where the data went or who took it. OK, this is true for most cases of company data loss, not just some. More often than not, in either scenario, there was no data loss prevention strategy in place within the organization.
There is a lot to consider when putting together a data loss prevention (DLP) strategy. The bigger the company, the bigger the problem and the harder it is to solve, but do not fool yourself into thinking it will not happen to you.
The basis for a DLP strategy is to prevent users from sending sensitive or critical information to a location outside the corporate network. However, in a comprehensive strategy, network administrators also use software to control what data users can transfer both internally and externally and to control the movement of data to unsecure removable media or other devices.
Software is a big part of a data loss prevention strategy. This type of software allows the company to set business rules on how it classifies and protects confidential information beyond the typical Microsoft permissions, preventing accidental sharing by unauthorized users. A word of caution though: There is an ongoing struggle between convenience, budget and security, and these things often come into conflict when you add another layer of security to your network.
Corporations need their people to be productive, but we also have to understand the human factor: people do copy information about our customers, vendors and suppliers off our networks and take that information with them to their next jobs.
A DLP strategy is something you can step into, allowing a culture of security to take hold within your organization over a long period. Therefore, the process of implementing a DLP strategy is something to really think about and plan.
You may be asking yourself the following:
• Do I really need a data loss prevention strategy?
• How big of a problem is this?
• Is it really worth my time and investment?
According to the Verizon Data Breach Investigation Report in 2017, 60% of data breaches can be tracked back to employees, where financial gain was the motivation. In some cases this could be in the form of a new job offered by a competitor. Most of this data was in the form of trade secrets, sales projections and marketing plans. In some cases it was personal information of other employees. This type of information is extremely valuable to competitors and on the data black market.
The whole purpose of a DLP program is to protect your data from the biggest risk, which, unfortunately, is your own employees. According to a McAfee report, “Grand Theft Data,” internal users were responsible for 43% of data loss, media theft accounted for an additional 40% of theft and the most common data stolen (23%) was in Microsoft Office file formats. The same study found that 64% of data security experts felt that a DLP strategy would have prevented the data loss.
Don’t forget about your mobile devices as part of your DLP strategy. Regardless of your choice to use an Apple or Android product, make sure that you take the time to secure your device and that you have the ability to remotely wipe the device in the event it is lost or stolen. Make sure you have properly configured your privacy settings because there are a number of new apps with the ability to sync data, track locations, and give push notifications and location information. All of these features are great for the average teenager, but in the business world these are not so great.
Also make sure you are backing up your mobile devices regularly. Disable Bluetooth when you are not using it, and turn off Wi-Fi unless you are connecting to a Wi-Fi system you know is secure. Otherwise you should use your cell provider’s network, as it is much more secure than Wi-Fi.
Corporate data is always a huge target for employees, competitors and of course the data black market. When it comes to planning your DLP strategy, consider data prioritization. Not all data has the same value, so you have to take a very objective look at the data and decide what would have the biggest impact if it were stolen or made public. Also consider whether you would know if your data was actually at risk and by whom.
Data risks can be reduced with:
• Archiving data properly.
• Limiting user rights, such as the ability to change or modify files and in some cases to copy or move the files.
• Adding another layer of encryption.
However, data is most vulnerable when it is on the move, whether via email, removable media or print, or between endpoints, which might be remote workspaces or offices.
There are some misconceptions about DLP strategies, such as the belief that they can cause latency on the network. Most DLP software manages both endpoints for data on the move. The tags used to control the data movement are quick and easy to read by the software at both ends.
Another misconception is that DLP programs will not work outside your network. In some cases, a DLP program will stop data from being sent out of your network. Depending on how you configure your DLP program, the controls can be placed at the data level, not the device level, so it will work both internally and externally.
There is also a common misconception that DLP programs will hurt productivity. New versions of DLP software place the controls at a data level, where users who are following corporate policies and procedures see no impact from an operations perspective.
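As an added illustration (not part of the original article and not any vendor's product code), the sketch below shows what a data-level control can look like: the decision depends only on the classification tag a file carries and the route it is taking, so the same rule applies on any device, and users moving data within policy are simply allowed through. The tag tiers, policy table, route names and sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Tag(IntEnum):
    """Hypothetical classification tiers, ordered by impact if the data leaked."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Constructed policy: highest tag allowed on each (channel, destination) route.
# Routes that are not listed are denied.
POLICY = {
    ("email", "internal"): Tag.CONFIDENTIAL,
    ("email", "external"): Tag.PUBLIC,
    ("print", "internal"): Tag.INTERNAL,
    ("removable_media", "external"): Tag.PUBLIC,
    ("endpoint", "internal"): Tag.RESTRICTED,
    ("endpoint", "external"): Tag.INTERNAL,
}

@dataclass(frozen=True)
class Transfer:
    user: str
    filename: str
    tag: Optional[Tag]  # None means the file carries no classification tag
    channel: str
    destination: str

def decide(t: Transfer) -> tuple:
    """Return (action, reason) from the data's tag and route only, never the device."""
    ceiling = POLICY.get((t.channel, t.destination))
    if ceiling is None:
        return ("block", "no rule for this route")
    if t.tag is None:
        return ("block", "untagged data")  # assumption: fail closed until classified
    if t.tag <= ceiling:
        return ("allow", f"{t.tag.name} permitted on this route")
    return ("block", f"{t.tag.name} exceeds {ceiling.name} ceiling")

def blocked_report(transfers):
    """List who tried to move what, and where, for every blocked transfer."""
    return [(t.user, t.filename, t.channel, t.destination, decide(t)[1])
            for t in transfers if decide(t)[0] == "block"]

# Constructed sample events (not real data).
SAMPLE = [
    Transfer("alice", "newsletter.docx", Tag.PUBLIC, "email", "external"),
    Transfer("bob", "sales_projections.xlsx", Tag.CONFIDENTIAL, "removable_media", "external"),
    Transfer("carol", "marketing_plan.pptx", Tag.CONFIDENTIAL, "email", "internal"),
    Transfer("dave", "notes.docx", None, "email", "external"),
]
```

Running `blocked_report(SAMPLE)` returns one record per blocked transfer with the user, file, channel and destination, which is the information a company needs in order to know that a loss was attempted, where the data was headed and who moved it.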
Scott Lewis is the president and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. He has worked with businesses to empower them to use technology to improve work processes, increase productivity and reduce costs. He has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management and support of technology resources. For more information, visit www.winningtech.com or call 877-379-8279.