A recent article claimed an average document can be replicated 30 to 40 times, with copies stored each time it's sent around, significantly increasing opportunities for loss of customer records, financial or proprietary data.

The risk isn't just to reputation or competitive advantage: commercial espionage is a growing concern. In autumn 2013 the director general of MI5 and director of GCHQ urged all FTSE 350 companies to take part in a 'cyber security health check', following a survey which claimed every organisation is 'leaking' information online.

Mobile working and BYOD increase these risks. It's been much easier to enable mobile working than to understand and manage its security implications.

Data Loss Prevention

Data Loss Prevention (DLP) enables organisations to maintain a network-wide inventory of data and provides visibility of data movement over the network and on mobile devices and removable media. It needs to be implemented at a strategic level to be effective – simply adding DLP tools to a network is not enough.

Solutions need to be based on the context in which data is accessed. Consider someone using their own tablet to check corporate email, then downloading an attachment as a PDF to read later. It throws up multiple challenges, from how to ensure only trusted tablets connect to the corporate network to what happens if the device is stolen or lost.

What if the user downloaded a classified document (e.g. marked Internal Use Only) - how can you provide tablet users with secure copies which can't be distributed or copied?

To avoid sleepless nights, the IT team need to develop and implement a DLP policy appropriate for their organisation, educate users on how it works, and ensure everyone in the organisation commits to it.

As with all security offerings, DLP tools enforce the policies you define, and the real skill in deployment and configuration is to correctly define what you need to happen.

DLP Requirements

DLP requirements broadly fall into two categories. Data in motion, or network DLP, deals with data transferred over the corporate network, including to the Internet or other private networks using applications such as web mail, FTP file transfer or online storage. Data at rest deals with data hosted on severs or storage platforms.

At the Internet border the DLP solution ideally integrates with existing firewall and content inspection solutions. There are integrated DLP solutions which provide firewall, content inspection and DLP functionality in one box.

However, in our experience they tend to have limited features, and don't offer the flexibility and granular configuration options of dedicated solutions.

Typically the problems I see occur where users are allowed to store data on their own machines. Data owners should be given responsibility for ensuring data is consolidated in a central network location.

The exact solution you choose will depend on the needs of your business. What's important is to consider the risks, explain them to your Board and get their commitment to address the issue in an appropriate way.

Once they understand the issues and risks they are facing I believe they will quickly see that time and resources spent implementing a DLP solution is time well spent.

  • Richard Blanford founded Fordway in 1991 and has built it into one of the UK's most respected IT infrastructure change providers. An ex-technician, his 20+ years' experience enable him to prioritise business-critical problems and offer constructive, vendor independent advice.