With hacks and data breaches continuing to hit the news headlines, businesses should be more aware than ever before about the risks and threats posed to their data. However, data loss prevention often seems a daunting, onerous and costly task causing many businesses to overlook key aspects of their data protection strategy, leaving them vulnerable to attack.
We spoke to Steve Smith, MD of security consultancy Pentura, on the subject of how businesses can better protect their data, and the help that's available to them in the ongoing battle to keep their data out of the hands of criminals.
TechRadar Pro: Has the scope for DLP increased over the last 20 years?
Steve Smith: It's interesting that in the early 90s, a time when few had heard of the internet, email or even used a personal computer, a National Security Agency (NSA) official wrote a memo expressing concerns about how internal staff could be a security risk to the organisation. The memo read: "It seems amazing that so few are allowed access to so much information – apparently with little or no supervision or security audits."
23 years later this risk was realised when Edward Snowden disclosed top secret documents to the press, which then went viral. Has the type or extent of data the NSA maintains changed much in that time? Probably not. What has changed is how that data is stored. 20 years ago it would have been kept under lock and key whereas now it is predominantly stored digitally.
The shift to digital has presented people with multiple ways to obtain sensitive data – hacks, memory sticks, pictures captured by smartphone, the list goes on and on. 20 years ago there was one way and one way only to obtain that data – physically remove it from a building, past security, through various checks and so forth.
As businesses and organisations incorporate an ever growing number of solutions, platforms and applications into their IT operations, it goes without saying that the scope for data loss, and its prevention, rises in tandem. At a very basic level, by simply looking at the increasing number of entry points to data for staff and third parties, and the number of ways in which it can be removed from an organisation, you can see that the scope for DLP has drastically increased over the past 20 years.
TRP: What considerations do businesses need to pay to DLP?
SS: First, the information stored on an organisation's servers and employees' PCs needs to be audited and classified according to its sensitivity and confidentiality. Then the firm needs to evaluate its exposure to risk, and establish exactly what's at stake should sensitive data leak. Finally, having taken these steps, the business needs to consider the measures needed to counter and manage those risks, in terms of employee training, establishing new policies, controlling access to material and protecting data by encryption or other means.
Not all of the steps described have to be taken at once. In fact, many organisations may not need to implement more than a couple of these steps to protect themselves against major risks of data loss.
TRP: How would you recommend businesses initially tackle DLP?
SS: DLP implementation is often seen as complex and fraught with challenges, involving a series of in-depth investigative processes. However, a business can simplify the process by breaking its strategy implementation down into steps.
The most effective data loss prevention strategy is to approach it in bite-sized portions. This starts with identifying what data the business stores, establishing where it is stored, who has access to it, and putting in place systems and policies to ensure it is protected.