It's no secret that security breaches are on the rise, and business security defences are under scrutiny as a result, with many seemingly unprepared organisations out there (last year, an Ernst and Young report highlighted the deficit in IT security with only 4% of the 1,900 executives interviewed reporting that they had sufficient cyber-security defence measures in place).
As a result, more than ever, governments and businesses are being fined for data breaches which could and should have been avoided. But what steps can IT managers take within businesses or departments to ensure their data is protected, and how can they convince the board that each solution is worth the investment?
Businesses today are turning to Data Loss Prevention (DLP) solutions to protect business-critical data for a variety of reasons, but all with three common objectives: to increase productivity, assert control over data, and facilitate cost savings. DLP is now undoubtedly a necessary and business-critical part of a modern company's IT infrastructure.
This article offers some insight into several aspects of DLP solutions, starting with some common misconceptions, followed by an overview of the different types of DLP processes and of the business benefits gained from deployments.
An outdated approach
For many years the information security market focused on protecting an organisation's network from the internet, on the assumption that all incoming traffic from the internet is potentially dangerous and needs scanning. Outgoing data, by contrast, was usually left untracked. Companies believed they could protect themselves from incoming threats, and therefore that none of the outgoing data was at risk unless there was information proving otherwise.
This presents a large problem: if just one attack is successful, it could spread throughout the network, targeting critical data. However, as the major point of hacking is to steal information, that information still has to leave the network, which is when it can be detected. Critically, a DLP solution can expose sensitive data in transit, in use and at rest.
For example, if an attacker has breached the network and is sending a file out, their programs likely use a different encryption method from the server standard. By tracking the encrypted data, its destination can be discovered, which allows a company to determine the appropriate response, i.e. legal proceedings.
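The outbound check described above can be sketched as follows. This is an added example, not code from the article or from any DLP product: it flags egress flows whose payload looks encrypted but did not use the organisation's standard channel, reports the destination, and also catches a card number leaving in clear text. The flow record fields, the `corp-tls` channel label and the entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.0             # bits per byte; assumed cut-off for "looks encrypted"
SANCTIONED_CHANNELS = {"corp-tls"}  # assumed label for the organisation's standard encryption
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def review_egress(flows):
    """Return (destination, reason) for each outbound flow worth investigating."""
    findings = []
    for f in flows:
        payload = f["payload"]
        # High entropy outside the sanctioned channel: encrypted (or compressed) data.
        if f["channel"] not in SANCTIONED_CHANNELS and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
            findings.append((f["dst"], "non-standard encrypted payload"))
        for m in CARD_RE.finditer(payload):
            if luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
                findings.append((f["dst"], "card number in clear text"))
                break
    return findings

# Constructed sample flows (documentation addresses, not real traffic).
OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_FLOWS = [
    {"dst": "198.51.100.7:443", "channel": "corp-tls", "payload": OPAQUE},
    {"dst": "203.0.113.50:8443", "channel": "unknown", "payload": OPAQUE},
    {"dst": "192.0.2.25:25", "channel": "none", "payload": b"Invoice for card 4111 1111 1111 1111, thanks"},
    {"dst": "192.0.2.80:80", "channel": "none", "payload": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"},
]

if __name__ == "__main__":
    for dst, reason in review_egress(SAMPLE_FLOWS):
        print(dst, reason)
```

High entropy alone cannot separate encrypted from compressed data, so a finding of this kind is a prompt for investigation of the destination, not proof of exfiltration.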
Demands business input
DLP solutions are deeply entwined with the business process and therefore need business engagement. Any legacy issues with DLP were due to a lack of data education and strategy. When DLP was originally developed, people thought that it could be treated like Intrusion Detection Systems (IDS) and be given to the IT teams as a data loss solution. However, due to the nature of DLP, it requires business input to determine what data is critical.
New hybrid approaches, where both the business and the security teams work on the DLP system, have led to some very successful implementations. As a result, organisations can rectify security issues by giving the business visibility of information that leaves the organisation, as well as creating a greater awareness of some of the bad business processes operating within the company.
DLP solutions provide greater visibility; this has not always been a desirable quality in business. In the past there was an attitude – especially in some smaller companies – that if you weren't looking for a breach then you couldn't discover one, and therefore you wouldn't have a legal obligation to report it or suffer legal repercussions as you could not have known.
This attitude is becoming increasingly unacceptable, and the costs of a hacking scandal are far greater than just the fear of being fined. Take for instance the QinetiQ scandal, where it was revealed that there had been a leak on the QinetiQ server for three years and some of the firm's intellectual property was stolen. This not only cost them revenue, as some of their competitors obtained their blueprints and were able to produce equivalent technology, but also inflicted reputational damage.