The growing scope and challenge of data loss prevention

TRP: In a standard business, who typically has access to data?

SS: The most obvious answer to this is any employee, with data access levels increasing according to seniority in the business. However, data access isn't limited to employees, IT departments and the boardroom.

Too often, ex-employees retain access to data, with research suggesting that more than a third of former employees still have access to company data and/or systems after they have left an organisation. Nearly 10% of employees polled admitted they had used their access/data rights after they had left an employer.

In addition to this, third-party suppliers and partners may have some access to data, or even be responsible for securely storing it in the first place.

An effective DLP strategy should not only cover the types of data and where it is stored, but also who has permission to access it, from new joiners to contractors, third-party suppliers and those who may have left the company.

TRP: Why does DLP continue to cause businesses problems?

SS: DLP is a huge task, and too often businesses try to tackle it as a single issue that has a single resolution when actually it is made up of many smaller components. Businesses that acknowledge this and tackle each component of DLP in a step-by-step manner, implementing the correct protection for each element, have far fewer problems tackling DLP and are far more successful at reducing their scope for data losses.

TRP: What are the most common reasons for businesses suffering data losses?

SS: Data losses most commonly occur for one of two reasons. Firstly, a business will have treated DLP as a one-off check box rather than an ongoing process. Secondly, a business might have tackled DLP as a single issue with a simple solution. Both of these reasons increase the likelihood of something being overlooked or forgotten, leaving a vulnerability in the overall strategy to be exploited.

It is important that DLP policies are continually reviewed and measures put in place to secure each individual aspect of the overall data protection strategy.

TRP: What steps can business take to give their data maximum protection?

SS: The first step is to discover what type of information the company holds, and what the consequences would be if different types of files and documents were to get into the wrong hands. This classification of data will help businesses to understand what their true risk of a breach is.

The risk may be fairly low if a company doesn't hold sensitive data other than that of their employees and, as a result, the need for a security solution may also be low. In contrast, many organisations do carry information about clients and partners, as well as intellectual property which is highly sensitive, in which case solutions such as encryption and identity and access management may need to be deployed.

The next step is to monitor how data is being accessed and how information flows around the business. Does remote working form part of business practice? Is confidential data put onto USB sticks, emailed, or posted to personal cloud storage accounts? The answer will inevitably be yes, as businesses cannot function without sharing information; but just how sensitive is this data? Are your employees walking around with confidential data without any form of protection, or even without your knowledge that they are doing so?

Auditing how data is used in an organisation is challenging, so it's often useful for businesses to work with an external consultancy to help with monitoring the data flows across their networks, and to recommend how data policies and procedures can be set up and managed to maintain security and enforce good practice.

TRP: What DLP assistance is available to a business?

SS: The UK government has launched the Cyber Essentials Scheme which is managed and reviewed by regulator CREST. The scheme is part of the government's National Cyber Security Strategy and provides an independent assessment of the essential security controls that organisations need to have in place to mitigate risks from internet-borne threats. This includes internet connected end-user devices such as desktop PCs, laptops, tablets and smartphones, and internet connected systems including email, web and application servers.

There is also a wide range of technical solutions available, including both hardware and software. In addition to this, consultancies such as ourselves can provide staff training, audits and testing of DLP strategies to help businesses enhance protection and reduce vulnerabilities.

About Steve Smith

Steve is Managing Director and owner of security consultancy Pentura, and has been since 2003.

Désiré Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.