How often do you think the average document is replicated and stored as it’s sent around an organisation? Every time this happens, it increase the opportunity for loss of any sensitive data, from financial data to customer records. And of course mobile working and BYOD increase the risk of data loss, as staff connect various devices to the corporate network to look at email and read and/or download corporate documents.
Data Loss Prevention (DLP) enables companies to maintain a network-wide inventory of data and have visibility of data movement both over the network and on mobile devices and removable media. However, simply adding DLP tools to a network is not enough. Organisations need to develop a DLP strategy before they start thinking about technology solutions.
First, the organisation needs define its DLP policy, including which devices can be used to connect to the corporate network and the use of mobile storage devices. Secondly, the entire organisation must commit to the DLP policy. Too often we see that the implementation and management of DLP (and information security in general) is being left to the IT department. So DLP needs board level commitment before implementation, executive sponsorship during implementation, and user education to ensure that users understand what they need to do and the penalties for policy violations.
User education is particularly important. For example, one of the key controls that may be used to protect data on laptops or PCs is to disable the use of USB or other mobile storage devices. This usually proves to be an unpopular decision and so user education and awareness training needs to form an important part of implementing this control.
It’s also important to have commitment from the various data owners, who should be responsible for managing and keeping their data safe once the solutions been implemented. They can use the DLP tools to define granular and specific policy and reporting requirements appropriate to their needs.
For example, the Engineering department will share data very differently from the way Finance or Marketing would do. Engineering will often share specific data with component manufacturers or subcontractors, while Finance may share data with investors, auditors or external accountants. The requirements of each department will be unique and often dynamic as well. For example, data may only need to be shared once and perhaps at very short notice, requiring a flexible solution. This makes it important that the chosen DLP solution can be used by data owners, otherwise users will either push this back to the IT department or attempt to circumvent the DLP controls.
Walter Rogowski, Network Consultant, Fordway
Walter is a network consultant and project manager with a specific focus on security. In his 12 years at Fordway he has designed and implemented secure data communications, firewalls and intrusion detection systems and worked on security penetration testing for a wide range of organisations, including leading technology companies, councils and universities. Prior to joining Fordway Walter worked in the City of London providing and supporting secure LAN and WAN installations and access solutions. He has a degree from the University of South Africa.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.