In the early 90s, a National Security Agency (NSA) official wrote a memo expressing concerns about how internal IT staff could be a security risk to the organisation – a risk that was realised 23 years later by NSA contractor, Edward Snowden who disclosed top secret documents to the press, which then went viral.
“It seems amazing that so few are allowed access to so much information – apparently with little or no supervision or security audits,” the official wrote, in a time when few had heard of the internet, email or had even used a PC.
Not every business harbours such a large volume of highly confidential information, but a majority have business-critical and sensitive data, whether it’s intellectual property, financial information or employee records. How many would want this type of information to get into the wrong hands?
The consequences of data leaks can be catastrophic in terms of damage to reputation, as well as financial losses, such as imposed fines and lost revenues. It’s estimated that each record leaked can cost around £80 to the business responsible; multiply that by tens of thousands of compromised records and the figure is daunting.
DLP deliberations
So how should organisations protect their data and themselves against the risks of damaging data leaks and losses – whether accidental, or malicious? The solution is data loss prevention (DLP). However, many businesses have avoided deploying DLP solutions to prevent data loss, because implementation is often seen as complex and fraught with challenges, involving a series of in-depth processes.
First, the information stored on an organisation’s servers and employees’ PCs needs to be audited and classified according to its sensitivity and confidentiality. Then the firm needs to evaluate its exposure to risk, and establish exactly what’s at stake should sensitive data leak. Finally, the business needs to consider the measures needed to counter and manage those risks, in terms of employee training, establishing new policies, controlling access to material and protecting data by encryption or other means.
While at first glance these tasks may seem onerous, not all of the steps described have to be taken at once. In fact, many organisations may not need to implement more than a couple of these steps to protect themselves against major risks of data loss.
One piece at a time
The most effective data loss prevention strategy is to approach it in bite-sized portions. The first step is to discover what type of information the company holds, and the potential consequences if that information were to fall into the wrong hands. This classification of data helps businesses to understand what their true risk of a breach is. The risk may be fairly low if a company doesn’t hold sensitive data and, as a result, the need for a security solution may also be low.
In contrast, many organisations do carry information about clients and partners, as well as intellectual property which is highly sensitive, in which case solutions such as encryption and identity and access management may need to be deployed.
Who’s using your data?
The next step is to monitor how data is being accessed and how information flows around the business. Does remote working form part of business practice? Is confidential data put onto USBs, emailed, or posted to personal Cloud storage accounts? How sensitive is this data? Are your employees walking around with confidential data without any form of protection or even your knowledge of doing so?
Auditing how data is used in an organisation is challenging, so it’s often useful for businesses to work with an external consultancy to help with monitoring the data flows across their networks, and to recommend how data policies and procedures can be set up and managed to maintain security and enforce good practice.
Using people power
It’s also important that staff know what the do’s and don’ts are when it comes to sharing information. E-learning resources on data security issues – from use of removable media, appropriate use of email and social media applications, to phishing awareness – are available to help you harness one of the most effective solutions available to organisations: security-savvy staff.
While times have changed, and we all have access to computing power that was unimaginable back in 1991 when that NSA agent wrote his original report, the threat of data losses and breaches remains and is stronger than ever. But with a stepwise approach to DLP, protecting your information assets need not be onerous.