Five Steps to Better Data Loss Prevention

Data Loss Prevention (DLP) protects companies against the loss of sensitive data. In the world of data, everything has increased. IT and cloud-based software and apps, cyberattacks and employees’ increased mobile usage are just some of the ways that confidential data can escape from a company. A relevant and working DLP strategy is key to preventing this from happening, or managing it in the most effective way possible, so we’ve put together five steps to better protect data.

Protect data in all locations

We mentioned mobility because it is one of the areas that even a great DLP strategy can completely fall over on. While a company might have fantastic Data Loss Prevention within its corporate LAN, this no longer serves as a contained endpoint for data loss. With mobile and cloud-based software usage at its current rates, data needs to be protected wherever it is. Additionally, look at finding an offsite server to back up your company’s data in case of an emergency breach through a natural disaster, crash or cyberattack. Having your data held in more than one physical location serves as an additional protection mechanism.

Prioritize the important stuff

DLP’s main role is the protection of sensitive data. There has to be a balance in companies between allowing file sharing to go relatively unhindered in order to boost productivity, and creating systems that prevent those files from being lost. This is generally done by choosing which of those files would be most detrimental to lose, for instance, intellectual property or financial records. This gives you somewhere to start and means that a DLP system won’t lower productivity for files whose public release would not be at all catastrophic.

Get to know your data

Monitor and track the regular movement of your data. This is particularly useful for picking up when there are internal threats in general, but mainly it makes it clearly visible where your sensitive data is going, and what threats it might face along the way. Doing this ensures that you are across what is happening with your data, and therefore will be able to ensure that the DLP strategy you apply will work for your company.

Ongoing help

Realize that a plan to prevent data loss is not a one-off investment of money, time and resources. Data loss involves people, IT, and the web, all of which are constantly changing. Your DLP plan needs to constantly change and mature as well. Engage with security solutions specialists to amend and rework all parts of the strategy, and then look internally to ensure that staff are receiving the guidance that they need – and that the strategy actually works for them and the way they work.

Incremental change

Much like the strategy itself, which constantly needs to be reworked, your employees will need to change too, as they are integral to ensuring the strategy’s success. Running a pilot that protects only the most sensitive data is a way to safeguard yourself against purchasing an incredibly comprehensive DLP strategy that doesn’t operate quite in the way it should. It’s only by testing it out in an incremental way, monitoring the data movement, as well as how employees are using the policies, systems and plans, that you’ll be able to ascertain whether that system is right for the business.

IT security no longer lies just with anti-malware or virus software. The significant advances in IT have brought with them substantial amounts of information and knowledge sharing through data. While this has seen a momentous boost in productivity, knowledge, and ideas for many companies, it has also increased the risk of important information getting into the wrong hands. Data Loss Prevention is an essential part of any company’s security policy and, with these five steps, you will be able to achieve a strategy and a plan that works for your company.

Data Loss Disasters: Are You Covered In An Emergency?

The dreaded crash, the blue screen, or the security breach brings on a familiar feeling of terror to every computer user. For small to medium sized businesses who are increasingly relying on software and cloud-based solutions to boost their company’s productivity, the stakes are much higher when this happens. The issue with the increase in IT solutions is that this also needs to be coupled with an increase in data security, particularly in the case of an emergency, and this doesn’t seem to be happening with SMBs. According to The National Archives & Records Administration in Washington, 43% of companies with no data recovery and business continuity plan actually go out of business following a major data loss.

While this covers all data loss, and not just internal threats such as accidental or malicious leaking, it is still a startling figure and one that can be easily addressed with a Data Loss Prevention (DLP) strategy. Any good plan should always incorporate an emergency scenario and that is what we will be discussing today, how to cover yourself in a data loss emergency.

Clear communication
This should be one of the most important features of any emergency response plan. When things go wrong people panic, people try to cover up and people inevitably do not take the most rational and responsible course of action. By ensuring that your emergency DLP plan is simple and succinct, and is clearly communicated to all staff in a way that they can easily action, you’ll help to ensure that employees take the right action.

Back it up
Knowing the risks is the first step to appreciating just how important data backup is. There are the ‘real life’ physical threats such as vandalism, fires and floods, and even power surges which affect thousands of computers every year. Then, of course, there are the not so physical threats such as cyberattacks and ransomware. With so many ways for an emergency data loss to occur, backing up files is crucial to prevent data loss in these situations, and always the easiest solution if it does occur.

Backup again. And again
Automate the backup to ensure that nothing is left to chance and that it occurs on a regular basis. Then find a separate server in an off-site location that will prevent data loss if your entire internal system is compromised. Again, it’s always easier to recover the data from a backup than from a crash.

Decent security
Your emergency response plan should employ or align with security professionals, largely to prevent the ever-present threat of cyberattack. Security professionals will be able to continually update multi-layer encryption and change algorithms as part of their prevention plan, but they will also need to constantly update and review the emergency routine as part of this.

Given that most of us have experienced a computer crash in our lifetimes, we all know that emergencies happen. With the increasing threat of cyberattack, these emergencies are now much more widespread than ever before. By treating emergency data loss like it’s a reality, you’ll be able to create an environment where data is sufficiently backed up, and where an emergency response plan is as up to date and impenetrable as possible, and clearly communicated to staff so that it actually works.

Mobility and Security: What You Need to Know

The increase in mobile usage for work purposes is a mutually beneficial development for businesses. It allows employees more flexibility and agility, both professionally and personally. And, in turn, this results in companies being able to reach their strategic goals in an effective way. The problem that businesses are facing with this increase in mobility is that it inevitably means an increase in endpoints that a Data Loss Prevention (DLP) system has to cover. With roughly 90% of Americans now owning cellphones, many of which are brought into the workplace and even used for work in companies with BYOD (bring your own device) policies, it is essential to know what you should be doing to keep your files secure.

The risk
The risk is, of course, that increase in endpoints from mobile devices, wireless networks, and other mobile and cloud computing services. This creates an environment with no boundaries, unlike the in-office environment that DLP strategies generally cater for.

What exists currently
Mobile policies for companies tend to vary wildly from organization to organization, meaning there are no standard guidelines to follow. Many companies hope that their employees will follow their mobile policy when it comes to the sharing of confidential files on mobile. However, a policy is not a preventative strategy in the same way that a comprehensive DLP strategy is. It relies on a certain level of faith and, given the level of work activity and the level of access to work files on mobile, this undermines the effectiveness of the entire DLP strategy.

What do companies do
Many companies avoid invasive software and protocols for mobile devices, often down to privacy issues, especially with BYOD workplaces, and device compatibility. Data Loss Prevention is normally not employed on mobile, so the comprehensive range of solutions available in the office is not available for mobile in the same way. Therefore, workplaces find themselves in a situation where employees can get around DLP protocols and send sensitive information to their phones and onto cloud sharing platforms at just the swipe of a button.

In some cases, employees are actually more likely to compromise confidential information by leaking or sharing it when they are out of the office, and therefore perceive themselves as less likely to be physically caught.

Some companies use Virtual Private Networks (VPNs) and Cloud Access Security Brokers (CASBs) to assist in reducing the risk, but there are major concerns with both. VPNs don’t have any control over the interfaces that companies are increasingly moving towards, such as Software as a Service (SaaS) apps like Salesforce and Office 365. CASBs appear to get around this by allowing control over SaaS apps; however, they offer very limited DLP capabilities, rendering them not a viable solution at all for most companies serious about DLP.

The solution
So, how do companies extend their security to the mobile arena? You don’t want to prohibit the easy sharing and transfer of content that enables your employees to work on the go, so generally it is best to place the focus specifically on prohibiting the transfer of the sensitive information you cannot have released:

  • Place a watermark on confidential content
  • Block screen captures and clipboard functions for sensitive information
  • Prevent download of sensitive files to mobile
  • Multi-factor authentication for apps
  • Log mobile activity and track suspicious circumstances

While DLP may not have the comprehensive architecture for mobile quite yet, that doesn’t mean it’s worth ignoring the risk. There are plenty of DLP solutions out there that can provide your organization with the focuses above and find a happy medium between complying with privacy guidelines and protecting your organization’s data.

5 Common Misconceptions About Data Loss Prevention Debunked

In an age where sensitive information lives in clouds and on endpoints, instead of behind lock and key, Data Loss Prevention has become big business. That infamous saying ‘at the click of a button’ now has to be a carefully monitored click to ensure that critical information isn’t shared with the outside world, either maliciously or by sheer human error. DLP can be a confusing area of the technology industry, not to be confused with its anti-virus counterparts, so we’re here to debunk some of the most common misconceptions people have around DLP:

The threat is from the outside
The ‘which is worse’ debate is hotly contested between inside vs outside threats, with the likes of Intel suggesting that internal actors were responsible for 43% of a company’s data loss, and half of this activity considered malicious, half accidental. Regardless of which statistical report you believe, internal threats make up a huge amount of a company’s data loss, particularly as internal threats have greater access to this data. They shouldn’t be ignored to focus on the, often perceived as more dangerous, outside threats.

Ready-to-wear solutions
Outside threats have held huge significance in our lives over the years – of any technological breach, outside threats are the ones that take up the most space in our news media, and what we absorb from the internet. Because of this, some companies approach DLP from an ‘outside threat perspective.’ That is, they talk in the language of patches, firewalls and anti-malware. DLP needs a different approach because it is not a piece of software. The exciting thing about DLP is that it is an all-encompassing, working strategy fitted to your company, rather than an out-of-the-box, download it and hope it works software solution.

Call the IT department
Similar to our last point, there can be a misconception around who should be running a DLP strategy within a company. While DLP incorporates many technological elements to it, thinking that it should be an IT responsibility is along the same lines as treating DLP like it is simply software. To truly get the most out of a DLP strategy, it needs buy-in from all corners of the company. The threat is from the inside, therefore all those on the inside must be on-board with minimizing it, in order for it to work. How to do it? Delegate responsibility to its relevant skillset. Certainly pass over the specific technological aspects to the IT team, but also think of creative ways that leaders and communications specialists can communicate direction and action points to all staff.

Productivity grind
We have all experienced the dreaded words ‘new strategy’ at certain times in our career to be synonymous with ‘new admin’. It’s a common misconception that Data Loss Prevention will be time-consuming and add unnecessary frustration to a staff member’s already busy day. It’s crucial that we debunk this one as it is what will inevitably derail that buy-in from all staff members. DLP has been in the marketplace for a significant enough amount of time that its systems and protocols are fine-tuned and highly personalised. Professionals can look at a company and tailor a solution that’s convenient and efficient in requiring authorization only where it is needed. The key to this is, of course, how DLP strategy is implemented at the start. If policies clearly outline the levels of authorization, this clears up any risk of blanket rules applying across companies and slowing things down.

Too big to handle
For many small companies, DLP can seem overwhelming and the question is often raised as to whether it is really necessary for a small business to implement. The risk of data loss applies to all companies, big or small, so the question should be framed more around how sensitive the information is and how catastrophic it would be, should it be leaked. If the risk is high enough for either, then DLP shouldn’t be considered a solution that is too large for a small company. Because DLP is a series of policies and protocols, as well as the technological aspect, it can be applied incrementally. What is the area of a company that is most at risk? Set up DLP procedures around that data only and move on to the next important set of documents when you can.

While none of us want to believe that the employees who work for us, or alongside us, are capable of maliciously leaking sensitive data, the reality is that they are, as well as leaking it by accidental means. The Data Loss Protection marketplace looks to combat this with a holistic approach that involves more than just software and IT teams – it’s a company-wide program whose ownership lies firmly in the hands of the people who use it, not the technology itself.

6 Steps to Manage Data Loss Prevention When It’s Already Happened

Detecting and preventing the leakage of data outside of an organisation is the true objective of Data Loss Protection (DLP). Whether the data is lost by an internal source maliciously, or whether it was by accident, DLP is seriously big business in mitigating the risk of sensitive information leaking out. Because DLP is a process or strategy more than just a piece of software, a breakdown in the process means data may still be lost. Here are a few ways to make that data loss more manageable when it happens despite having a DLP strategy in place.

If you’ve invested in safeguarding your company from data loss but it has still occurred, there has been some kind of breakdown, either in the strategy itself, or in how it’s implemented. It can seem overwhelming after you’ve invested a great deal of money under the assumption that DLP would work, so try employing these tips to get back on track:

1. Investigate and identify

If you can figure out how the leak happened and at what stage of the process then you can use the following steps to immediately rectify that part of the DLP chain. If not, read on.

2. Get back to basics

Where does your data reside and where is it going? Has every possible option been considered? Don’t just concentrate on cloud and endpoint based options, also consider how your data can physically be transported out of your company – through photocopies, USBs, lost devices.

3. Work with your provider

Work with your DLP solution provider to come up with solutions for these options.

4. Consider the people

A successful DLP strategy is one that involves people from all contributing parts of the company. Does part of the process need to be communicated in a creative way? Use a communications specialist. Get your management team on board to lead by example. Is it a process that is convenient and workable for all users, do they understand the guidelines? Ask for feedback and adjust.

5. Be at one with technology

Work with your provider to assess the technology you’re using, such as encryption enabling between third parties. Be sure to use the feedback from step four. For instance, are employees emailing documents to their personal email because remote access tools aren’t flexible enough for the way your business works?

6. Go forth and multiply

Be prepared to make multiple changes to your DLP strategy. It has to mold to your organization and, more importantly, the people in your organisation who don’t necessarily operate in the same way as your DLP technology does.

A loss of data after implementing a DLP strategy can be frustrating and time-consuming, but it can be rectified and managed easily by implementing the above steps. It’s good to remember, also, that you should be revisiting these steps from time to time. As your business changes and grows, so too will your strategy.

Four Examples of Data-Loss Prevention Gone Wrong

It is not uncommon today to come across media headlines decrying the massive loss of data in a private company or government department. These data breaches have far-reaching consequences for both these organizations and their customers. Often, private information gets into the wrong hands and can end up hurting many people.

Not long ago, the primary concern of IT departments was to protect data from outside threats such as hackers and viruses. However, today, internal threats take up much of these departments’ time and energy, mainly due to the proliferation of web-based applications. In addition, insider threats remain largely undetected because sensitive information comes in and leaves the company on a daily basis through emails, file transfers, webmail and social media.

Needless to say, any data loss can be a cause of significant problems to the company. Loss of sensitive information can wreak havoc to a company’s reputation and financial position due to the cost required to fix the mess. No wonder it is estimated that 70% of SMBs experience a significant data loss collapse within a year. Additionally, no company or organization is immune to data loss.

Let’s now take a look at some real life examples of data loss prevention gone wrong. Luckily, these companies detected data-breach incidents early enough to fix the mess before they suffered any major loss. However, all those who act when it is too late may not be as lucky. That’s why some companies never recover due to negative PR, legal fees, regulatory fines and loss of consumer confidence.

AMAG Pharmaceuticals

AMAG is a pharmaceutical company based in Boston that employs over 300 people. It is heavily regulated, as expected of any company dealing in health and pharmaceutical products. It lost data when an HR folder that had not synced correctly was moved in Google Drive. Consequently, all files in the folder disappeared, including many that did not belong to the person moving the folder. The employee ransacked the trash and recycle bins, but the data had already been lost. Fortunately, AMAG had backup software that allowed them to restore all of the files. Without the backup software, AMAG would have been in serious trouble with the regulators.

Bartle Bogle Hegarty

Bartle Bogle Hegarty (BBH) is a leading marketing agency based in London. It has over 1,000 employees and volunteers. It works with some of the biggest brands in the world. Their data-loss story was a result of someone trying to help by cleaning up a client’s folder. As a result, more than 1,000 folders and files were lost, even those that didn’t originally belong to the user. The “helpful employee” checked both the trash and recycle bins, but the data had already been lost. These examples show that although employees are critical to the success of your business, they also pose the biggest threat to the security and safety of your company. BBH used backup software to salvage what they could, but the metadata was already gone. Knowing where sensitive information is stored and who is accessing it is a fundamental component of any data-loss prevention (DLP) strategy.

Alzheimer’s Association

You may have heard of the Alzheimer’s Association and their great mission to eradicate this disease. With over 2,800 employees and volunteers, the charity is engaged in care, support and research to combat Alzheimer’s disease. The organization suffered massive data loss caused by a departing employee who deleted all his emails on his way out. It is unclear whether the employee was trying to be helpful or was erasing his digital footprint in the company, but his actions had dire consequences. Among the emails deleted were those that were part of a major fundraising drive. This would be a huge blow to any charity because it means loss of contact information and pledges made.

Ashley Madison

Ashley Madison, a leading infidelity and married dating site with over 40 million users, suffered arguably the biggest data breach ever recorded. Crucial personal information, such as credit card information, names and contact information, was exposed. This violation was primarily seen as an inside job.

What Your Company Doesn’t Know About Data Loss Prevention

DLP has been around long enough now that your business understands its importance. Your business knows that not having a DLP plan can expose the company to a myriad of risks, many of which are catastrophic. Taken a step further, you know that threats exist inside and outside the company and, therefore, DLP operates in both realms. Armed with this knowledge, your business has successfully implemented a DLP strategy and has continued to experience growth with less risk of tragic loss. And, if your business is like others, that is where DLP has stopped. It is working, so why change it, right? What your business doesn’t know about DLP is that these initiatives are moldable and need to be revisited as your business changes. Said differently, DLP is a complex system that must be retooled over time so that it continues to benefit your company and doesn’t leave any components exposed.

What Happens when Your Business Changes but Your DLP Plan is Not Re-Adapted

DLP is designed to be dynamic.  It is often designed around business processes, which are specific to the company implementing the plan.   Your business is unique and doesn’t operate the exact same way as others.  Over time, your business will evolve and these processes will need to be rekindled.

Take the sales process as an example.  Today, many companies are using mobile apps as a way to drive sales when previous methods may have required face to face meetings or telephone conversations.  It is the same process – sales – that is being completed in different systems, but in a manner that is diametrically different.  If the underlying process is changing so dramatically, shouldn’t the DLP initiative that protects the process also change?  After all, what might have been an effective method in the old system might very well be an outdated method in the new system.

A world of outdated DLP leads to two primary risks:

  • There are gaps in protection that expose the company to unnecessary risk of loss.
  • The old DLP plan uses outdated methods that weigh down the new process and therefore make it less effective.

Both of these risks are reason enough to make sure that your DLP plan is updated as there are changes to your business.

The Good News

DLP is a completely flexible system that is built to benefit your business. As a result, updating your DLP plan as your business changes doesn’t have to be a complex and costly exercise. In fact, many of today’s best DLP initiatives are modular in nature, meaning that they can be implemented in phases so that your company is not shocked with too much change in too little time [1]. So, if your business process is changing in steps, then you are also able to implement changes to DLP in those same exact steps. This may also correlate to better cost control as you can align changes in one system with another, thereby reducing the rework or additional work.

Just remember that DLP doesn’t work like a Band-Aid. In other words, you can’t just put DLP in place and then expect it to work across all of your different business processes just to rip it off one day and have everything be magically healed. This is actually good news because as your business changes, you are already in a position to recognize support systems that may also need to be updated. It is, therefore, natural to retool DLP and other supporting systems at the same time as the process undergoes changes. That puts your business in a better position to recognize any new critical data that needs to be protected before there is risk of exposure when the new system is live. Further, this allows other data flows that support the changing process to be modified so that the entire network is updated and works cohesively.

DLP as a System

Similar to your company, DLP is a system of processes that work together to accomplish their tasks [2]. As one system changes, so must others in order to prevent gaps in coverage that may leave data exposed to risk. DLP doesn’t work in isolation and neither does your company. As a result, it is important to align changes in your DLP plan with changes in your business processes so that they continue to work in tandem towards your common goals.

 

 

Citations:

[1] Fajer, Salo. “Debunking the Common Myths of Data Loss Prevention (DLP).” ITProPortal. 26 July 2016. http://www.itproportal.com/2016/07/26/debunking-the-common-myths-of-data-loss-prevention-dlp/.

[2] Simon, Bryan. “The Truth About DLP & SIEM: It’s a Process Not a Product.” Darkreading. 11 September 2015. http://www.darkreading.com/analytics/the-truth-about-dlp-and-siem-its-a-process-not-a-product/a/d-id/1322101.

Breaking Five Common Myths in Data Loss Prevention

Data loss prevention (“DLP”) is an ever-growing development field. In that same light, the DLP of today is diametrically different than the DLP of yesterday. Let’s be real and admit that companies today are aware that DLP strategy is important, since today’s environment includes extremely high transferability of data across a virtually unlimited number of platforms and devices. While businesses a decade ago had the luxury of not worrying as much about DLP, their successors don’t get that same opportunity. A modern business knows proper DLP policies help prevent significant threats to the organization, sales pipeline and structure. Here are 5 DLP myths that need to be broken so DLP strategies can be implemented and can operate more effectively.

Myth # 1: DLP Requires a Vast Amount of Resources to Maintain

This myth is rife in small and medium enterprises. Rightfully so, because there is a perception that DLP requires resources that may not fit everyone’s budget. To be fair, it is always important in the business world to weigh costs and benefits, and a DLP initiative shouldn’t be treated any differently. However, modern DLP systems don’t have to cost an arm and a leg to implement and to maintain. In fact, most modern DLP systems have been developed to be flexible and to cater toward a multitude of budgets with different goals in mind. Gone are the days where DLP was made from a cookie-cutter formula with a set cost and result [1].

Myth # 2: There is a Significant Lead Time in DLP – by the Time it is Implemented, it is already Outdated

Historic DLP initiatives took time to implement. This often caused frustration, due to the danger that by the time the DLP process was fully operational, enough developments in the market would outdate the current system. Modern DLP works differently, however, in that the processes are more segmented and built to work individually and in unison. The result is that DLP systems can be implemented in timely phases that allow for the acceleration of the DLP strategy and the ability to cater the implementation based on real-time development [1].

Myth # 3: DLP is One Person’s Problem, but Not Mine

Successful DLP is built around a company culture and strategy. As a result, DLP cannot be tossed off as one person’s problem instead of a company-wide problem. What this means is that today’s DLP initiatives need to be shared in the company. This is due to the proliferation of electronic data use across businesses—even the junior-most employee often has significant access to data that needs to be protected! As a result, today’s DLP must be built around a culture of training, learning and responsibility across all levels [2].

Myth # 4: Once we Implement DLP, we can let it Ride to do its Work Without Monitoring

Wouldn’t it be great if this were the case? Unfortunately, it is not so. Though today’s DLP has evolved to the point where it can be left to many effective automated processes, there is still a degree to which monitoring and improvement are necessary. Said differently, a DLP strategy is a living system, similar to other business processes. Therefore, once a DLP system is implemented, there should be additional systems in place to continuously grow and work with the system so it is more effective over time. DLP systems are like gardens: They need to be maintained or there is risk of weed overgrowth [3].

Myth # 5: Let’s Just Protect the Most Important Things and let the Rest be at Risk. The Other Stuff isn’t As Important, so who Cares if the Small Stuff Slides?

DLP systems do not work in a vacuum. It is often a trap that the fiscally concerned may consider—cut out some DLP concepts to save in the short term. To reiterate, DLP systems are not effective if there are weak spots all around. Actually, weakness in one area may lead to weaknesses elsewhere downstream. To be effective, DLP systems should be set up to work in unison without one area being a strong spot at the expense of another. Companies need to focus on making sure the whole DLP system operates effectively [4].

DLP initiatives are important. Nevertheless, a number of myths still swim around in the market and can prevent a business from realizing its full DLP potential. Being on top of these myths is important and can add value to any business looking to further its DLP initiatives.

Citations:

[1] Fajer, Salo. “Debunking the Common Myths of Data Loss Prevention (DLP).” ITProPortal. 26 July 2016. http://www.itproportal.com/2016/07/26/debunking-the-common-myths-of-data-loss-prevention-dlp/.

[2] The Absolute Security Insider. “Posts with Tag: Data Loss Prevention.” Absolute. 22 June 2016. https://blogs.absolute.com/tag/data-loss-prevention/.

[3] IT Business Edge. “Data Loss Prevention: 5 Reasons You Need to Step up Your Game.” http://www.itbusinessedge.com/slideshows/data-loss-prevention-5-reasons-you-need-to-step-up-your-game-07.html.

[4] Kolochenko, Ilia. “Five Most Common Myths About Web Security.” CSO. 3 May 2016. http://www.csoonline.com/article/3064681/application-development/five-most-common-myths-about-web-security.html.

2017 Developments in Data Loss Prevention

Do insiders pose the greatest threat to data loss in an organization? Recent statistics indicate the answer is yes. Actually, according to one study, over 90% of all cyberattacks were conducted by an insider [1]. The overwhelming result is that companies must focus on preventing data loss by getting ahead of insider threats that may be due to both malicious intent and accidental occurrence. Here are four developments for 2017 that you should focus on in conjunction with your overall insider data loss prevention (“DLP”) strategy.

  1. Detecting Data at Risk

Locating and prioritizing potential threats, and the data that is subject to those threats, is a key concern for 2017 data loss prevention initiatives. But before the threats can be acknowledged, the items at risk must first be identified. Today’s companies will store many gigabytes of data across a large number of products and services. As a result, it is critical to implement a proactive system of detection in order to actually flag data and activities that may be subject to a threat in the first place [1]. Once pertinent data or activity is identified, the company will be better able to decide how to protect it or whether additional protection protocols are necessary.

  2. Development at All Levels

Data loss largely occurs because of employee error or accident. In the past, however, feedback often came only after the fact, or only certain levels of employees received the necessary training. 2017 data loss prevention initiatives should include active development of all levels in order to prevent significant inadvertent data loss. These initiatives focus on the importance of providing the necessary training to all levels in the company and not just a select few. The benefit of involving all personnel is that this creates an organizational culture focused around preventing data loss. Said differently, organizations in 2017 should be intent on rallying the entire organization from the top down and bottom up to ensure data loss prevention strategies are implemented on a company-wide level [3].

  3. Continued Move to the Cloud

As with many other applications, 2017 developments continue to push data to cloud-based platforms. This is driven heavily by the sustained use of mobile, which keeps data moving between sources. This mobile data opens doors to data loss, since most of the time users transmit the data well before they are logged into a regulated system. 2017 developments include a focus on using cloud-based platforms to better assist in predicting mobile data as well as to better discover and understand potential gaps [2].

Emphasis should also be placed on the balance between controls that offer oversight and efficiency. Many traditional systems involving cloud platforms prevented data loss but were paired with extreme inefficiency. Said differently, there were traditionally a number of applications that monitored mobile data that caused processes to be bulky and overdeveloped. 2017 developments should include processes focused on bolstering protection and efficiency simultaneously [2].

  4. Managed Services

The field of data loss prevention continues to experience rapid growth. Companies are continually drawn to data loss prevention initiatives in part due to lack of resources and time to monitor internally; however, additional drivers include increased regulation and large-scale changes in breadth and depth of data reach. Oftentimes, companies are not even aware of the volume of data that needs to be protected. The solution often lies with managed services, which leverage outside contractors who are better skilled at handling data loss prevention. Managed services should be considered since they offer an independent vendor who can better monitor systems without the potential for insider bias [2].

Data loss prevention continues to be a hot topic in 2017 with significant developments. These developments include detecting at-risk data, company-wide education, cloud movements and managed services. As these services expand, the goal is to cut down significantly on costly insider data breaches that could have substantial negative impact on the company.

Citations:

[1] Friedlander, Gaby. “The Connection Between Insider Threat and Data Loss Prevention.” Observe IT. 2015 November 2. https://www.observeit.com/blog/connection-between-insider-threat-and-data-loss-prevention. 27 February 2017.

[2] Reed, Brian and Kish, Deborah. “Magic Quadrant for Enterprise Data Loss Prevention.” Gartner. 16 February 2017. https://www.gartner.com/doc/reprints?id=1-3TPE5D0&ct=170216&st=sb&mkt_tok=eyJpIjoiTURZeU9UTTFZakE1Tm1aaiIsInQiOiJtT01IY0pKYTZYQm9HKzJCYlBZUUhvZ2x2d3pTRjdSVWRObnhyUFBsMEx0bVBaWmQ1NGFXVWJcL0d0Vm1FXC8yYkhUZW1YdWhWYzRGY1wvVmhrSjFuUkRlRVNqZlFnS0c3S0NsTDVGdElNaWt0clphSTFBWFhNb3JjaXFSTjhZOGQ3WSJ9. 23 February 2017.

[3] Brittain, Jac. “Retail Technology Trends Shaping the Future of Loss Prevention.” LPM Insider. 2016 November 28. http://losspreventionmedia.com/insider/loss-prevention-technology/retail-technology-trends-shaping-the-future-of-loss-prevention/. 27 February 2017.

Building a Better Data Loss Prevention Strategy in 2017

Data loss might not seem preventable when you have no plan in place. You might (correctly) think that threats are coming at you from every angle.

But when you sit down and create a data loss prevention strategy from scratch, the idea of preventing this loss becomes much clearer. That’s why we’ve broken down a few of the simplest steps for drafting a data loss prevention strategy that will keep your company covered in 2017:

Step One: Evaluation: How Successful Was Your Strategy in 2016?

When looking back at your performance in 2016, the answer should be obvious: was your strategy sufficient or not?

If it wasn’t, then you’re looking at an overhaul. Specifically targeting the prevention of data loss from an internal perspective should be one of your chief priorities.

If it was, then now’s the time to innovate and stay one step ahead of the curve. What can you do to improve on last year’s performance? How might you stop data loss from internal leaks? What are the best practices you can implement as soon as possible to have a dramatic impact on the quality of your 2017 data security?

These are the essential questions you need to ask if you want your strategy to be better in 2017. Be brutally honest with yourself as you evaluate. The more honest your evaluation, the better your chances are for 2017.

Step Two: Figure Out Your Biggest Threat

After evaluation, one of the most important questions you can ask is where you think the biggest threat to your data security will come from in 2017.

Will it come from an external source? Do you need to prevent hacking and phishing as you look at ways to stop data loss?

Or is the more nefarious threat from internal sources who have greater access?

Chances are, if you’ve already taken some steps to shore up your data security, the biggest threat will come from the inside. Some of these urgent threats include:

  • Contractors
  • Employees
  • Business partners
  • Compromised internal accounts
  • Careless treatment of security by insiders (non-malicious)

If it sounds incomprehensible that your data loss might come from the inside, remember that many organizations just like yours struggle with these threats every single year.

Whether a data leak occurs because someone on the inside acted with malicious or non-malicious intent doesn’t matter. What matters is identifying these threats before they happen so you can take steps to prevent them.

Step Three: Address the Top Issues

Now that you know a few of these top issues, your data loss prevention strategy needs to address them.

Simply put, how are you going to prevent data loss now that you know what the threats are?

Try taking an approach that’s just one step at a time. For example, you might focus on data breaches from contractors. There are a number of steps you could take here, including examining your current contracts and how IT is managed with contractors. You can look at what each contractor has access to when it comes to your private data. Do they have more access than they need? If so, trimming this access is a great first step.

Addressing one issue at a time might feel slow, but it’s a perfectly valid strategy when it comes to data loss.

Although you can’t plan to cover every single possible leak in data loss prevention, simply taking action rather than putting data loss on the backburner will help you build a stronger and more flexible organization when it comes to handling data loss.

Step Four: Choosing Your Area of Focus

Finally, you have to pick where you’re going to focus.

For many organizations, this will be where you’re most vulnerable. Maybe back in step one, when you did your evaluation, you found that one data loss area might be your weakest. While that can be alarming in one sense, the good news is that you’re now aware of this problem before any major data loss event.

Choose the priorities that will make the most difference in your data loss prevention. If you have quality defenses from external threats but none for internal threats, make that your focus, and vice versa.

The key here: keep in mind that data loss prevention isn’t just identifying the issues, but taking positive steps to intervene and install new best practices.

With the right strategy in place, you’ll have a far better chance of preventing data loss and enjoying a more secure company environment.