Tactics that involve prevention and protection always need constant upgrading, changing and reworking. As technology changes and people find new workarounds, so too do you need to keep finding new ways to upgrade your data loss prevention strategy. Obviously, this can be quite time-consuming and costly, particularly for small to medium enterprises, so a sensible approach is to consider when and why you should be looking to improve your data loss prevention (DLP) strategy. This knowledge will allow you to prioritise your company’s resources effectively to help protect against any breaches.
Know the culprit
While much of the attention about data loss points to outside threats from cyber-attackers, it’s estimated that more than 40% of all data breaches occur internally. These can be intentional, but they can also be due to just a careless click of the mouse. Being aware of how your data could be lost is the first step to upgrading your strategy.
Assess your sensitive information
It’s not entirely realistic for a small or medium sized company to have a mammoth DLP strategy that protects all of the company’s information to a very high level. Nor do most companies want that as it often comes with an increased level of administration that would significantly decrease an employer’s output, were it to be applied to every file in the company.
So, assessing the files that your company has is crucial to knowing when to upgrade your DLP strategy. The easiest way to do this is to look at the worst-case scenario for each set of files that your company has. If someone were to accidentally send a file to the wrong person, or maliciously release it to the public, what would the ramifications be for your company, both financially and in terms of reputation?
Then, qualify your data files into groups – high risk, medium risk and low risk. Most companies with internet security and data loss protection strategies will have all-encompassing security that includes all files, even those that are low risk. It’s the high risk and, to a lesser extent, the medium risk files that you need to have a strong DLP plan around.
It’s also worth being mindful of whether the strategy covers new files that are created. Is there a process that qualifies this data into the ‘risk buckets’ mentioned above? Your DLP strategy is only as good as how it’s being implemented. If you find that there are gaps when you go through the process yourself, it’s time to look at an upgrade.
Accepting technological change
It can be difficult for companies that have invested a great deal in a solution to look at making significant changes to it. Often there are stakeholders or other parties who may not realise the necessity of doing this, and therefore the cause also has to be justified.
However, one of the biggest weaknesses of all DLP strategies is that they are reactive. They constantly have to be told what to look for – the kinds of encryptions and data formats, for instance. As we all know, technology is changing and progressing at an unprecedented rate. Because of this, those encryptions and formats are constantly changing and therefore an effective DLP strategy should be updated accordingly.
So, when? Well, the answer is constantly, but the good news is that there are plenty of affordable technology solutions that can fill the gaps in your DLP strategy, rather than completely reworking the entire thing – an unnecessary exercise. Software such as classification software can help to combat the issue above and only serves to strengthen your DLP strategy in a cost-effective way.
Although it would be nice to have a set of rules in place to know exactly when to upgrade your DLP strategy, such a set of rules would be unrealistic and not flexible enough to take into account all of the changing variables. Instead, an approach that involves a full assessment, qualification and reworking is best when considering an upgrade.