Highly publicised events have demonstrated that it is now more difficult than ever to protect an organisation’s internal data. Advances in technology and productivity tools have made collaboration in the workplace easier, while also creating new vectors for data to leave the organisation.
As with any frontier, the increasing fluidity of data presents unprecedented opportunities for growth and expansion. However, with these opportunities comes new potential for data loss. In order to protect data in the burgeoning landscape of Big Data, cloud computing, social media and BYOD, enterprises must pinpoint potential problems and leverage loss prevention solutions.
According to Guurprit Ahuja, Director, Middle East and Africa, Acronis, these leaks in data are on the rise. “Over the last two years the volume of enterprise data loss has increased by 400 percent,” he says. This alarming rate is a clear indication that IT enterprises must take action in order to protect their data.
In short, companies must find the holes through which their data is leaking. “Data breaches caused by malicious actors make headlines,” says Ahuja, “but companies must also be aware of risks that come from within. Often, these risks derive from well-intentioned employees who accidentally delete or misplace valuable data.”
Whether from inside a company or from external influences, intentional or not, data loss most commonly takes place via the Internet. Patrick Grillo, Senior Director, Solutions Marketing, Fortinet, points out, “Email, phishing websites, social media and cloud computing are the most common vectors for data loss companies face.”
The Internet is not the only source of data loss, however, and enterprises must take care to protect against data transfers through flash drives and mobile devices. With BYOD a growing trend, data can even be lost by something as unintentional as a misplaced personal mobile device.
Simon Mullis, Global Technical Lead, Strategic Alliances, FireEye, recognises the uphill battle enterprises face with data loss prevention. “Information security is an inherently asymmetric fight,” he says. “The house we are trying to protect has ten thousand doors, and the attacker only needs to sneak through one of them. A determined attacker will choose the most appropriate vector to steal data from you, and therefore companies need to be vigilant across all vectors of potential data loss.”
In order to mitigate data loss, many companies look to building a comprehensive security policy. According to Grillo, “A security policy effective against data loss must encompass the entire network from the endpoints, to the data centre and everywhere in between. The policy,” he says, “should focus on three key areas: detection, prevention and mitigation.”
In terms of prevention, Mullis points out the resurgence in content-aware DLP solutions in the last year. “If a company is looking to protect against theft or leakage of structured data, then this can be a useful approach,” he says. “However, it is clear through countless examples, that corporate data of all shapes and sizes can be easily encoded, obfuscated, encrypted and stolen by simple malware toolkits. Many of these malware toolkits have become adept at avoiding detection.”
The sophistication of malware presents a difficult obstacle for companies to mitigate with most DLP solutions. “The problem,” Mullis explains, “is that most DLP technologies often require enterprises to classify all of their data in order to appropriately detect and prevent unauthorised leakage, but this classification process is a massive undertaking for most companies. In addition to classifying data, a company must manage the DLP system including the influx of false positives that are inevitably going to be reported, and advanced attackers have developed innovative techniques for circumventing some of these solutions anyway.”
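A minimal content-aware check for one kind of structured data (payment card numbers), added here as an illustration and not taken from any vendor quoted in this article. Luhn validation trims the false positives a bare pattern produces, and a decode pass catches the simplest encoding, while encrypted content would still pass unseen; the sample messages, patterns and function names are constructed for this example.

```python
import base64
import binascii
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Runs that look like base64; scan() decodes and rescans them.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample messages (4111... is a widely used test card number).
MSG_CARD = "Invoice paid with card 4111 1111 1111 1111, thanks."
MSG_TRACKING = "Tracking number 1234567890123456 shipped today."
MSG_ENCODED = "attachment: " + base64.b64encode(b"card=4111111111111111").decode()


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_cards(text: str, validate: bool = True) -> list[str]:
    """Return candidate card numbers; validate=False is the bare pattern."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(text: str, decode_base64: bool = True) -> list[str]:
    """Scan plain text, then (optionally) any base64 runs after decoding."""
    hits = find_cards(text)
    if decode_base64:
        for m in B64_RE.finditer(text):
            try:
                decoded = base64.b64decode(m.group(), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64 text after all
            hits.extend(find_cards(decoded))
    return hits
```

On the constructed samples, the bare pattern flags the tracking number as a card, the Luhn check rejects it, and the encoded message is only caught when the decode pass is enabled.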
In order to truly initiate an effective data loss prevention solution, Mullis suggests a combination of the right technology mixed with the intelligence and expertise of a well trained workforce and IT department.
Ahuja reminds enterprises not to forget the basics in their fight against data loss. “Regular data backups,” he explains, “especially using cloud computing, allow for a faster recovery time in the event of a data loss incident.” He also reinforces the notion of a workforce well trained and educated in the importance of DLP. “Give employees practical strategies to avoid common mistakes, like opening unknown email attachments or downloading apps from unknown sources,” he suggests.
There are a number of DLP technologies currently on the market, each offering their own steps in the continuing dance of protecting important data. Grillo suggests enterprises consider a layered approach, combining multiple systems, for effective DLP. “Network firewalls with complementary security services, web application firewalls, secure email gateways, sandboxes – breach detection systems – and endpoint protection software should all be components of any security structure and some elements, such as the secure email gateway can also have distinct DLP technology inside,” he says.
Even with all of these systems in place, it is important for enterprises to realise that they are not “safe” from the threat of an attack. According to Grillo, “DLP technology will not reduce the risk of an attack but can increase the odds of successfully minimising the damage from a network breach or a deliberate effort to extract data from a network. No single technology can prevent an attack from being successful, but of the multiple technologies working collaboratively across the whole of the network, sharing common threat intelligence is the optimum approach to defending a network and minimising the chance of a hacker successfully breaching the network.”
Assembling a strong set of DLP solutions is certainly an important strategy in keeping enterprise data secure, even in the event of an inevitable attack. Another effective strategy is reducing the area available to attacks and accidents alike. Ahuja suggests companies make the effort to classify data in order to aid in DLP.
“For the sake of DLP, an enterprise should develop a set of data classification standards to identify data that is critical for day-to-day operations and ensure this information has the highest restoration priority in the event of a loss,” he says. “Access is another way to protect your data: Ensure that only employees and executives directly tied to a project have access to pertinent information — the fewer points of compromise, the less likely a breach or loss.”
Another way for a company to protect its data is by implementing some basic, easy-to-follow policies. This may seem like a rudimentary step when one considers the amount of research and development that goes into DLP solution software; however, it is often errors by the end user that lead to most incidents of data loss and security breach. A well-trained and educated workforce with good DLP habits can be an effective tool in the fight against data loss.
“One example of such basic, yet significant policy is the 3-2-1 rule,” explains Ahuja. “If you’re backing something up, you should have at least three copies, in two different formats, with one of those copies off-site,” he says. “This rule is used to eliminate single points of failure, leverage the backup on different types of media storages, and always keep a copy of this data offsite on the cloud or on tape.”
Grillo agrees with implementing easy-to-follow procedures for employees to help DLP. He even encourages companies to be proactive in the testing of these policies to make sure they are being followed. “Once policies are in place and employees are well educated about DLP strategies and threats, companies should periodically launch their own phishing campaigns to make sure that employees do not become complacent in their actions,” he says.
He also points out the need for an enterprise to have policies in place for what to do after an attack has been made. Grillo suggests, “Companies should also implement a set of policies and procedures that employees can follow in the event that they do fall prey to a phishing email. The employee should have a non-punitive recourse to fall back on, informing the organisation of their actions, giving the IT department a ‘heads up’ that there may be a potential intrusion.”
The battle for the protection of data will only continue to grow more complex as technology develops new ways to share information in faster and more innovative ways. Companies must stay abreast of the latest DLP solutions, but always remember that a few basic policies are also invaluable tools for preventing data loss.