Some statistics first –
• Only 38% of organizations believe that they are adequately or very adequately protected against data leaks that might occur in their e-mail systems and only a third are protected against leaks that might occur through instant messaging systems. Organizations are only slightly more protected against leaks that might occur in their unified communications infrastructure.
• Organizations are even more concerned about unintentional or accidental data leaks that might occur as employees are rushed, forget corporate policies, and forward sensitive data in an e-mail unintentionally, etc. Nearly one-half of organizations are concerned about these data leaks, which they perceive to be even more serious than intentional data breaches or data stolen by malware, such as keystroke loggers.
• With regard to data leaks in current or future unified communications systems, 11% of organizations consider information leak protection to be a top priority, while another 38% plan to address the issue.
Data loss or leakage is an important problem that many organizations have not yet adequately addressed – it will become more of a problem in the future as unified messaging and unified communications create more opportunities for data leaks to occur.
However, one of the problems with data leaks is that very often they go undetected. If a keystroke logger gets installed on a PC in your network, it will likely go undetected for some time unless the technology is in place to detect it. If users mistakenly send confidential data through e-mail, instant messaging or other systems, that practice will continue indefinitely until someone catches on. If someone is bound and determined to leak data intentionally, they might never be caught until a data loss prevention (DLP) system has been deployed.
Data loss prevention products plug a gaping hole in most companies' security systems. The problem is that most security products are outwardly focused.
They try to block external attacks. That's all well and good, but it doesn't address an entire spectrum of security vulnerabilities that occur when data moves from inside the network out.
Firewalls and intrusion-prevention systems (IPS) are the basic building blocks in a sound security policy, but they don't do you any good if a laptop is stolen out of a hotel room. They don't help if insiders are transmitting confidential information via e-mail. They don't come into play if somebody uses Web 2.0 technology, like a blog or a mashup, and inadvertently spills company secrets on the Internet. And they don't address intentional data theft by disgruntled or inept employees.
DLP products – also known as anti-data leakage – inspect content as it moves across the network and enforce policies so that confidential information doesn't escape the walls of the enterprise.
“What is driving DLP among enterprises is a combination of factors – regulatory imperatives, huge impact any data loss has on an organisation, damage to the brand and also damage to the organisation in terms of IP lost,” says Richard Archdeacon, Symantec EMEA Security Practice.
With all the hype around the technology, how can you tell the right time to get into DLP? The decision to invest in Data Loss Prevention (DLP) should be based on how ready you are as an organization. The real decision to invest in DLP will be based on your organization's maturity, not that of the market. DLP solutions aren't like many other security tools that operate, for the most part, outside the business. Not only does DLP protect sensitive data that needs to be defined by the business, but the policies on how that data needs to be managed and the workflow for handling policy violations all need to be a partnership between security and the business units. Also remember that DLP solutions will stop some malicious attacks, but are more for preventing accidental disclosures and identifying bad business processes. You need to answer questions like:
* What content do we need to protect?
* How are people allowed to use it?
* How do we want to manage policy violations?
* Should we involve HR? Or Legal?
* Who will be responsible for handling and investigating violations?
Nearly every DLP provider will come in and do a “risk assessment” where they deploy the product in a monitoring mode for a few days and present you with a report of what they've seen. If you're seriously considering DLP, pull together the main business units with a potential stake (HR, legal, finance, and IT are typical), bring in one or two vendors, and see what kind of results you get. Pull everyone together in one room, review the results and you'll quickly understand if you're ready to deploy DLP or not.
And remember, data loss is a people problem rather than a technology problem. “Technology can help you discover, classify what is important and what is not. When it comes to people, security management now has to focus on culture changes within their business, not just technology changes. How could business understand the value of its data? It’s a question of using the technology to do the discovery, identify by content, classify it and use that information to work with business to change the cultural value of an organisation to understand security of data is important,” sums up Archdeacon.