Data Loss Prevention Strategy
In most cases of company data loss, the company will have no idea that it happened, where the data went, or who took it. More often than not, for either scenario, is that there was no data loss prevention strategy in place within the organization.
There is a lot to consider when putting together a DLP (Data Loss Prevention) Strategy. The bigger the company, the bigger the problem and the harder it is to solve, but do not fool yourself into thinking that it will not happen to you. The basis for a DLP strategy is to prevent users from sending sensitive or critical information to a location outside the corporate network.
However, in a comprehensive DLP strategy, network administrators also use software to control what data users can transfer both internally/externally and to control the movement of data to unsecure removable media or other devices.
Software is a big part of a data loss prevention strategy.
These types of software allow the company to set business rules on how you classify and protect confidential information, beyond the typical Microsoft permissions, preventing accidental sharing by unauthorized users. A word of caution though, there is an ongoing struggle between convenience, budget, and security that often come into conflict when you add another layer of security to your network.
Corporations need their people to be productive but, we also have to understand the human factor of who we are and that people do copy information about your customers, vendors, and suppliers off your network and take that information with them to their next job. As important as a DLP strategy is, it is also something that you can step into and allow a culture of security take hold within your organization over a long period. Therefore, the process of implementing a DLP strategy is something to really think about and plan.
You maybe be asking yourself the following:
- Do I really need a data prevention loss strategy?
- How big of a problem is this?
- Is it really worth your time and investment?
According to a Verizon Data Breach Investigation Report in 2017, 60% of data breaches can be tracked back to employees, where financial gain was the motivation. Which in some cases could be in the form of a new job offered by a competitor. Most of this data was in the form of trade secrets, sales projections, marketing plans, and in some cases personal information of other employees. This type of information is extremely valuable to competitors and on the data black market.
The whole purpose of a DLP program is to protect your data from the biggest risk which unfortunately is your own employees. According to a McAfee report, “Grand Theft Data”, internal users were responsible for 43% of data loss, media theft accounted for an additional 40% of theft and the most common data stolen (23%) were in the form of Microsoft Office file formats. The same study outlines that 64% of data security experts felt that a DLP strategy would have prevented the data loss.
“60% of data breaches can be tracked back to employees, where financial gain was the motivation.”
Your mobile devices as a part of your DLP strategy.
Regardless of your choice to use an Apple or Android product, make sure that you take the time to secure your device and that you have the ability to remotely wipe the device in the event it is lost or stolen. Make sure that you have properly configured your privacy settings because there are a number of new apps that have the ability to sync data, track locations, and to push notifications and location information. All of these features are great for the average teenager but in the business world these are not so great.
Other mobile data protection tips
- Back up your mobile devices regularly.
- Disable Bluetooth when you are not using it.
- Turn off WIFI unless you are connecting to a WIFI system you know is secure. Other times you should use your cell providers network as it is much more secure than WIFI.
Corporate data is always a huge target for employees, competitors, and of course the data black market.
When it comes to planning your DLP strategy, a significant factor to consider is Data Prioritization. Not all data has the same value so you have to take a very objective look at the data and decide what would have the biggest impact if it were stolen or made public. Another point to consider is your own awareness to a data risk and how you would identify who was the offender.
Data risks can be reduced with:
- Proper archiving of data
- Limiting the rights; such as the ability to change or modify files and in some cases to copy or move the files
- Adding another layer of encryption to further secure data
However, data is most vulnerable when it is on the move. Data could be vulnerable when shared with email, removable media, print media, or when it transferred between remote workspace or offices.
The Misconceptions of DLP
There are some popular misconceptions about DLP strategies such as it can cause latency on the network. Most DLP software manages both endpoints for data on the move. The tags used to control the data movement are quick and easy to read by the software at both ends.
Another misconception is the idea that DLP programs will not work outside of your network. In some cases, a DLP program will stop data from sending out of your network. Depending on how you configure your DLP program, the controls can be placed at the data level and not the device level. This will allow the program to work both internally and externally.
There is also the common misconception that DLP programs will hurt productivity. New versions of DLP software place the controls at a data level, where users who are following corporate policies and procedures see no impact from an operations perspective.
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with large and small business to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies and Winning Technologies goal is to work with companies on the selection, implementation, management and support of technology resources.