You’d have to be on another planet to miss the stories of data loss at major companies. It seems amazing that this could happen in an age of encryption, firewalls, and high-tech security. Yet it does.
As a consumer and technology professional, I’ve witnessed first hand that Data Loss Prevention (DLP) software, designed to prevent inadvertent or accidental loss or exposure of sensitive information, doesn’t always work. Many organizations never realize the power of their DLP solutions because of a lack of user education and weak support for comprehensive strategies.
You must have a solid DLP strategy to satisfy the regulations most organizations face today. A good DLP strategy consists of three key elements:
- Monitoring software
- Employee education
- Tools to secure data while in transit
Monitoring software is the forte of packaged DLP solutions. It allows monitoring of multiple network protocols such as IM, FTP, HTTP and generic TCP/IP to identify sensitive data that may be at risk. Scans let you find broken business processes that expose confidential data, such as an FTP server sending unencrypted customer information to a trusted third party, or an employee sending out customer data or intellectual property in violation of data security policy. While these tools are extremely helpful, they typically only identify the issues; they do not decide what action should be taken. The rest of your DLP strategy needs to focus on your response.
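To make the "identify sensitive data at risk" step concrete, here is a small content-inspection scanner in the style of what a DLP monitor does on observed traffic. This is an added example, not code from the post or from any DLP product: the transfers it scans are constructed sample records (a protocol, whether the channel was encrypted, and a payload fragment), and it uses one detector only, card-number-like strings validated with the Luhn checksum to cut false positives. Findings are rated by whether the channel was unencrypted, which matches the post's point that the tool surfaces the broken process and leaves the response to you.

```python
import re
from typing import Dict, List

# Constructed sample of observed transfers. None of this is real customer data;
# the card numbers are the publicly known Visa/Mastercard test values.
SAMPLE_TRANSFERS: List[Dict] = [
    {"proto": "ftp",   "encrypted": False, "dst": "partner.example",
     "payload": "cust,4111111111111111,Jane Doe"},
    {"proto": "https", "encrypted": True,  "dst": "crm.example",
     "payload": "order 5500000000000004 shipped"},
    {"proto": "smtp",  "encrypted": False, "dst": "mail.example",
     "payload": "see attached, card 4111 1111 1111 1112"},   # fails Luhn
    {"proto": "http",  "encrypted": False, "dst": "cdn.example",
     "payload": "ticket 123456789 closed"},                  # too short
]

# Candidate 13-19 digit runs, allowing single spaces or dashes between digits,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers; cuts obvious false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised (digits-only) card-number-like strings that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so findings can be reported without re-exposing the data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_transfers(transfers: List[Dict]) -> List[Dict]:
    """Inspect each transfer; report sensitive content and rate it by channel protection."""
    findings = []
    for t in transfers:
        pans = find_pans(t["payload"])
        if not pans:
            continue
        unencrypted = not t["encrypted"]
        findings.append({
            "proto": t["proto"],
            "dst": t["dst"],
            "pans": [mask(p) for p in pans],
            "severity": "high" if unencrypted else "medium",
            # The scanner only identifies the issue; the response is a policy decision.
            "note": ("card data on an unencrypted channel; review the business process"
                     if unencrypted else "card data observed; confirm the recipient is approved"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_transfers(SAMPLE_TRANSFERS):
        print(f"[{f['severity']:6}] {f['proto']} -> {f['dst']}: {f['pans']} ({f['note']})")
```

Run as-is it reports two findings: the cleartext FTP transfer as high severity and the HTTPS transfer as medium; the SMTP payload is dropped because its number fails the Luhn check, and the ticket number is too short to qualify. In a real deployment the detectors would be broader (patterns for your own customer identifiers, document fingerprints) and the findings would feed the response process the rest of the post describes.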
Education is a key step. It is essential to conduct employee training and make sure everyone involved can identify sensitive data and knows what to do to ensure it isn’t at risk. This includes teaching people not to send certain information over unsecured channels such as email or FTP. Employees need to be trained on tools that allow them to comply with security policies while still conducting business effectively. An effective education program is not a one-time event, either; it must be repeated on a regular basis and built into the culture of the organization.
But education alone doesn’t address the problem. There is a legitimate business need to move information that is sensitive in nature, and therefore a need for tools that allow employees to keep data secure while in transit. The problem is that most organizations never establish a corporate standard for how employees do this. End users end up relying on consumer-focused web services that don’t provide the level of security and control corporations require to ensure the security and integrity of sensitive information. A corporate standard must be established, and depending on your industry an on-premises solution may make the most sense.
In today’s environment, with regulatory requirements and heightened sensitivity of investors and customers, this is a topic to take very seriously. While DLP software is a critical part of the overall strategy, both education and the right tool set complete the story.