Email remains the most important medium for communication both inside and outside the enterprise. But the convenience and ubiquity of email as a business communication tool has exposed enterprises to a wide variety of associated legal, financial and regulatory risks.
In a recent survey of large UK enterprises, we found nearly 50 per cent had investigated a leak of confidential information via email in the past 12 months. Protecting a business’ confidential information - and customers’ private data - has never been more crucial.
The near universal use of email as both a communications tool and a de facto filing system makes all types of data leaks - inadvertent, well intentioned or even malicious - more likely than ever. Notably, our survey (with data collection by Forrester Consulting), Outbound Email and Data Loss Prevention in Today’s Enterprise, May 2008, revealed that 44 per cent of UK businesses had been forced to sack an employee for violating email policies in the preceding 12 months, and 78 per cent had disciplined an employee for such activity.
With increasing amounts of company data found in email, it is imperative that the medium is at the forefront of any data loss prevention (DLP) strategy.
However, catching accidental or malicious data breaches can be tricky, because most organisations do not have the resources to manually monitor all outbound communications. An automated, email-centric DLP strategy is therefore paramount.
Implementing a DLP strategy
Data loss prevention strategies and technologies for email can help protect valuable information assets while also addressing increasingly complex global compliance requirements and enabling more secure and efficient business operations. Several factors should be taken into consideration when putting an effective DLP strategy in place.
Firstly, determine what types of data you should be monitoring and protecting. It is critical to know how employees are using information within the business, and equally important to factor in the various ways employees communicate with the outside world.
Matching DLP rules and policies to your organisation’s security and compliance needs will align the strategy with wider business practices. If those policies are developed in isolation, their impact will be negligible.
Knowing what success looks like is a key factor in all aspects of business, not least protecting one’s company. Therefore, deciding which features are most important when evaluating DLP technologies should be at the forefront of IT managers’ minds when looking at the various technologies on the market: a clear view of what they need to satisfy their exact requirements. Equally, if a strategic policy is not already in place, a baseline should include financial identity information, personal identity data and, in some cases, data about children.
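To make the baseline concrete, here is an added example (not Proofpoint code and not from the original article) of the kind of outbound-email check such a policy implies: a small scanner that parses a message, looks for payment card numbers (validated with a Luhn checksum so invoice numbers do not trigger it) and UK National Insurance numbers, and decides whether to allow, encrypt or block the message depending on whether any recipient is outside the enterprise. The internal domain `example.com`, the message samples and the action names are constructed assumptions for this illustration.

```python
"""Minimal outbound-email DLP check (illustrative, not a vendor implementation)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumption: the enterprise's own mail domain

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number layout, e.g. "AB 12 34 56 C" (format check only).
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def body_text(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def external_recipients(msg: Message) -> list:
    """Addresses in To/Cc that are not on the internal domain."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in addrs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(raw_message: str) -> dict:
    """Apply the baseline policy: card numbers leaving the company are blocked,
    other personal identifiers leaving the company must be encrypted,
    internal traffic and clean messages are allowed."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    findings = {
        "card_numbers": find_card_numbers(text),
        "ni_numbers": [m.group() for m in NINO_RE.finditer(text)],
    }
    ext = external_recipients(msg)
    if not ext or not any(findings.values()):
        action = "allow"
    elif findings["card_numbers"]:
        action = "block"
    else:
        action = "encrypt"
    return {"action": action, "external_recipients": ext, "findings": findings}


# Constructed sample messages (the card number is a well-known test value).
EXTERNAL_CARD = """From: alice@example.com
To: partner@other.example
Subject: payment details
Content-Type: text/plain

Please charge card 4111 1111 1111 1111 for the invoice.
"""
INTERNAL_CARD = EXTERNAL_CARD.replace("partner@other.example", "bob@example.com")
EXTERNAL_NINO = """From: alice@example.com
To: payroll@bureau.example
Subject: new starter
Content-Type: text/plain

New starter details: NI number AB 12 34 56 C.
"""
EXTERNAL_INVOICE = """From: alice@example.com
To: partner@other.example
Subject: invoice
Content-Type: text/plain

Reference 1234 5678 9012 3456 is overdue.
"""

if __name__ == "__main__":
    for name, sample in [("external card", EXTERNAL_CARD), ("internal card", INTERNAL_CARD),
                         ("external NI number", EXTERNAL_NINO), ("invoice reference", EXTERNAL_INVOICE)]:
        print(f"{name}: {evaluate(sample)['action']}")
```

The point of the Luhn check is precision: an outbound filter that flags every 16-digit string will drown reviewers in invoice and order references, and noisy rules are the ones that get switched off. A real deployment would add more identifier classes, attachment scanning and an audit trail of every decision, but the allow/encrypt/block shape is the one most pre-built email DLP policies follow.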
A DLP strategy should not be designed to make anyone’s life harder. As such, it must enable secure business communications, without impeding your normal flow of business. Losing time, money, or customers is not an option in today’s economic climate.
Lastly, DLP policies should stay current with your organisation’s evolving needs. It is important to ensure the DLP strategy is malleable to external influence and internal change. If it is too rigid, it will not be effective in what it originally set out to achieve: protecting the business’ employees, reputation and, essentially, profit margins.
Development and education
Putting the technology in place for a successful DLP strategy is important, but it is only one element of what should be a wider approach. Employee education is a critical factor in protecting a business’s reputation. Research confirms user error is one of the primary causes of data loss. According to Paul Proctor, research VP at Gartner: “Through 2010 we expect 80 to 90 per cent of sensitive information leaks to be unintentional, accidental, or the result of poor business processes.”
Employees need to be involved at each stage of strategy and policy creation, so the resulting guidelines, technology and rules fit seamlessly into their working lives.
Email policies define exactly how employees should use email, and what is and is not acceptable content entering and exiting the enterprise. Educating employees in these policies will protect them from inadvertently violating them, and also protect them from falling prey to phishing, pharming and other inbound email attacks.
Whether your policies relate to email or to newer communication tools, there are some good steps to follow to create your own effective policies. To begin the policy discovery process, you need to assemble the appropriate personnel for brainstorming sessions and interviews. This group should include executive, finance, legal, IT, security and human resources personnel. The beginning stages of policy discovery can start with some simple questions and then move to more directed questions. Start by asking:
- When is it okay to send information outside the enterprise via email, blogs and message boards, IM and media sharing?
- When is it not?
- What types of information are prohibited in the email system?
- How will data be transmitted when encrypted?
- Transactional data? Customer data? IP documents? Internal memos?
- What types of procedures will be necessary to discourage risky behaviour and enforce established policies? Punishment? Termination?
- What is our process for reviewing and revising policies in the event that changes occur or policies fail to work as expected?
- Who should have access to sensitive data, and who should not?
With stakes running high in the boardroom, and business data more valuable than ever before, it is crucial to have a ‘detect and protect’ strategy in place. Detection of any malicious or inadvertent data breaches, and the protection of data to ensure it does not fall into malicious hands, will decrease the chance of data loss and increase confidence in the company as a whole.
IT and data centre managers should look for effective, established and proven partners capable of providing ‘set it and forget it’ technology solutions. This means solutions that do not require extensive manual tuning or other IT support, so once they are deployed IT can focus on other matters. Having pre-built policies for common data protection scenarios is extremely important.
Don’t forget, many vendors will gladly work with your company to assess your organisation’s risk profile and identify and quantify the outbound email risks specific to your company, which can be a great help in building a business case for deploying improved data protection technologies.
David Stanley is managing director EMEA at Proofpoint. Proofpoint secures and improves enterprise email infrastructure with solutions for email archiving, encryption and data loss prevention. Proofpoint solutions defend against spam and viruses, prevent leaks of confidential and private information, encrypt sensitive emails and archive messages for retention, e-discovery and easier mailbox management.
For more information, visit www.proofpoint.com.