Had a couple of interesting customer meetings this week where the same topic arose…
Both companies were looking at how to prevent data leaking out of their businesses or, as the imaginative title of this article suggests, how to stop data walking straight out the front door.
The crux of the challenge, we all decided, was that there really was no magic bullet to the problem and certainly not one solution we could think of.
The solution to the problem is a multifaceted one: there is a range of things that these companies need to consider as they try to ensure that they mitigate the risk as much as is practicable…
What’s the risk then?
A good place to start…what risk are we actually talking about?
Well, I'm pretty sure we all agree that for many of us data is absolutely critical to our business. In some industries the intellectual property contained within our data is our business; lose that and we may as well close the doors and go home…
And it’s not even the loss of intellectual property that can have a dramatic impact on our organisation. In the case of the two I spoke with this week, both of these businesses were subject to regulation under which, if certain types of data left the business and they couldn’t show that they had taken appropriate action to stop it, they could lose a licence to operate and risk huge reputational damage, which would lead to loss of customers and a significant loss of income, putting the business at risk.
The stakes are pretty high then, but even if the stakes in your business are not quite that high, have a think about the impact of inadvertently having sensitive data from your business seen by people you’d rather didn’t see it: employees, competitors, press. All of these can have a hugely negative impact on your business, both financial and reputational.
What to do?
Well, as you’ve taken the time to read this blog, it’s only fair that I try to help you protect your business and share some of the things that we felt were appropriate steps in the businesses we were speaking to, to help them prevent leakage of data.
As we said back at the start, there isn’t a magic bullet or one-step process. A strong data leakage prevention strategy is made up of a number of things, so below are 5 things that can hopefully get you started:
1. Get buy in
Before you embark on what is potentially a complex solution, it’s important that you have buy in from key stakeholders in your business. You need top level support of course, but also ensure that everyone understands the impact of data leaking out of the business, including the impact on the long term security of everyone’s job.
2. Understand your data and how it is used
Once we have buy in, it’s important we understand what our data is and who has access to it.
Use data governance tools such as Varonis DatAdvantage to get a full picture on where your data is, what’s contained within it and who has access to it.
Understand the results of your governance tools and apply appropriate data security, so that you begin to limit the risk and only appropriate people in your business have access to the data they need.
Oh, and by the way, this is not a one-off task: ensure that you constantly monitor for changes in access to data.
3. Understand the points of risk
Now we have a view of who has access to what and we’ve addressed any anomalies, let’s look at where data could potentially walk out the door.
It can start with corporate tools such as email and instant messaging, but increasingly it includes cloud tools such as Dropbox and public cloud storage solutions and, of course, old favourites: USB sticks, smartphones, tablets and other mobile devices. All of these are routes out of the business. Understand the tools that operate within your business, those you know about and of course those you don’t (remember, there are two types of Dropbox-using businesses: those who know they run it and those that don’t!).
4. Securing the points of exit
OK, now we have an idea how the data can get out of the business, we need to start looking at securing it.
Although we used our data governance tools to ensure only the right people have access to data, who’s to say that the right people won’t accidentally (or otherwise) allow data to leak out? And of course, what if the right people aren’t the right people (what if they’ve had a password compromised, for example)?
Again, this isn’t a magic bullet type of solution; there are lots of tools working together to try and secure our networks.
For example, if you are a Microsoft house are you aware of some of the tools available to you?
Rights Management, for example, gives you the ability to assign controls to your data, so that a Word document can perhaps only be read, and you can assign rights to it that say that, outside of that, it can’t be printed or forwarded in an email.
As we alluded to above, this rights management can be extended into applications such as SharePoint and Exchange to assign rules to data, stopping it from being used inappropriately.
We can also add solutions above and beyond this that monitor data traffic as it moves around the network, looking for sensitive data before it moves outside the business. There are plenty of tools on the market that do this kind of deep inspection and blocking; the likes of Entrust, Comodo, Symantec and McAfee all have solutions that can help enforce DLP policies.
Outside of this, look at those devices that leave your network and make sure you protect them. Solutions such as WinMagic for encryption or Druva for mobile device DLP, alongside the big mobile device management players, help ensure that your mobile devices are secure, minimising the risk of data leaking from these devices once outside the business.
5. Education Education Education
Last but by no means least: educate. Make sure you have policies and procedures in place, but not only that, make sure your users fully understand them and that they are front and centre in their minds, not only by using clever technology (something like NetConsent, for example) but by ensuring, as we said earlier, that the entire business understands the risk and is bought into it. In the end, all the smart technology in the world won’t help if your business just doesn’t care.
Don’t get me wrong, this is no exhaustive list; however, in those couple of meetings these were the kind of common steps we identified as things that a business should look at as it tries to mitigate the risk of data leakage.
In the end both of these businesses realised that they could only take practical steps to a reasonable level. If someone was absolutely determined to steal data and leak it out of the business, it would be almost impossible to stop. However, it was crucial that they took the appropriate steps to reduce the chance of data leakage, apart from in the most extreme and determined cases of theft.
I hope you find some practical use in the steps I’ve shared. I’ve listed a few resources from the solution providers I’ve mentioned if you want to check out some further details on DLP for yourself.
If you’ve got some comments you think can help, please post them on here or of course you can contact me on Twitter or LinkedIn.
Good luck and don’t let your data walk out the door!
Links to some of the solution providers mentioned in this article;