Tiago Gomes, flash business manager, Kingston Technology
The increase in the volume of data exposed by breaches means there has never been a more critical time to adopt a data loss prevention (DLP) approach. While the breaches that make headlines often happen to large, globally-known organisations, a study by Intel found that 70% of data loss incidents in smaller, commercial organisations still warranted public disclosure. For companies, a breach puts not only the confidentiality of sensitive data and their brand reputation at risk, but also brings the double blow of regulatory fines and negative commercial impact. A report by IBM published in July shows that the average cost of a data breach in the UK in 2022 was £3.8 million.
Minimising the risk of a data breach is a challenge that network teams wrestle with daily, and as always, prevention is the best approach. By adopting a set of strategies that combine processes with security tools, companies can put up barriers that halt unauthorised access to data, stopping it from falling into the wrong hands or being lost through human error.
Of course, data security should be the concern of everyone working in an organisation, and for DLP to succeed, a company-wide approach led from the top is essential. Of the security tools that will form part of the programme, strong encryption is key to ensuring that data which does leave the organisation cannot be read; however, any weakness in the implementation, from poor key handling to a flawed configuration, will be found and exploited by cyber criminals, so attention to detail is paramount.
Best practices for implementing data loss prevention
To get the most out of a DLP approach, it’s best to start with an assessment of the data that the company holds. Some data will be more critical than other data and this should be given priority in terms of ensuring it is protected. It helps to classify data according to context, and the classification could be associated with the source app, the data store, or even by who created it. This will make it easier to track.
While responsibility for implementing DLP lies mainly with CISOs and the network team, the CFO and CEO will need to sign off the budget for the programme. This means presenting a strong case of the benefits for individual business units, the efficient use of assets and resources, and the ability to address pain points and minimise risk. Senior advocacy will help with the smooth implementation of DLP policies and encourage support from department heads.
Companies should understand what their objectives are for DLP. These might extend beyond simple prevention to ensuring regulatory compliance, protecting intellectual property (IP), or achieving improved data visibility. Identifying what matters most makes deployment of DLP more efficient and, in the long term, more effective.
Defining the approach is essential. If a company takes a project approach, for example, it can start by focusing on data of a specific type. Discovering and automating the classification of the most sensitive or critical data is a good place to start. However, whatever classification of data is chosen first, it must be applied across all departments to ensure consistency.
Internal guidance can help cut the risk of accidental data loss by employees. Advanced DLP solutions provide user prompting, which notifies employees when their use of certain data would contravene company or regulatory policy, or alerts them when their activity is deemed risky, for example attempting to forward business emails outside the corporate network perimeter or uploading critical files to unauthorised cloud services.
Companies should therefore aim to understand how data in their organisation is actually being used. Monitoring data in motion helps identify risky behaviour, particularly in relation to sensitive files. In the hybrid working environment, data is at risk in transit and when used on unprotected endpoints, and a DLP programme must account for this increased risk.
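To make the prompting and data-in-motion monitoring described above concrete, here is a small policy engine written for this article (it is an added example, not Kingston's or any vendor's product code). It takes a stream of outbound events, raises the sensitivity label when content inspection finds a card number that passes the Luhn check, decides whether the destination is outside the corporate perimeter, and returns allow, prompt or block for each. The corporate domain, the approved cloud hosts and the sample events are all constructed assumptions for the example.

```python
"""Toy DLP policy engine: classify outbound events and decide allow / prompt / block.
Added example for this article; domains, hosts and events below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions for the example: the corporate mail domain and the sanctioned cloud hosts.
CORPORATE_DOMAIN = "example.com"
APPROVED_CLOUD_HOSTS = {"files.example.com", "drive.example.com"}

# Sensitivity labels from the classification exercise, least to most sensitive.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Event:
    user: str
    action: str        # "email" or "upload"
    destination: str   # recipient address for email, target host for upload
    label: str         # label assigned when the data was classified
    content: str       # message body or file text being sent


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def contains_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def effective_label(event: Event) -> str:
    """Content inspection can raise the label, never lower it."""
    if contains_card_number(event.content) and LABEL_RANK[event.label] < LABEL_RANK["confidential"]:
        return "confidential"
    return event.label


def is_external(event: Event) -> bool:
    """True when the destination lies outside the corporate perimeter."""
    if event.action == "email":
        return event.destination.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN
    if event.action == "upload":
        return event.destination.lower() not in APPROVED_CLOUD_HOSTS
    raise ValueError(f"unknown action {event.action!r}")


def evaluate(event: Event) -> tuple[str, str]:
    """Return (decision, reason). Internal destinations are allowed; external ones
    are blocked for restricted data and prompt the user for confidential data."""
    label = effective_label(event)
    if not is_external(event):
        return "allow", f"{label} data to internal destination"
    if label == "restricted":
        return "block", f"restricted data to external destination {event.destination}"
    if label == "confidential":
        return "prompt", f"confidential data leaving the perimeter to {event.destination}; confirm this is intended"
    return "allow", f"{label} data to external destination"


# Constructed sample events: same content to an internal and an external recipient,
# an upload that only inspection reveals as sensitive, and a false-positive digit run.
SAMPLE_EVENTS = [
    Event("alice", "email", "bob@example.com", "restricted", "Q3 board pack attached"),
    Event("alice", "email", "alice.home@gmail.example", "restricted", "Q3 board pack attached"),
    Event("carol", "upload", "personal-share.example", "internal", "Customer card 4111 1111 1111 1111 on file"),
    Event("dave", "email", "partner@vendor.example", "public", "Press release draft, order ref 1234 5678 9012 3456"),
]


def run(events: list[Event] = SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    return [(e.user, *evaluate(e)) for e in events]


if __name__ == "__main__":
    for user, decision, reason in run():
        print(f"{user:6} {decision:6} {reason}")
```

The two points worth noticing are that the decision depends on both the label and the destination (the same board pack is allowed internally and blocked externally), and that the Luhn check keeps an order reference from triggering a prompt, which is the kind of tuning that stops users learning to click through every warning.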
Metrics are important for gauging the success of any strategic programme, and DLP KPIs should be agreed in advance and have the support of the entire organisation. Assessing the KPIs will allow for improvements to be made, and to determine the value that DLP is bringing to the organisation.
Preventing data loss means investing in the right tools, and one of the best ways to do this without compromising existing workflows is through hardware-encrypted hard drives. These are available in different models, designed to suit organisations of all sizes, and are invaluable in shoring up defences and bolstering DLP programmes. Hardware encryption protects data at rest on a device that is lost or stolen; it does not stop an authorised user copying data to an unencrypted location, so it complements rather than replaces the monitoring and policy controls described above.
Data loss prevention is evolving in line with the explosion in data and the expansion of attack surfaces and now incorporates managed services, cloud storage and functionality, behaviour analysis, insider threats, and advanced threat protection. As work habits change and companies expand their hybrid work environments, regulations are being updated to reflect new risks. This means that the need for personal information protection and compliance, IP protection and data visibility – the three tenets of a data loss prevention programme – becomes more acute.
A level of commitment is needed for DLP to succeed, and the programme will require constant re-tuning as business processes and the data itself evolve. Maintaining it depends on continuous improvement and timely measurement. If DLP can be shown to have combatted a data loss risk or helped resolve a cyber incident, that is valuable proof the deployment was worthwhile.