Data loss prevention (DLP) technology
has plenty of hype blowing its sails, but it is also being carried
along by a serious undercurrent. Organisations have no choice but
to follow its drift - they have to take it seriously. UK watchdogs
the Information Commissioner (ICO) and the Financial Services
Authority will come down hard with fines, not to mention possible
public humiliation if slack security policies lead to data
loss.
And the more constructive and preventative steps taken now, the
better, experts believe.
Unless firms and other organisations are seen to be plugging the
leakage of information, they will bring greater policing on the
industry as a whole, fears Marcus Alldrick, head of information
protection and continuity at Lloyd's of London.
"People cannot ignore what the
Information Commissioner's Office (ICO) says about protecting
laptops," he says. "If it carries personal information then it is
expected to be encrypted. Unless organisations take on
responsibility for protecting information then they will get
prescribed legislation to keep them in check. "Every organisation
needs to look at leakage channels."
Alldrick has come up with some basics that are in danger of
being overlooked, including making sure the drawers of disposed-of
office furniture are clear of electronic devices and paper.
His tactics focus on making security of benefit to the business.
Another example is requiring an employee to walk to a printer and
enter identification before receiving print-outs, which is one
simple way of keeping confidential data away from prying eyes.
"This does not just have a security benefit," he says. It makes
people think before printing so less paper is wasted along with
toner, ink and so on. "I am also talking about confidential waste
being separated out from other paperwork, these things are not
difficult."
His firm tackles information leakage through a number of
methods. Networks are segregated for Lloyd's Corporation, the
market and the outside network. Agents on each endpoint machine
make it possible to spot immediately if a foreign device has
connected to the network. Encryption and control of USB ports on
all laptops are also underway.
Encryption
He says organisations must consider whether they need widespread
or targeted encryption.
"Not everybody in an organisation will have access to
confidential information so is a one-size-fits-all solution
needed?" he asks. "A lot of companies are going for it because it
gives them assurance that every laptop is encrypted.
"Firms should also look at encrypting USBs, CDs and memory
sticks if they contain sensitive data. The same applies to
back-ups."
Such is the fear of repercussions for organisations in the event
of losing sensitive data that the day could arrive when a laptop
without encryption is rare.
"I have seen a huge increase in demand for encryption
technologies," says director of Vigitrust consultancy Mathieu
Gorge.
Digital rights management
Other non-obvious technologies can also play a part.
Digital rights management (DRM) - traditionally used in
preventing music piracy - could be turned upside down for the
alternative purpose of securely sharing information, says Gartner
research vice-president Jay Heiser. And he says some organisations
are already making use of it to do just that.
"There are lots of ways to control data on other people's
desktops, such as enterprise DRM," he says.
"It is awkward to use but offers a great deal of potential for
the secure sharing of data. DRM has been used for situations (in
the music industry) where the inconvenience outweighs the
benefits.
"Citrix is another option. It allows designated users to look at
data, but not save it."
Keeping contractors under control is an ideal use.
"Outsourcers are using Citrix or virtualisation to access
information through a controlled environment," he says. "There are
a lot of really interesting experiments going on.
"With this approach, people will not automatically expect to
download data to a hard drive and do what they want with it."
Storage
Heiser believes sloppy storage of prized information on laptops
will be consigned to the past.
"It is not going to be the case where we allow widespread
storage of personal data on laptops and data sticks," he says.
"We expect laptop and hard drive encryption to become
ubiquitous."
Organisations can rely on encryption and port control to take
care of the two most common channels for information loss,
according to Edy Almer of Safend, which specialises in data
leakage.
"They both cover the two most common leakage vectors - copying
to external devices, and loss of devices/machines," he says.
The next on the list should be e-mail and web filtering
products, which offer protection from web and e-mail leakage. "It
is definitely possible to plug leakage but you can never avoid 100%
of incidents, and there is no silver bullet.
"But you can avoid 99.5% of the easy data leakage incidents
using straightforward measures, end-user training and common sense.
The remaining 0.5% of malicious insider thefts of information
should be dealt with at the screening level."
Classifying data
However, no matter what pieces of IT kit are in place, there is
little chance of protecting sensitive information unless it is
recognised for what it is. And, surprisingly, some organisations do
not even realise who has what information where - let alone how to
classify data and protect it accordingly.
Heiser recommends dividing information into three risk levels:
high, medium and low.
"If you do not know what your high level risk data is there is
no point in paying for technology," he says. "Data loss prevention
software is only valuable to organisations that are highly
motivated."
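The two points the article makes above - that encryption and port control cover the most common leakage vectors, with e-mail and web filtering next, and that none of that kit is worth paying for until you know which data is high risk - come together in a classification-driven review. The script below is an added example, not code from the article or from any of the vendors it names. The classification rule (personal data is high risk, other confidential data medium, everything else low), the mapping of risk level to required controls, the `Asset` record and the inventory entries are all constructed assumptions for illustration; it also folds in the ISO 27001 leaver checklist mentioned later on the page, flagging devices whose owner has left without returning them.

```python
"""Classification-driven leakage control review (added example, hypothetical data)."""
from dataclasses import dataclass, field

# The three risk levels the article recommends, most serious first.
RISK_LEVELS = ("high", "medium", "low")

# Assumed mapping of risk level to the controls the article names.
REQUIRED_CONTROLS = {
    "high": {"encryption", "port_control", "email_web_filtering"},
    "medium": {"encryption", "port_control"},
    "low": set(),
}


@dataclass
class Asset:
    """One entry in a (constructed) asset inventory."""
    name: str
    owner: str
    personal_data: bool              # carries personal information
    confidential_data: bool          # carries other confidential business data
    controls: set = field(default_factory=set)
    owner_left: bool = False         # owner has left the organisation
    returned: bool = False           # device handed back on leaving


def classify(asset: Asset) -> str:
    """Assumed rule: personal data is always high risk (the regulator expects
    it encrypted), other confidential data is medium, everything else low."""
    if asset.personal_data:
        return "high"
    if asset.confidential_data:
        return "medium"
    return "low"


def control_gaps(asset: Asset) -> set:
    """Controls required for the asset's risk level that are not in place."""
    return REQUIRED_CONTROLS[classify(asset)] - asset.controls


def leaver_gap(asset: Asset) -> bool:
    """True when the owner has left but the device was never handed back."""
    return asset.owner_left and not asset.returned


def review(assets):
    """Return findings as (risk_level, asset_name, description), highest risk first."""
    findings = []
    for a in assets:
        level = classify(a)
        missing = control_gaps(a)
        if missing:
            findings.append((level, a.name,
                             "missing controls: " + ", ".join(sorted(missing))))
        if leaver_gap(a):
            findings.append((level, a.name,
                             f"owner {a.owner} has left but device not returned"))
    # Stable sort keeps inventory order within the same risk level.
    findings.sort(key=lambda f: RISK_LEVELS.index(f[0]))
    return findings


# Constructed sample inventory; names and owners are placeholders.
INVENTORY = [
    Asset("LAPTOP-01", "alice", personal_data=True, confidential_data=True,
          controls={"encryption", "port_control", "email_web_filtering"}),
    Asset("USB-07", "bob", personal_data=True, confidential_data=False),
    Asset("PHONE-12", "carol", personal_data=False, confidential_data=True,
          controls={"encryption", "port_control"}, owner_left=True),
    Asset("KIOSK-03", "dave", personal_data=False, confidential_data=False),
]


if __name__ == "__main__":
    for level, name, detail in review(INVENTORY):
        print(f"[{level.upper():6}] {name}: {detail}")
```

Run stand-alone it prints two findings: the unencrypted USB stick holding personal data (high) and the phone whose owner has left (medium); the fully protected laptop and the low-risk kiosk produce nothing, which is the point of classifying first - controls are spent where the risk is.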
Staff
Mathieu Gorge has seen firms even failing to notice missing
equipment when staff leave.
He says, "Data leakage prevention is even more important at the
moment because of the current economic climate.
"Because so many employees are being made redundant, there is a
lot of information leaving with them.
"In a climate where it is difficult for them to find work, they
may be tempted to take data away.
"I have seen organisations where mobile phones were not handed
back after staff left and the bill was still being paid by the
company.
"Information security standard ISO 27001 recommends companies
have to go through a checklist when staff leave - so they return
the USB keys and so on. But right now companies are so engrossed in
reducing costs that when people leave they do not go through
practices the right way."
A survey by IT security firm Cyber-Ark explores the effects of
the recession in testing employee loyalty. The survey found that
more than half of 600 employees in the UK, US and Holland had
downloaded competitive data to use as a negotiating tool for a
future post.
When considering the possibility of losing their job in the
recession, 71% said they would take private company data with them
to their next employer.
Even when employers believe data was genuinely lost and not
stolen, they still have their work cut out.
Although most misplaced storage devices containing confidential
information are likely to stay lost forever without ever reaching
the wrong hands, companies cannot take that chance.
"I do not think that huge amounts of criminal activities are
being supported through the fortuitous finding of USB drives," says
Heiser. "Most data reported lost is truly lost and there are no
consequences, but it is impossible to know for sure. There is no
way of checking."
Although criminals rarely stumble upon a lost machine containing
hoards of information by chance, companies still have to prepare
for the worst. No doubt investing in DLP may make them feel like
they have at least made a step towards plugging gaps. And there are
plenty of solutions to choose from, as high-profile incidents have
catapulted DLP into becoming a formidable market opportunity.
The market
When HMRC lost 25 million records on two CDs, to the disgust of the
general public and media, it made everyone sit up and take DLP much
more seriously. It also opened the opportunity for weighty sales
pitches on the back of the disaster.
And with about 50 companies saying they are offering data
protection solutions at the London Infosec show this month, plenty
have grasped the chance.
Big players - including Symantec, which acquired a technology in
the field, and HP - have laid claim to the market along with
expanding firms, such as Credant.
The DLP market definitely has a buzz, but its sober role lies in
helping IT security managers avoid a nightmare security
leakage.
"Despite the marketing hype, some of the DLP products are not as
easily implemented as some may have you believe," said
Alldrick.
Hype can only go so far, after all. But companies need DLP
products to steer them away from information blunders
indefinitely.