Data Loss Prevention, DLP for short, is a phrase that should strike fear into everyone who does not take it seriously. And with good reason. Many companies have found themselves embroiled in legal battles, facing court cases, and even complete financial meltdown – all because their confidential data had walked out of the door. In many cases, literally.
From around 2006, companies began installing software and hardware, and implementing processes to ensure that their data was secure. Fast-forward to 2011. Is the security threat over? Are the horror stories of a company's confidential data being compromised a thing of the past? No. In fact the amount of data being lost daily has grown. In implementing DLP, most companies have missed a key and critical factor.
Meet Joe. Joe installed some very expensive software to monitor emails coming into and, more importantly, leaving his company.
Using this software, he scans for confidential data belonging to the company in the event that someone tries to leak it. At the same time, Joe installed software to encrypt data on users' laptops, and even forked out a bit more money to get some fancy software to identify and encrypt data on removable disks using an enforced policy.
Joe sleeps well at night, knowing that if anyone even tries to email or copy a file to take it outside the company, they will be caught and the threat will be mitigated.
Joe's employee printed the screen, walked to the fax machine and faxed it.
The fact of the matter is that DLP created a focus on tools, processes and hardware to secure almost every single part of the digital world - but left open one of the simplest, but most effective ways of losing data: people.
Ultimately, it will be via people that data walks out of a company. When it comes to doing something we should not be doing, humans have an inherent knack of finding a way.
But there is hope. When addressing DLP in your company, always ensure you address the 'people' aspect of that process as well. Approach it as a change of mindset in your company where employees become empowered to be responsible for their data.
Most data leakage occurs by accident. Would they leak the details of their private relationships by accident? No, because in their mind that data has a level of criticality and thus security. Educate users to view company data in the same way.
Of course, not all leaks are due to error, some are the result of malicious intent. In this case educate users on the consequences of leaking confidential data. Additionally, train employees to spot potential data leakage by others.
It's not about promoting a culture of suspicion, it's about promoting a culture of shared responsibility and accountability for what they see happening around them. It's about putting people back in the process, not just tools. Data in its simplest form is the cornerstone of business.
And people are the other cornerstone. Create an understanding of one by the other and the link between them will mean something more than just numbers on a disk.
Only by properly addressing the 'people' aspect, will DLP truly become the composite and holistic approach to securing data that it was always intended to be.
Dimitri Fousekis is a security architect for one of the largest mobile telecoms providers in Africa.
This was first published in January 2011