Is Data Loss Prevention Really Possible?

A friend and I were debating whether it is really possible to prevent data leakage? Personally I think it’s impossible to know an organisation’s rate of data leakage.

One of the problems is that the easier it is to copy data then the harder it is to control. I recall that back in my military days we had a process to manually log all signals classified as restricted or secret that came off the teleprinter, record each and every copy that was made, and identify to whom those copies had been distributed to. Each recipient down the line would have been required to do the same. Even with such tight controls in place, the documents would still get mislaid and go missing. And goodness only knows how many copies were really being made and of those copies how many were being logged.

In the corporate world data is completely out of control. I don’t think we can stop data leakage and the only way that we can have influence on the likelihood of it occuring is through a couple of fundamental controls, namely

1. Reduce and limit access to data

2. Control the “copyability” of data

That’s all fine if the data is stored within systems that provide suitable controls but it’s actually more likely to be in spreadsheets or other office document formats, on XML data streams, sitting in an email, in the fax machine, or on a forgotten print-out that went to the wrong printer on the wrong floor. It’s also sitting on systems that we don’t own belonging to the third parties we entrust to store our data. What do we know about the processes they have in place? We really have lost the game and the increasing number of data leakage incidents prove it. I’m sure that most, if not all, of the organisations we see being reported as having suffered a data leakage have processes in place that are supposed to prevent them from happening.

One of the errors we make is that we place emphasis on deliberate and malicious data theft while the reality is that most of it is accidental. And all we generally do to prevent accidental data leakage is stick up a few posters now and again that have inane captions on them such as “think before you click.” Click what?

Investment in technical controls (to monitor and prevent data being copied and printed) together with an eye-catching and relevant security awareness program are, I think, the most effective ways to mitigate risks associated with data leakage. There are also process based controls that need to be managed such as ensuring that the right levels of access are being granted to the right people, and of course, using encryption for data when it’s on mobile devices.

All that said, we also need to plan for when the incident happens. Let’s assume the worst and ensure that when it happens we’re ready for it and have the right people putting out the right messages.