Is Data Loss Prevention Really Possible?

A friend and I were debating whether it is really possible to prevent data leakage? Personally I think it’s impossible to know an organisation’s rate of data leakage.

One of the problems is that the easier it is to copy data then the harder it is to control. I recall that back in my military days we had a process to manually log all signals classified as restricted or secret that came off the teleprinter, record each and every copy that was made, and identify to whom those copies had been distributed to. Each recipient down the line would have been required to do the same. Even with such tight controls in place, the documents would still get mislaid and go missing. And goodness only knows how many copies were really being made and of those copies how many were being logged.

In the corporate world data is completely out of control. I don’t think we can stop data leakage and the only way that we can have influence on the likelihood of it occuring is through a couple of fundamental controls, namely

1. Reduce and limit access to data

2. Control the “copyability” of data

That’s all fine if the data is stored within systems that provide suitable controls but it’s actually more likely to be in spreadsheets or other office document formats, on XML data streams, sitting in an email, in the fax machine, or on a forgotten print-out that went to the wrong printer on the wrong floor. It’s also sitting on systems that we don’t own belonging to the third parties we entrust to store our data. What do we know about the processes they have in place? We really have lost the game and the increasing number of data leakage incidents prove it. I’m sure that most, if not all, of the organisations we see being reported as having suffered a data leakage have processes in place that are supposed to prevent them from happening.

One of the errors we make is that we place emphasis on deliberate and malicious data theft while the reality is that most of it is accidental. And all we generally do to prevent accidental data leakage is stick up a few posters now and again that have inane captions on them such as “think before you click.” Click what?

Investment in technical controls (to monitor and prevent data being copied and printed) together with an eye-catching and relevant security awareness program are, I think, the most effective ways to mitigate risks associated with data leakage. There are also process based controls that need to be managed such as ensuring that the right levels of access are being granted to the right people, and of course, using encryption for data when it’s on mobile devices.

All that said, we also need to plan for when the incident happens. Let’s assume the worst and ensure that when it happens we’re ready for it and have the right people putting out the right messages.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Stuart: I have to ask whether you consciously mixed terms between the title of your article and the body. Specifically, you asked in the title if "Data Loss Prevention [is] Really Possible?" but in the body you asked if it " really possible to prevent data leakage?" In my opinion, these are two different issues, albeit with some degree of subtlety. I'm interested in your position. Rather than color your answer, I'll respond after you do... Do you consider loss versus leakage different? /Hoff
Is There a Difference Between Data LOSS and Data LEAKAGE Prevention? I was reading Stuart King's blog entry titled Is Data Loss Prevention Really Possible? Besides a very interesting and reasonable question to ask, I was also intrigued by a differnce I spotted between the title of his article and the
Thanks for the comment. I don't see an issue with mixing the terms - just a different way of saying the same thing. "Data loss prevention" seems to be becoming the new bandwagon term. What do you think?