Stamp out data loss

Data loss prevention (DLP) technology has plenty of hype blowing its sails, but it is also being carried along by a serious undercurrent. Organisations have no choice but to follow its drift - they have to take it seriously. UK watchdogs the Information Commissioner (ICO) and the Financial Services Authority will come down hard with fines, not to mention possible public humiliation if slack security policies lead to data loss.

Data loss prevention (DLP) technology has plenty of hype blowing its sails, but it is also being carried along by a serious undercurrent. Organisations have no choice but to follow its drift - they have to take it seriously. UK watchdogs the Information Commissioner (ICO) and the Financial Services Authority will come down hard with fines, not to mention possible public humiliation if slack security policies lead to data loss.

And the more constructive and preventative steps taken now, the better, experts believe.

Unless firms and other organisations are seen to be plugging the leakage of information, they will bring greater policing on the industry as a whole, fears Marcus Alldrick, head of information protection and continuity at Lloyd's of London.

"People cannot ignore what the Information Commissioner's Office (ICO) says about protecting laptops," he says. "If it carries personal information then it is expected to be encrypted. Unless organisations take on responsibility for protecting information then they will get prescribed legislation to keep them in check. "Every organisation needs to look at leakage channels."

Alldrick has come up with some basics that are in danger of being overlooked, including making sure disposed office furniture drawers are clear of electronic devices or paper.

His tactics focus on making security of benefit to the business. Another example is requiring an employee to walk to a printer and enter identification before receiving print-outs, which is one simple way of keeping confidential data away from prying eyes.

"This does not just have a security benefit," he says. It makes people think before printing so less paper is wasted along with toner, ink and so on. "I am also talking about confidential waste being separated out from other paperwork, these things are not difficult."

His firm tackles information leakage through a number of methods. Networks are segregated for Lloyds Corporation, the market, and outside network. Agents on each endpoint machine mean it is possible to immediately spot if a foreign device has connected to the network. Encryption and control of USB ports on all laptops is also underway.


He says organisations must consider whether they need widespread or targeted encryption.

"Not everybody in an organisation will have access to confidential information so is a one-size fits all solution needed?" he asks. "A lot of companies are going for it because it gives them assurance that every laptop is encrypted.

"Firms should also look at encrypting USBs, CDs and memory sticks if they contain sensitive data. The same applies to back-ups."

Such is the fear of repercussions for organisations in the event of losing sensitive data that the day could arrive when a laptop without encryption is rare.

"I have seen a huge increase in demand for encryption technologies," says director of Vigitrust consultancy Mathieu Gorge.

Digital rights management

Other non-obvious technologies can also play a part.

Digital rights management (DRM) - traditionally used in preventing music piracy - could be turned upside down for the alternative purpose of secretly sharing information, says Gartner research vice-president Jay Heiser. And he says some organisations are already making use of it to do just that.

"There are lots of ways to control data on other people's desktops, such as enterprise DRM," he says.

"It is awkward to use but offers a great deal of potential for the secure sharing of data. DRM has been used for situations (in the music industry) where the inconvenience outweighs the benefits.

"Citrix is another option. It allows designated users to look at data, but not save it."

Keeping contractors under control is an ideal use.

"Outsourcers are using Citrix or virtualisation to access information through a controlled environment," he says. "There are a lot of really interesting experiments going on.

"With this approach, people will not automatically expect to download data to a hard drive and do what they want with it."


Heiser believes sloppy storage of prized information on laptops will be resigned to the past.

"It is not going to be the case where we allow widespread storage of personal data on laptops and data sticks," he says.

"We expect laptop and hard drive encryption to become ubiquitous."

Organisations can rely on encryption and port control to take care of the two most common channels for information loss, according to Edy Almer of Safend, which specialises in data leakage.

"They both cover the two most common leakage vectors - copying to external devices, and loss of devices/machines," he said.

The next on the list should be e-mail and web filtering products, which offer protection from web and e-mail leakage. "It is definitely possible to plug leakage but you can never avoid 100% of incidents, and there is no silver bullet.

"But you can avoid 99.5% of the easy data leakage incidents using straightforward measures, end-user training and common sense. The remaining 0.5% of malicious insider thefts of information should be dealt with at the screening level."

Classifying data

However, no matter what pieces of IT kit are in place, there is little chance of protecting sensitive information unless it is recognised for what it is. And, surprisingly, some organisations do not even realise who has what information where - let alone how to classify data and protect it accordingly.

Heiser recommends dividing information into three risk levels: high, medium and low.

"If you do not know what your high level risk data is there is no point in paying for technology," he says. "Data loss prevention software is only valuable to organisations that are highly motivated."


Mathieu Gorge has seen firms even failing to notice missing equipment when staff leave.

He says, "Data leakage prevention is even more important at the moment because of the current economic climate.

"Because so many employees are being made redundant, there is a lot of information leaving with them.

"In a climate where it is difficult for them to find work, they may be tempted to take data away.

"I have seen organisations where mobile phones were not handed back after staff left and the bill was still being paid by the company.

"Information security standard ISO 27001 recommends companies have to go through a checklist when staff leave - so they return the USB keys and so on. But right now companies are so engrossed in reducing costs that when people leave they do not go through practices the right way."

A survey by IT security firm Cyber-Ark explores the effects of the recession in testing employee loyalty. The survey found that more than half of 600 employees in the UK, US and Holland had downloaded competitive data to use as a negotiating tool for a future post.

When considering the possibility of losing their job in the recession, 71% said they would take private company data with them to their next employer.

Even when employers believe data was genuinely lost and not stolen, they still have their work cut out.

Although most misplaced storage devices containing confidential information are likely to stay lost forever without ever reaching the wrong hands, companies cannot take that chance.

"I do not think that huge amounts of criminal activities are being supported through the fortuitous finding of USB drives," says Heiser. "Most data reported lost is truly lost and there are no consequences, but it is impossible to know for sure. There is no way of checking."

Although criminals rarely stumble upon a lost machine containing hordes of information by chance, companies still have to prepare for the worst. No doubt investing in a DLP may make them feel like they have at least made a step towards plugging gaps. And there are plenty of solutions to choose from, as high-profile incidents have catapulted DLP into becoming a formidable market opportunity.

The market

When the HMRC lost 25 million records on two CDs, to the disgust of the general public and media, it made everyone sit up and take DLP much more seriously. It also opened the opportunity for weighty sales pitches on the back of the disaster.

And with about 50 companies saying they are offering data protection solutions at the London Infosec show this month, plenty have grasped the chance.

Big players - including Symantec, which acquired a technology in the field, and HP - have laid claim to the market along with expanding firms, such as Credant.

The DLP market definitely has a buzz, but its sober role lies in helping IT security managers avoid a nightmare security leakage.

"Despite the marketing hype, some of the DLP products are not as easily implemented as some may have you believe," said Alldrick.

Hype can only go so far, after all. But companies need DLP products to steer them away from information blunders indefinitely.

Read more on IT risk management