DLP useless when companies fail to classify data

British companies are still failing to take simple steps to protect valuable data – mainly because they have still not classified which information is the most sensitive.

British companies are still failing to take simple steps to protect sensitive data – mainly because they have still not worked out which of their information should be protected and who should have access.

A poll of 250 companies by security firm Integralis AG probed attitudes to information asset management, and found that only 38 per cent – after being given a series of choices – defined part of information asset management as "ensuring that users are only able to access the bare minimum of information they are authorized to see and use." Most of the professionals surveyed felt their role was merely to structure information storage correctly and ensure smooth transfer of data.

The survey confirmed what many consultants at Integralis had suspected, as managing director Graham Jones explains: "We had been approached by several vendors of DLP (data leakage prevention) products, but when I mentioned this to my consultants, they burst out laughing. 'What are companies going to protect?' they asked. [DLP products] can protect data with credit card numbers in it or anything that is tagged as confidential, but they said that most companies don't have any policy for managing their information assets."
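The consultants' point can be made concrete. The following is an added example, not code from Integralis or from the article: a minimal DLP-style content check that blocks a document only when it carries a confidentiality label or contains a Luhn-valid card number, run over three constructed documents (file names, labels and contents are all made up here). The unlabelled board notes pass untouched because nothing has classified them.

```python
import re

# Constructed sample documents (not from the article): one labelled
# confidential, one holding a card number, one sensitive but unlabelled.
DOCUMENTS = {
    "pricing.xlsx": {"label": "confidential", "text": "Q3 margin targets by region"},
    "orders.csv": {"label": None, "text": "order 1042 paid with 4111 1111 1111 1111"},
    "merger_notes.docx": {"label": None, "text": "Board discussion of the proposed acquisition"},
}

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; cuts false positives on long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """True if any digit run in the text has a card-like length and passes Luhn."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def dlp_decision(doc: dict) -> str:
    """Block on a confidentiality label or a detected card number.
    With neither, the DLP has nothing to act on and lets the document through."""
    if doc["label"] == "confidential":
        return "block: labelled confidential"
    if contains_card_number(doc["text"]):
        return "block: card number detected"
    return "allow: no classification, no recognisable pattern"


def scan_all(docs=DOCUMENTS) -> dict:
    return {name: dlp_decision(doc) for name, doc in docs.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name}: {verdict}")
```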

The impression was backed up by other experts. Jamie Cowper, European head of marketing for encryption company PGP Corp., said: "Parts of government have done a good job on data classification, but most companies have not done any at all."

He said some companies were now tackling the problem by enforcing encryption in certain applications, or by file type; for instance, a spreadsheet could always be encrypted as a matter of policy. In other cases, Cowper said encryption was turned on automatically for anything generated by an individual user or a department.

But he admitted that most encryption purchases are prompted by events, such as a high-profile data loss, and are often bought by a department for its own needs, a decision which can lead to companies having several encryption systems and keys to manage.

"Encryption is the easy part, but you need to be sure you can decrypt it, too. Good key management and policies are essential," added Cowper. "You must have centralised management of the keys – if you need to keep information for many years, you may need to re-encrypt and move to different media types."

Alaa Owaineh, a security analyst at research firm Datamonitor plc, said most companies tend not to get round to classifying data, or implementing any kind of role-based access control. "The effort involved is huge, and the few deployments of role-based access control have not really achieved very much," he said. "There is no established best practice, and nobody really knows how to do it."

He described DLP as a "kneejerk reaction" to a problem that had not been properly analysed.

The consequences of failing to classify data, and control who accesses it, are magnified by the proliferation of mobile devices. A recent survey by database technology provider Sybase Inc. found that 80 per cent of business mobile devices contain potentially sensitive business information, but only 26 per cent of companies had deployed any form of encryption.

"In most cases, organisations leave it to users to undertake security tasks on their mobile data," said Mike Oliver, a marketing director for Sybase. "You can't leave it to users to ensure security; it's not their job."

* A separate survey by nCipher (recently acquired by Thales Group) found that even when encryption is implemented, many organisations fail to encrypt back-up tapes. Bryta Schulz, VP marketing for Thales Information Systems Security, said tapes were often left unencrypted deliberately, so that if encryption keys were lost, companies could at least access the backups.