All data is important to an agency, but some data is clearly more important -- and more valuable. For organizations that handle and need to protect financial data, personally identifiable information such as Social Security numbers, medical information, intellectual property and top-secret files, the stakes involved in safeguarding their information assets can be extremely high.
Fortunately, agencies can help stem the flow of data leaks by incorporating data loss prevention tools into an overall security strategy. These tools rely on identification, monitoring and response technologies to locate and block confidential data from exiting the enterprise -- whether done by accident or design.
The Cost of a Breach
According to a 2010 annual study by Symantec and the Ponemon Institute, the average organizational cost of a data breach is now $7.2 million, and the average cost per compromised record is $214. Those costs involve regulatory fines, a requirement to pay for ongoing credit monitoring for data loss victims, lost customers and diminished reputation.
Unfortunately, organizations lose data frequently, and most of this loss is self-inflicted. In fact, according to Symantec, about 75 percent of all data loss occurs because well-intentioned insiders don't understand how to handle confidential data and inadvertently expose sensitive data through careless use of day-to-day tools, such as e-mail, the web and USB drives.
It's easy to see how the risk of a data breach is now greater than ever. Unlimited access to the Internet coupled with unprecedented mobility and more access to networks have changed the security landscape. Today organizations faces a wide-open world, in which information can be easily shared and accessed anytime and anywhere by employees, partners, consultants, outsourcers, and others.
A Key Piece in the Security Toolkit
What is the No. 1 priority of chief information security officers today? Data security, says Andrew Jaquith, an analyst for Forrester Research. And that's a major reason why data loss prevention is one of the few budget line items to show steady growth in the largely flat security market.
In a 2010 Forrester survey of 1,031 IT decision-makers in the private sector, 15 percent of respondents said they had already deployed a DLP solution, 12 percent had plans to implement DLP and another 36 percent were interested in doing so.
"Data security trumped disaster recovery, identity and access management and regulatory compliance," Jaquith wrote of the survey results. "Unlike tangible assets, such as bricks, mortar and wheelbarrows, digital information is fungible, duplicates itself with zero marginal cost and can move in the blink of an eye."
Over the past decade, enterprises, to their benefit, have increasingly leveraged IT tools, networking and remote-access technologies to significantly improve communications, productivity and mobility. But that has proved a proverbial double-edged sword, as agencies have also inadvertently increased the risks of data loss.
The Right Solution
A DLP solution is not a panacea for security challenges, but used in conjunction with other security and risk-management tools and policies, it provides a critical layer of protection. Unlike most tools, which are designed to look at how information is flowing, DLP offers "content-aware" visibility.
"It's like having someone read every outbound e-mail or document to make sure that nothing inappropriate is being done with a company's most important data," says Robert Hamilton, senior product marketing manager at Symantec. "Of course, you'd need an army of people to do that. And so that's why DLP was invented.
This capability allows the enterprise to tie the tool directly to their internal security policies. If company policy dictates that Social Security numbers or data related to a specific initiative needs to be safeguarded, for example, a DLP solution can be programmed to analyze the content for keywords, text patterns, regular expressions, partial document matching and fingerprinting that indicate that type of data.
The number of DLP solutions on the market has been rising steadily over the past few years, and there is plenty of variation. DLP generally comprises three broad categories:
- Network protection: This module monitors and analyzes data in motion and typically looks at e-mail, instant messages, FTP sites and websites.
- End-point protection: This monitors PCs, workstations and mobile devices while in use. This solution can catch e-mail messages and instant messages before they're transmitted and stop users from saving files to removable media devices such as USB drives.
- Storage protection: This solution monitors data at rest in databases or other storage devices.
John Yun, a senior product marketing manager for Websense, one of the leading DLP manufacturers, says that organizations can buy "a little DLP," meaning they can opt for a specific-channel solution that focuses on, say, e-mail or the web (sometimes referred to as DLP lite) or a full-blown comprehensive solution that covers all broad categories.
Deciding which solution is right depends on these factors:
What types of data needs to be protected? Is it regulated? Who uses it and how? This exercise should be done up front long before the company starts researching products.
What scenarios are supported in day-to-day operations? Are there a lot of remote workers, or do most work at corporate offices using company desktops? Do employees take their work home with them, or do they use notebook computers at airports or coffee shops? Do employees rely frequently on cell phones for corporate communications and e-mail? Answering these questions will help determine the optimal DLP solution.
What's the value to the organization? Agencies need to look at the security tools they have in place and decide what DLP will bring to the table, given the data involved and the risk that would be incurred in the event of data loss.
What's the usability? DLP solutions come in a variety of flavors and involve a variety of technological requirements, with some being available through a simple download and others requiring installation on a large number of servers. The chosen solution should align with the company's capacity for complexity and its IT resources.
Depending on the coverage required and the number of employees involved, a DLP solution can represent a hefty investment, Yun notes. However, he adds, smaller agencies or those concerned about the cost can wade into the market slowly by starting with a channel-specific solution.
However, he says, companies should make sure they invest in a solution that is extendible; one that allows, if necessary, the addition of channel-specific modules or a move to a full-blown enterprise solution.
Conversely, choosing a full-strength DLP solution has its advantages. An organizationwide view of all data enables continuity of policy enforcement across the entire DLP effort, for example.
And because these types of solutions can integrate content discovery on the network (such as identifying organization-controlled credit card numbers or files containing sensitive data stored in the wrong location) with scanning of outbound traffic (typically combined with outbound web proxy), it's a lot less likely that any data will seep out undetected.