Define your data leakage prevention (DLP) policies to weigh convenience against caution, and prioritize security when sharing, monitoring and managing information.
Data leakage is defined as unintentional or unauthorized transfer of sensitive information to unsanctioned outsiders. In our hyper-connected world, it happens all the time and can occur in any organization—sometimes by innocent mistake, sometimes by malicious design. And sometimes, the circumstances surrounding data leakage seem to defy common sense.
For example, in 2017, leading consumer credit reporting agency Equifax experienced a data breach exposing the personal information of 147 million people. A recent class action lawsuit against the company reveals that Equifax failed spectacularly in regard to basic data leakage protections leading up to the attack.
The company apparently used “admin” for both username and password access to a credit dispute management portal containing swaths of personally identifying information, failed to implement proper patching protocols and stored sensitive consumer data in plain text. According to U.S. District Court filings: “In addition to keeping sensitive data unencrypted in its own systems, it also failed to encrypt data being transmitted over the internet … and when Equifax did encrypt data, it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
While this data leakage example is particularly egregious (and expensive, having already cost the company $650 million), it’s by no means the only such case. And that’s why data leakage prevention (DLP) policies for every organization are essential.
Some of the most common causes of data leakage are also the most obvious: weak passwords, misaddressed email and misconfigured internal systems. The enterprise mobility movement has sparked a surge in cloud utilization, geographically dispersed teams, and bring-your-own-device (BYOD) operational models. This affords modern businesses a host of efficiency advantages and a great deal of flexibility. But it also means that a lot more potentially sensitive information is being shared and accessed among a growing assortment of personally owned and managed endpoint devices, which extends and complicates the data leakage threat landscape.
DLP policies provide organizations with a basic framework for managing this landscape and adapting to evolving data security best practices, while still capturing the benefits of enterprise mobility. Here are five DLP policy principles upon which to build a solid security strategy.
Classify: Organizations must be aware of what constitutes valuable and/or sensitive material and prioritize protection level before a DLP policy can be implemented. High-value classifications might include intellectual property, sales and/or payment data, financial data, customer data, governance or compliance data, employee tax or health data, etc. All of this information should be identified and classified to inform general policies on controls for safe data storage, access and exchange.
Observe: Monitoring the flow of sensitive information and the vectors through which it travels is foundational to DLP. It provides organizations with situational awareness, surfaces vulnerabilities and aids in detecting anomalous traffic that can indicate data leakage. Observable leakage vectors are the channels through which data flows and may include smartphones and laptops, email, collaboration software and chat tools, cloud or database storage, internal networks and the internet, printouts, USB drives, etc.
Track: In addition to observation, some form of logging aids DLP by accumulating an auditable history of data movement and access should leakage occur. You have to be able to trace what happened to remediate a problem. And logging can also aid in proactively setting or adjusting DLP policy as needs evolve, new usage patterns emerge and data classifications are added or recalibrated.
Alert: Elevating security awareness is one of the most powerful principles of DLP. In many instances, employees or partners circumventing organizational security processes or engaging in risky data-handling behavior are completely unaware of the danger. Education programs, pop-up alerts, usage option menus and automated email reminders that are generated by access to sensitive data or DLP policy violations can go a long way toward instilling a security mindset across the organization and reducing negligent data leaks.
Block: Nobody in the enterprise wants to be the gatekeeper who impedes business functions, which is a huge issue in DLP policy adoption. The fear is that too many controls on data access or movement will slow the pace of work and interfere with legitimate business transactions. However, in an age of proliferating cyberthreats, some form of blocking capability is required for effective DLP. Blocking doesn’t have to mean strict denial of access; it can involve simple authentication controls, quarantining and approval mechanisms for sensitive data transfer or automatically redacting or encrypting protected data in email.
Once More Unto the (Data) Breach, Dear Friends
To prevent data leakage, organizations have to decide how they’re going to go about sharing data, then monitor and manage that exchange. They have to weigh convenience against caution, prioritize data security, and determine who is authorized to send and receive sensitive data and what can or should be sent or copied.
Much of this information can then form the basis of a technical DLP configuration schema for deploying any number of enterprise tools that automatically implement rules for monitoring and protecting sensitive data. Even so, those rules first must be defined to be enforced.
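As an added example (not from the original article or from any DLP product), the five principles can be expressed as rules applied to outbound email: classify content, observe the recipient channel, log the decision, alert the sender, and redact or quarantine. The policy table, the `example.com` internal domain, the function names and the message format are assumptions made for illustration.

```python
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed policy: classification -> action on mail leaving the organization.
POLICY = {"payment_data": "redact", "employee_tax": "quarantine"}
SEVERITY = {"allow": 0, "redact": 1, "quarantine": 2}
INTERNAL_DOMAIN = "example.com"  # placeholder domain

def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(body):
    """Classify: return (label, span) for each sensitive match in the body."""
    hits = [("payment_data", m.span()) for m in CARD_RE.finditer(body)
            if luhn_ok(re.sub(r"\D", "", m.group()))]
    hits += [("employee_tax", m.span()) for m in SSN_RE.finditer(body)]
    return hits

def evaluate(msg, audit_log):
    """Observe, track, alert and block for one outbound message."""
    external = [r for r in msg["to"]
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    hits = classify(msg["body"]) if external else []
    action = max((POLICY[label] for label, _ in hits),
                 key=SEVERITY.get, default="allow")
    body = msg["body"]
    if action == "redact":
        # Replace from the end so earlier spans keep their offsets.
        for _, (start, end) in sorted(hits, key=lambda h: h[1], reverse=True):
            body = body[:start] + "[REDACTED]" + body[end:]
    elif action == "quarantine":
        body = None  # held for approval instead of delivered
    # Track: record labels and the decision, never the matched values.
    labels = sorted({label for label, _ in hits})
    audit_log.append({"from": msg["from"], "external": external,
                      "labels": labels, "action": action})
    alert = f"{action}: message contains {', '.join(labels)}" if hits else None
    return action, body, alert
```

The audit entry stores only classification labels and the action taken, so the log used for tracing a leak does not itself become a second copy of the sensitive data.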
There is probably no way to completely secure data in the modern world, but there are plenty of sound ways to reduce the risk of data leakage. A basic organizational DLP policy is one of them.