In a tough economy that breeds fragile customer loyalty, one of your greatest assets is your reputation. Should your organization experience a data breach, the downtime and the loss of trust can have a major impact. And of course, there are always the direct financial consequences of lost data to worry about, too.
Writes Moti Rafalin for Wired, "According to Gartner, data loss prevention (DLP) is the fastest growing segment of the information security market, and with good reason. The confluence of on-premise, cloud, mobile and social is creating massive amounts of potentially vulnerable data that is becoming more and more difficult to control."
So, how can you tackle the implementation of a DLP program within your business?
5 Necessary Components of a Healthy Data Loss Prevention Program
There are numerous steps to creating a usable, stable DLP program. But the ability to take each step depends on your understanding of each underlying aspect of data loss — and there's a lot more to it than the security tools that so often dominate the conversation.
You've probably heard the scary statistics. Insider threats are cited as responsible for 43 percent of data loss, split roughly evenly between intentional and accidental. That's why your employees are the most important aspect of your DLP program.
"If I am an external threat actor and I'm going to steal information, I’m either going to physically take it (as in, steal the hardware), steal it using digital access I create myself, or somehow connect the dots through the maze and find how I can get to that information through people," says Devi Momot, CEO of Twinstate.
One common method of attack is social engineering, where an attacker directly approaches the weak link (someone within your organization) and manipulates that person into granting access. This attack might take the form of someone posing as a maintenance worker who asks for physical access to a server, or of an email that appears to come from a trusted colleague's address. The possibilities are endless. Imagine, for example, you received an email from your peer that simply asked, "Are you there?" If the email is illegitimate and you reply "Yes," you have told the threat actor that the address is live, that you respond to that sender, and that a conversation is open. That conversation is the foothold: the next message asks for a wire transfer, a password, or a click on an attachment, and it arrives from a sender you have already trusted once.
"Adversaries are taking a targeted, specific approach to fly under the radar and do exfiltration through the human component," says Momot.
Because employees are typically trusting, they are your weak link, and so they are the attacker's target. One of the necessary steps in your program, therefore, is addressing your employees' collective and individual knowledge of, and attention to, possible threats.
You can address that knowledge through continued, quality awareness training. Twinstate recommends that roughly 50 percent of your organization's data loss prevention time be spent on training and awareness. With this education, your employees may discover a slow-motion crisis at hand that they hadn't thought to look for. There is a balance, though, between outright fear and total obliviousness, and that balance is the next important component of a strong program.
Use healthy paranoia as your guidepost. The goal of awareness training is to get your employees thinking, so that they slow down and make good decisions about who and what to trust. The goal is not to terrify them with an overwhelming list of undetectable and unmanageable threats.
By maintaining that healthy paranoia, both your own and your organization's, you will be better placed to address each threat: you know what to expect, and what you expect you can plan for.
And when it comes to data loss prevention, planning is your greatest ally.
"If you do have incidents that occur...you could weather it in such a way that your customers never know about it and there is no negative financial impact," says Momot.
"You maintain the active role in a way that’s pre-planned. You already talked about continuity of operations and incident response plans (IRP), and you're prepared to have it occur so you can survive it," Momot says. "Because there's an incredibly high likelihood that you will be breached."
The success of your program will be shaped by your willingness to understand the value of backup plans and IRPs, not by your willingness to turn a blind eye. Start with healthy paranoia, maintain it, and a definitive plan for recovery will almost certainly follow.
Latest generation of security tools
Of course, that paranoia can only reach as far as your human interactions unless you also have current security tools and testing capabilities. Your employees need to be aware, but your organization also needs the technical controls to detect threats such as malware, especially in the instances when an intrusion does slip past your people.
"The vast amount of malware that’s being thrown into our environment is not detectable by traditional methods or environments," says Momot. "So we need to implement additional tools and sensors. A security partner can provide tools that don’t just do the visual inspection, but also look inside the environment."
A digital PET scan and your finger on the pulse
A PET scan uses a radioactive tracer to look for disease in the body and to show how organs and tissues are functioning. You need the IT equivalent for your network in order to build a healthy data loss prevention program. Why?
"If you have a particular server in your business with a lot of financial or technical information, or one that simply holds a majority of your data, that represents a huge loss," says Momot. "You might want to put that under a digital magnifying glass. Find out who's there, what they're doing, whether it's out of the ordinary or not."
A large percentage of data breaches are discovered months after the fact, and often by a third party rather than by the victim. That leaves you no chance to manage your own message, and it forfeits the window in which a quick response can limit the damage, a task easier said than done. So your organization always needs a finger on the pulse: know where your sensitive information lives, how it is being accessed, by whom, and when.
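As an added example (not part of the original article, and not Twinstate's tooling), here is one way to put a single sensitive server "under a digital magnifying glass" in the sense described above: build a per-user baseline from a week of known-good access events, then flag later accesses that deviate in source host, hour of day, or volume. The log format, the sample lines, and the thresholds are all constructed for illustration and would be replaced by your server's real audit log and tuned to your environment.

```python
"""Baseline-and-deviation review of access to one sensitive file server.

Constructed example: the log format and the sample lines are invented for
illustration; real events would come from the server's own audit log.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed "normal week": ISO timestamp, user, source IP, action, path, bytes.
BASELINE_LOG = """\
2016-06-06T09:12:04 alice 10.1.4.21 read /finance/q2/ledger.xlsx 412000
2016-06-06T14:30:11 alice 10.1.4.21 write /finance/q2/ledger.xlsx 418000
2016-06-07T10:02:47 bob 10.1.4.33 read /finance/q2/ar_aging.csv 88000
2016-06-07T16:45:09 alice 10.1.4.21 read /finance/q2/ledger.xlsx 418000
2016-06-08T11:20:33 bob 10.1.4.33 read /finance/q2/ap_open.csv 91000
2016-06-09T09:55:18 bob 10.1.4.33 read /finance/q2/ar_aging.csv 88000
2016-06-10T13:05:00 alice 10.1.4.21 read /finance/q2/budget.xlsx 250000
"""

# Constructed events from the following week, to be reviewed against the baseline.
REVIEW_LOG = """\
2016-06-13T09:40:12 alice 10.1.4.21 read /finance/q2/ledger.xlsx 418000
2016-06-13T02:17:55 bob 10.1.4.33 read /finance/q2/ar_aging.csv 88000
2016-06-13T10:05:30 bob 203.0.113.17 read /finance/q2/ap_open.csv 91000
2016-06-13T10:06:02 carol 10.1.4.50 read /finance/q2/ledger.xlsx 418000
2016-06-13T15:10:44 alice 10.1.4.21 read /finance/q2/all_statements.zip 9800000
"""

HOUR_MARGIN = 1     # assumed: tolerate one hour either side of observed working hours
VOLUME_FACTOR = 10  # assumed: flag a single transfer this many times the user's largest seen one


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    path: str
    nbytes: int


@dataclass
class Profile:
    sources: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    max_bytes: int = 0


def parse_log(text):
    """Parse the constructed whitespace-separated format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, path, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, action, path, int(nbytes)))
    return events


def build_baseline(events):
    """Per-user profile of where from, at what hours, and how much they normally access."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.sources.add(e.src)
        p.hours.add(e.ts.hour)
        p.max_bytes = max(p.max_bytes, e.nbytes)
    return dict(profiles)


def review(baseline, events):
    """Return (event, reason) pairs for accesses that deviate from the baseline.

    Absence from this list means "looks like last week", not "safe": if the
    attacker was already active during the baseline week, their behaviour is
    part of what counts as normal here.
    """
    findings = []
    for e in events:
        p = baseline.get(e.user)
        if p is None:
            findings.append((e, "no baseline for user"))
            continue
        if e.src not in p.sources:
            findings.append((e, f"new source {e.src}"))
        lo, hi = min(p.hours) - HOUR_MARGIN, max(p.hours) + HOUR_MARGIN
        if not lo <= e.ts.hour <= hi:
            findings.append((e, f"off-hours access at {e.ts.hour:02d}:00"))
        if e.nbytes > VOLUME_FACTOR * p.max_bytes:
            findings.append((e, f"volume {e.nbytes} exceeds {VOLUME_FACTOR}x baseline max {p.max_bytes}"))
    return findings


def review_sample():
    """Run the review over the constructed logs above."""
    return review(build_baseline(parse_log(BASELINE_LOG)), parse_log(REVIEW_LOG))


if __name__ == "__main__":
    for e, reason in review_sample():
        print(f"{e.ts.isoformat()} {e.user:6} {e.src:14} {e.path}: {reason}")
```

On the constructed data this surfaces four events: bob reading at 02:17, bob reading from an address never seen before, an account (carol) with no history on this server at all, and alice pulling a 9.8 MB archive when her largest previous transfer was 418 KB. Each is a reason for a person to look, not a verdict; the point of the exercise is to know who is there and what they are doing before a third party tells you months later.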
Such heightened awareness and the ability to respond quickly to threats might require the partnership of an organization that can devote resources to these efforts full time.
Beginning DLP Program Implementation
Becoming that aware is difficult without access to the right resources. If you're ready to successfully execute awareness training, scanning, testing and planning, an investment in partnership is a wise consideration.
Too often, organizations treat spend on security work such as vulnerability scans and penetration testing as an expense. Instead, view that spend as an investment. Consider this: your risk exists whether or not you do something to mitigate it, and doing something is better than doing nothing.
And fortunately, in today's threat environment, highly cost-effective options for network monitoring and remediation planning do exist. Choose a partner and get started so you can reduce the risk of breaches, respond better to ones that do occur, maintain customer loyalty and of course, hold tightly to your strong reputation.
Originally published on 06/16/2016