Keep the lid on leaks

Whether accidental or deliberate, data loss causes major headaches, so a rigorous – and regularly updated – protection strategy is vital

Data leaks and losses have been with us since the earliest days of PCs in the 1980s. The good news is that solutions to them have also been available to PC users since the middle of that decade: as each new leakage or loss risk was discovered, the industry developed an increasingly sophisticated range of countermeasures.

However, the arrival of the internet in the late 1990s changed the game significantly and neither the best security technologies of the period nor security best practice could prevent a raft of leaks and losses.

Unfortunately for management and IT professionals in particular, Moore’s Law – the assertion by Intel’s co-founder Gordon Moore in 1965 that the power of technology would double every two years – meant that the latest data loss prevention (DLP) systems became outmoded almost as quickly as IT departments could deploy them.

A classic example of this is the internet which, despite what many users think, actually started in the 1960s, but took until the late 1990s before mass-market acceptance of the technology meant that information sharing became a reality.

This meant that 1980s managers and IT professionals were frequently hit by data thefts and losses as a result of new technology being introduced to the office before they had a chance to analyse the technology and evolve protective systems.

Even at the start of the 21st century, IT managers were caught on the hop when the first USB sticks, known as DiskOnKeys, were imported by IBM from the Far East in early 2000.

According to Bob Tarzey, an analyst and director with IT research firm Quocirca, data losses fall into two broad categories: accidental and deliberate.

“From the point of view of the Information Commissioner’s Office, a data loss, regardless of how it occurs, is a compliance issue. But it’s important for managers to realise that if a deliberate data loss has taken place, then that data is compromised,” he says.

“Yes, there will be situations, such as the theft of a laptop from an organisation, where the data goes with the machine but, generally speaking, if the criminals are after the data [specifically], then the company it has been taken from must assume it is compromised,” he adds.

To select the best DLP solution, Tarzey says that companies have to divide the data they are protecting into two categories: personally identifiable data (such as people’s information) or company data (for example, new product plans or strategies).

Once this process is completed, managers can select what level of protection they need to apply, a criterion that is further defined by the importance of the data and the business sector involved.

“For example, the finance sector will need a different type of DLP and protective system from, say, the pharmaceutical sector, where plans for new drugs could be worth a great deal of money to third parties,” says Tarzey.

This introduces the issue of compliance. If the data protection is purely for compliance purposes, then clearly you need a DLP system that meets the needs of the regulations or laws involved.

“If your data security is compliant with the required legislation, then great. But if the data that needs protecting is critical to the future of the company, then you need far greater levels of DLP and security than you would for simple compliance needs,” he says.

Even in this situation, Tarzey advises that in today’s IT-savvy business environment, DLP can never be the whole security story as most companies will have to view their DLP strategy as part of a larger data security solution.

For example, even if the data is encrypted on an IT system, there is still the risk of deliberate data losses caused by staff and allied third parties.

“The end result is that you always have to defend the endpoint as well as using standard DLP defences and encryption,” Tarzey says, adding that it almost certainly entails developing a DLP system as part of a larger, complete set of IT security defences.

“And since we’re talking about remote users here as well, you then have to choose how you handle remote users. Do you route all their data traffic, suitably encrypted, via the central IT systems, or do you allow remote users to securely handle their own traffic?”

Steve is technical editor on Infosecurity magazine. He also writes on cellular and communications matters.