Our businesses use an ever-increasing amount of data in their day-to-day operations. We use, collect, and share data for everything from accounting to marketing and customer communications. This data then flows in and out of our organisations to remote workers, partners, customers, and more. What’s more, a lot of the data we hold can be either extremely valuable, intellectual property, regulated or highly sensitive such as personally identifiable information which must be protected by law. This is where Data Loss Prevention Best Practices comes into play.
Data Loss Prevention (DLP) as a concept is a set of policies, practices and solutions that aim to prevent sensitive information from being lost, misused or accessed by unauthorised users. DLP strategies not only aim to protect against external threats but internal risks such as human error and accidental deletion of data.
DLP software uses rules to find and classify data so that levels of risk can be established. It is then possible to put extra layers of protection in place where needed. Moreover, DLP technologies can automatically detect anomalous behaviour, identifying violations of policies, and triggering responses, such as alerts and encryption.
With data breaches hitting the headlines on an almost daily basis, we are only too aware of the costs. Not only financially damaging, when a data breach hits, it can also have a major reputational impact.
We must safeguard our data not only as it is a legal requirement, but to ensure it doesn’t end up in the wrong hands. A wave of strict data protection regulations worldwide, such as the EU’s General Data Protection Regulation (GDPR) and Australia’s Notifiable Data Breaches Scheme, have made businesses even more accountable for the data they collect and process, with significant fines for non-compliance. However, keeping track of such a huge volume of data and gaining visibility can be a significant challenge, especially when multiple platforms, applications, and services are used simultaneously on many devices. This is where DLP solutions come into play.
DLP solutions form a major part of an organisation’s data protection strategies. They use technology to identify, monitor and analyse the storage and movement of data. However, they also do so much more, technology being only one component of an effective DLP strategy. Some of the best practices every company should be using include:
Implementing a Centralised DLP Program
While most organisations realise the importance of DLP, it is often implemented in an ad-hoc fashion with various departments and teams doing their own things. When this happens, it is almost impossible to gain a holistic view of the organisation’s data assets, and a lack of visibility inevitably leads to weak data security. Organisations should implement a centralised DLP program to ensure that it is relevant to the whole business and its employees.
Conducting an Inventory Assessment
Before an organisation can protect its sensitive data, it needs to know what data it owns, where it is, and how it is stored. Data that is shared directly with customers or moves in and out of endpoints will be higher risk than data which resides in one secured area. Firstly, organisations need to evaluate the types of data they hold and the relevant value to the business. They then need to classify the data to determine whether it is sensitive, such as confidential information or intellectual property. Finally, they need to determine the level of risk and cost associated with the data, should it be compromised. Every industry’s regulatory code will be a good starting place for designating and classifying its information.
Establishing Data Handling and Remediation Policies
Once data has been classified accordingly, businesses should determine what users are permitted to do with it. This will include;
Policies may dictate blocking sensitive data from being transferred via unsecured channels, limiting how sensitive data can be sent to via email, and deleting or encrypting sensitive data on unauthorised computers. Government regulations, such as HIPAA or GDPR, will be in place for how certain categories of data should be handled. Policies and pre-configured rules should be enforced across the organisation, including a remote working policy with DLP tools that will work outside of the company network.
Setting Various Levels of Authorisation
Not only can sensitive data be stolen, but it can be accidentally overwritten or deleted by employees. Access management is vital to ensure that only authorised people have access to data within an organisation. Access to sensitive data should be limited to those who genuinely need to use it, depending on their roles and responsibilities. Authorisation should also be implemented based on devices, blocking USB and peripheral devices, or for example, implementing enforced encryption. DLP tools should enable organisations to set up different levels of authorisation based on users, devices, groups, or departments.
Investing in Educating Employees
Employee awareness and education should form a vital part of a successful DLP program. This should include the likes of classes, online training, and emails to not only educate but to continually reinforce the message. With a regular training program in place, employees will have a better understanding of the importance of data security and the role that they play in that. Training can also be designed to address any blind spots in employees’ data security practices with real-life examples. And, in some instances, penalties for breaching data security can also be used to improve compliance.
Having the right technology, tools, and processes in place is vital to your DLP program delivering on its promises. You need visibility of the types of data your organisation holds, and its movement across your business in order to create a well-planned strategy and deploy it successfully.
Infotrust has teamed up with cloud security partner, Netskope to help businesses with this problem. Infotrust and Netskope are offering a free, complimentary workshop to show organisations how they can gain greater visibility of their data, assets and applications in order to protect them more effectively.
Contact Infotrust today to find out more and set up a cloud risk workshop.
