The Revival of DLP
Over the past 12 months we’ve seen a large number of customers embarking on Data Loss Prevention (DLP) projects that either look to overhaul or optimise their DLP strategy. Despite the well-known complexity and difficulties that come with these projects, companies are still seeing it as a priority and challenge that needs to be addressed now more than ever. But why is this?
People want privacy
According to the Economist in 2017*, data is now the most valuable asset of the 21st century, outstripping oil (the most valuable asset of the 20th century). As individuals we experience organisations collecting data on us every day: banking, insurance, healthcare, social media, our employers, and the list goes on. Having control over where and when this data is used has therefore become imperative for us all.
For the most part, we’ve seen governments and agencies recognise this and implement more comprehensive legislation that protects the public’s data and privacy. One example is Australia’s Notifiable Data Breaches Scheme, which makes businesses more accountable for reporting when they have experienced a data breach and requires them to notify the affected persons as quickly as possible so those persons can take any necessary action.
Further to this, the Federal Government has announced that later this year there will be major changes to the Australian Privacy Act. These updates will introduce additional powers for the Office of the Australian Information Commissioner (OAIC) and larger fines for organisations that are found misusing personal data. Organisations found to be misusing individuals’ personal data will potentially face fines of $10 million or 10% of their annual domestic turnover, whichever is greater. These updates will bring the Australian Privacy Act more in line with the General Data Protection Regulation (GDPR) that came into effect in May 2018 (read our previous blog post here).
Most recently, we’ve seen for the first time a past data breach have a negative effect on a company’s Moody’s rating^: Equifax’s outlook was moved from ‘stable’ to ‘negative’ due to its 2017 data breach and the ongoing fallout from it.
The challenges of DLP
So, as individuals are looking to companies to ensure that their personal data is protected and accounted for, how are organisations actually addressing this? Do they have visibility of where their data resides? Do they have the correct controls in place to identify critical data and to detect when data is lost or maliciously removed?
These are all questions that an organisation looks to answer, but it often runs into hurdles that make the process difficult and frustrating.
- It’s complicated – Companies are often battling with complex infrastructures that have a blend of legacy on-premise systems and cloud-based applications.
- It’s not classified – Classifying data within an organisation is time-consuming and difficult, but it is necessary for a DLP project to be successful. Many businesses have only some kind of legacy data classification structure in place.
- It’s uncontrollable – Most businesses have an idea or know what controls and data loss prevention policies they have/would like to have in place but have trouble enforcing them.
So, how can organisations tackle these challenges?
Start with the basics
What data classifications does your organisation need? What makes sense to your business and what is most important? Many businesses come across hurdles when they haven’t fully understood their organisation’s DLP requirements and therefore find themselves forced to use a technology that does not work for them. It is important that a thorough scope of the project is completed before a DLP or CASB solution is evaluated. Think about what your business is trying to solve, and whether you have the complete picture of your business-critical data, before you embark on the project. Which brings us to our next point…
Speak to your stakeholders
Speaking to other stakeholders of the business, such as legal and HR, gives you valuable insight into where your business-critical data resides, who is accessing it and how it is used. This is invaluable at the start of any DLP project. No matter how well you think you know your company, you might be surprised at what you find when you delve a little deeper under the hood. This intel can help you determine what processes and controls need to be put in place to mitigate risk across the organisation. It also means that you are able to prepare for, and minimise, any disruption to the organisation during the DLP implementation.
Phase it in
Companies will often attempt to deploy DLP solutions all at once, without taking potential business disruption into consideration. By taking a calculated, phased approach to the rollout, businesses can minimise disruption and tackle any potential issues one at a time. Completing the deployment in phases also gives organisations the opportunity to learn at each stage and make adjustments where necessary, so the project progresses more smoothly and gains the confidence of other stakeholders and senior management.
Stay tuned for next week’s article where we’ll share how we work with our customers to assess their current DLP capabilities, by mapping their business needs against their current technology stack and giving them actionable insights into how they can improve their DLP strategy.
* The Economist – The world’s most valuable resource is no longer oil, but data
^ CNBC – Moody’s downgrades Equifax outlook