Protecting essential information such as intellectual property and customer data is critical for businesses of all sizes, and when one considers the financial and legal ramifications of a data breach, it’s clear that even smaller organizations can’t afford to forgo data loss prevention (DLP) solutions.
Some critics erroneously claim that DLP solutions are too difficult or expensive for small and medium-sized businesses (SMBs). In practice, much of the confusion and expense in deploying DLP is the result of a flawed approach.
The key to a successful implementation of a DLP solution for an SMB is to do it right the first time. This article examines the steps to achieving a successful DLP solution implementation for small and medium-sized businesses.
Many SMBs face the same regulatory compliance demands as large enterprises, such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) standards, Sarbanes-Oxley and state laws governing the protection of individuals’ personally identifiable information (PII), and the list gets longer each year.
Couple these mounting compliance requirements with the fact that employees are increasingly mobile: connecting to the network via PDAs and BlackBerrys, carrying laptops to the local coffee shop, and using unsecured wireless Internet connections. Employees even copy company data to USB drives and iPod touches, which can easily be lost or stolen, to review while off-site. All of these common business practices increase the risk of a data breach.
Though small to midsize organizations may think they lack the financial or technology resources for a full-scale DLP rollout, deploying an effective DLP solution that protects essential information at a manageable cost of ownership can be straightforward if they follow four key steps:
Four Steps for Data Loss Prevention at Midsize Organizations
Step 1: Determine how important data loss prevention is in comparison to other security concerns by asking the following questions:
- What regulations must we comply with that involve confidential data?
- Do we know where all copies of our confidential data are stored?
- How is that information being used and shared inside and outside our organization?
- How do our employees exchange critical data with business partners and customers, and is it secure?
- What would happen to our business’ sales, customers and reputation if a data breach occurred?
These are just a few of the questions that should be asked to understand how important data loss prevention is to an organization.
Step 2: Define what data is deemed sensitive
Once data protection is deemed a priority, the second step is to define what exactly constitutes sensitive data for the business. The definition of sensitive information can vary greatly across industries and organizations.
It can include customer lists, company financial data, trade secrets, marketing plans, employees’ personal information and more. Protecting information will not look the same for a local credit union as for a mid-size retail chain.
Therefore, it’s critical that organizations review all functional areas including legal, finance, human resources, marketing and others to help identify sensitive information.
Step 3: Determine where the primary point of data control should be: at the endpoint, the network or data discovery – or a combination.
Now comes the time to consider what type of DLP solution is right for the organization. There are various offerings available today, promoting many different approaches to data protection. One way to narrow the list is to determine where the primary point of data control should be: at the endpoint, the network or data discovery – or a combination.
For many businesses, the appeal of endpoint technologies is the ability to protect intellectual property from theft or unauthorized dissemination – such as preventing someone from downloading the customer list onto a USB drive and walking out the front door.
In contrast, the value of network and discovery solutions lies in monitoring how information is used within the organization, so management can identify and correct faulty business processes, prevent accidental disclosures of sensitive data, and produce reports demonstrating compliance during audits.
A network-based approach is the most common starting point and often the easiest to integrate with existing network security technologies. Many midsize businesses choose to begin with just data discovery to understand where their sensitive data exists and determine their level of risk.
Step 4: Select the right DLP solution
Once it’s decided whether to begin on the network, endpoints or data discovery, the final step requires researching and evaluating competing solutions. Take advantage of the readily available research in published analyst reports to identify viable vendors and understand product capabilities.
Here are key criteria to consider when evaluating technologies:
- Flexibility – DLP solutions offered in a modular form, with separate modules that can be purchased for data discovery, data monitoring and data protection, can be more affordable for midsize businesses. By beginning with one primary point of data control, the cost of the DLP solution can be managed without compromising on its quality.
- Detection Accuracy – One aspect of quality that is particularly important is detection accuracy. A solution with a high level of accuracy lowers the cost of ownership by limiting the number of false positives and thus reducing the time spent administering the system. Look for solutions that provide accurate fingerprinting and advanced pattern detection techniques. Make sure the solution can accurately detect and classify not only structured data such as credit card numbers, but also unstructured data such as source code or intellectual property.
- Policy Framework – For an effective DLP implementation, choose a solution that can intelligently map data policies to your organization’s business processes. Solutions that understand the context around “who” is using the data, “how” they are using it and “where” they are sending it enable businesses to enforce protection policies for even the most complex forms of data. For example, an employee in the finance department should have the ability to send confidential financial information to certain people or places, but not post it somewhere in the blogosphere.
- Solution Coverage – DLP solutions should provide monitoring and enforcement across a broad array of communication channels including e-mail, Web, printers, instant messaging, peer-to-peer, streaming media, and others. Look for solutions that can scale to discover, monitor and protect all forms of data across both the network and endpoints like desktops, laptops, USB drives and printers.
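As an added illustration of the detection-accuracy and policy-framework criteria above (example code, not from the article or from Websense): a small Python detector that pairs a card-number pattern with a Luhn check for structured data, shingle-hashes a protected document so that excerpts are still recognised as unstructured data, and then applies a who/where policy. The departments, destination domains, sample order number and sample documents are constructed for this example.

```python
import hashlib
import re

# Naive pattern: any bare 16-digit run. Flags order numbers, misses spaced card numbers.
NAIVE_PAN = re.compile(r"\b\d{16}\b")
# Candidate pattern: 13 to 19 digits with optional space or dash separators.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def naive_pans(text: str) -> list[str]:
    """Pattern-only detection, kept for comparison: no checksum, so more false positives."""
    return NAIVE_PAN.findall(text)

def find_pans(text: str) -> list[str]:
    """Structured-data detection: pattern match plus Luhn validation."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def fingerprint(text: str, k: int = 5) -> set[str]:
    """Unstructured-data fingerprint: hash every k-word window, so excerpts still match."""
    words = text.lower().split()
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

def overlap(doc: str, protected: set[str], k: int = 5) -> float:
    """Fraction of the protected document's fingerprints that appear in doc."""
    return len(fingerprint(doc, k) & protected) / len(protected) if protected else 0.0

# Contextual policy keyed by (who, where). Constructed for this example; default is block.
POLICY = {("finance", "partner.example"): "allow", ("finance", "blog.example"): "block"}

def decide(department: str, dest_domain: str, message: str, protected: set[str]) -> str:
    """Allow non-sensitive traffic; otherwise apply the who/where policy, defaulting to block."""
    sensitive = bool(find_pans(message)) or overlap(message, protected) >= 0.3
    if not sensitive:
        return "allow"
    return POLICY.get((department, dest_domain), "block")
```

Running `naive_pans` and `find_pans` over the same text shows the accuracy difference: the checksum-free pattern flags a constructed order number and misses a space-separated card number, while the validated detector does the reverse.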
Ultimately, every organization – irrespective of size – must protect the information that is essential to its business.
A single data breach can have lasting repercussions. The good news is that even midsize organizations can affordably mitigate the risk of a data breach with the right combination of data protection policies and data loss prevention technology.
David Meizlik and Stephen Brunetto are product managers for Data Security Solutions at Websense. DLP blog: www.ondlp.com