2 years ago - Blog Posts
Data loss happens every day. Whether it’s a high street retailer like TK Maxx, gaming giant Sony, or even the Department of Work and Pensions; the loss of sensitive data is endemic.
The reality is that, as more of our crucial information and systems go digital, the higher the risk of data loss or theft. Either through accident or targeted attacks by criminals, some data will be lost and potentially used for some unintended purpose. Gethin Jones, Senior Security Engineer at Check Point Software Technologies Ltd offers some useful advice on data loss prevention
Looking at the names of some of the high profile victims of data loss, it is worth remembering that there are tens of thousands incidents that never reach the public gaze. In some cases, the victim(s) are simply unaware that something has happened. Or worse that it’s still happening and nobody has noticed!
To gather some basic agreed terms. Data loss is what happens when sensitive information is exposed by an organization without owner’s permission and often in breach of a legal requirement of care. This can include personal information such as name, address, national insurance number, driving license, passport details, bank account details and a whole host of other data. This information can be used for activities such as fraud, identify theft or even areas such as blackmail, as in the incident at Ashley Madison, an adult dating service that specialised in married users that was breached last year.
Prevention is vital
Data Loss Prevention (DLP) is a broad catch all term that denotes technology and best practice processes that can reduce the risk that data falling into the wrong hands. DLP aims to combat the two main causes of data loss, of which the one of the most likely causes is still, human error. This can be as simple as sending out a critical spreadsheet to the wrong email address or losing USB sticks or laptops that contains sensitive information. Human error also includes basic cyber security bad practice such as disabling security controls to make system access easier, sharing passwords amongst groups or installing unapproved software on systems. Cyber-attack is the next most common cause and this can range from a corrupt employee stealing data from within to external hackers that look for an IT vulnerability to exploit that allows access to an organisation’s computer systems and databases.
Although it seems that data loss incidents are constant, there are a number of steps that every organisation both big and small can take to dramatically reduce the risk. These DLP strategies are formed around three key areas namely technology, process and people.
No magic bullet
Let’s have a look at the technology involved. No technology is going totally secure, no matter what you are told. I've worked in the security sector for 20 years, which has made me realise that there is always a security hole somewhere, no matter how small, even if it's just unprotected access to the air conditioning system.
Reliable technology well implemented and continually updated will dramatically reduce risk of accidental data loss and successful cyber-attacks but nothing is 100%. In the case of the latter, tougher security will simply make criminals look for somewhere else that is easier to breach, of which there are ample targets. Yet technology is always a fundamental starting point and a good recommendation is to look for a vendor and technologies that are dynamic as the threat is constantly changing.
Create a guideline
Next up are processes. This is a big concept but covers how you run your organisations and systems in a manner to make data loss less likely. For example, do you regularly copy sensitive data on removable media like DVD and USB devices? Do you use shared passwords for critical systems? How often do you review who has access to which systems? Do you encrypt data that sits on your servers or within databases? The list of process related questions can stretch on but essentially, organisations need to run secure processes to get the best out of any security system. Organisations of every size should have a basic data loss prevention strategy which is often part of best practice IT security guidelines. Technology can help automatically enforce some of these policies and make security best practice less of a burden on workers.
Partnership and people
Lastly, the most important element is people. There is a vast area of IT security technology that can help secure data which include areas like anti-virus, content inspection, access management and a whole host of new analytics and forensics technologies that can spot unusual activity to help ring the alarm when something bad maybe happening. This is then flagged for a more detailed inspection. Yet to get these systems to work within secure processes you need employees that are security aware. This includes well trained internal staff, supported by security experts like ANSecurity, that can ensure that the technology is appropriate for the level of risk, installed and configured correctly and maintained to meet the ongoing threat.
It may be easy to think that like a lottery win, it will never happen to your organisation. But in the same way that you set the alarm last thing at night or lock your car when you park in the local supermarket car park; there are groups out in the real world that are constantly targeting data. Data Loss Prevention can be as simple or as comprehensive as you want to make it, but the first step is always recognition that you need to do something. If you don’t, it’s your name in the papers or your switchboard lighting up with calls from customers or suppliers asking what happened to their data! A data loss lottery that you really don’t want to win!