Is There an Edward Snowden Type Lurking in Your Organization?
Can you afford to wait for the call revealing your data has been distributed on the internet or leaked to a competitor? A common dilemma facing organizations grappling with their data protection strategy is that DLP seems just too complicated to implement - unless you have a regulatory compliance auditor breathing down your neck. So what is the alternative? Sit back and wait for the dreaded phone call that your information has been stolen or leaked?
The concept of data loss prevention (DLP) as a solution to data theft continues to mature. It is better understood as a common control within the standard of due care as large and small organizations increase their deployments. The good news is more and more organizations have become savvy enough to avoid a “boil the ocean” approach to DLP. Instead, they’ve begun limiting the scope of deployments with a better understanding of their DLP goals in terms of time, money, people and other resource requirements.
There are two sides to the concept of DLP as a defense. The first is blocking external actors from using hacking and malware to steal intellectual property (IP) and confidential data. The second is using DLP to reduce the rate of data loss incidents through prevention policies.
DLP as a defense requires technology as advanced as the threats facing organizations today. A web gateway with traditional (i.e., outdated) defenses—such as anti-virus and URL filtering—is ineffective against targeted attacks and modern malware. Relying solely on such technology would defeat any DLP project. And when you consider that 95 percent of nation-state affiliated espionage relied on email phishing in some way, it becomes clear that both web and email gateways are avenues for data theft, and few today have adequate containment defenses or data security controls.
If DLP is already available in your existing web or email security appliance, then actually implementing DLP can be remarkably simple…especially when it is designed to train users to actually think before they upload company data to Dropbox. It’s remarkable how quickly user behavior changes once they understand that uploads to Dropbox or Gmail are monitored, or that company data copied onto removable storage devices needs to be encrypted. Changes happen especially quickly when employees know a notification email is dropped into their manager’s inbox. In fact, you can go from zero to hero by implementing a DLP policy focused on data sets - whether they are customer lists, product launch marketing documents, industrial designs or source code - that are critical to the success of your business. This underscores the business impact of implementing a user-centric DLP policy.