DLP, Prevention is Better than a Cure

Date: Wednesday, October 06, 2010

Data loss occurs every day through corporate email. In fact, given the sheer number of emails an organization sends every day, data loss incidents via email are bound to happen easily and frequently. Common email mistakes include auto-filling the wrong email address, attaching a different file than the one intended, or sending out sensitive data that really shouldn’t be emailed.

Anyone within an organization could potentially cause a data breach, at any time and in a matter of seconds. What’s even more worrying is that employees may not actually realize what they’ve done until after the email has been sent. Unfortunately, it sometimes takes only one such incident to damage a business’s reputation and result in loss of customers.

Protecting People against Their Mistakes

A CSO from a large organization recently confessed to me that a substantial part of his time is spent trying to protect users from their own mistakes. This was no surprise to me. When it comes to securing a key business tool such as email, companies should think about educating employees even before deploying any technological safety net.

Our research found that about 90 percent of data loss incidents are unintentional errors, with no malicious intent. Most of the time, such incidents happen quite innocuously and result from very simple actions, such as an employee sending a file to their personal Web mail account so they can work on the document from home. Although the employee has good intentions, such practice is often against corporate policy and could turn into a data breach for the company. Since the majority of data loss is caused by employees’ simple mistakes, why not give them more responsibility to help avoid future leaks?

So, how can businesses efficiently prevent data incidents from happening? Involving individual employees in the corporate security process is the only viable approach to avoiding data loss incidents. It is also the only way to turn a DLP solution into a truly preventative tool, as opposed to a reactive one. For businesses, proactively educating users about the potential security issues that can arise from seemingly innocuous actions, like sending an email, and reinforcing their overall DLP awareness will provide the first and ultimate shield against data breaches.

Let’s take a closer look at this user-focused approach to DLP and how it could work.

Taking Control

First of all, to increase user awareness, an effective DLP solution will alert the user before they can send a suspicious email that may cause a loss incident.

Let’s take the scenario of an employee who has composed an email, addressed it, and clicked on the ‘send’ button. A useful DLP solution should analyse the body of the email and its attachments against a set of pre-defined characteristics to identify potentially sensitive data. This could include, for example, certain key words in the email body text such as ‘financial’, ‘report’, ‘specifications’, ‘confidential’, and so on. In addition, file types such as spreadsheets or presentations with financial data, confidential records, or even some strategic material may need to be carefully scrutinized.

Once the DLP solution detects a potential breach based on this analysis, it will override the ‘send’ instruction and present the user with a pop-up alert to inform them of the potential data loss and ask how they wish to proceed. The user will have to decide whether they: a) want to send the email and its attachment(s) as they are; or b) realise that they have made a mistake and correct the body text or remove the suspicious attachment(s). There should also be the option for the user to leave a brief explanation as to why they overrode the DLP solution’s alert.

Decision Points

But what happens if, after seeing the pop-up alert, the employee decides to send the email anyway, resulting in data loss? The DLP solution keeps records of all of the user’s actions, of the fact that he or she was alerted, and of any justification they provided, giving an audit trail for subsequent analysis and review. This establishes a clear chain of events when reviewing the data-loss incident, which will come in very handy for internal review and external compliance purposes.
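As an added example (not code from the article or from any product it describes), here is the pre-send check, user decision and audit trail described in the two sections above, in Python. The keyword list, the scrutinized file types, the action names and the function names are assumptions made for the illustration.

```python
# Added example: a minimal pre-send DLP check that scans an email body and its
# attachments for keywords and scrutinized file types, applies the user's
# decision at the pop-up, and records everything in an audit trail.
# Keyword list, file types and action names are assumptions, not a product's.
import re
from dataclasses import dataclass

KEYWORDS = ("financial", "report", "specifications", "confidential")
SCRUTINIZED_EXTENSIONS = (".xls", ".xlsx", ".ppt", ".pptx")

@dataclass
class Finding:
    kind: str     # "keyword" (found in body) or "attachment" (scrutinized type)
    detail: str   # the matched keyword or the attachment file name

@dataclass
class AuditEntry:
    sender: str
    recipients: list
    findings: list          # what the scan flagged (empty if nothing)
    action: str             # "sent_clean", "sent_anyway" or "corrected"
    justification: str      # user's optional explanation for an override

AUDIT_LOG = []   # in-memory stand-in for the DLP solution's record store

def scan_email(body, attachments):
    """Compare body text and attachment names against pre-defined characteristics."""
    findings = []
    for kw in KEYWORDS:
        # whole-word, case-insensitive match, so "reports" does not match "report"
        if re.search(r"\b" + re.escape(kw) + r"\b", body, re.IGNORECASE):
            findings.append(Finding("keyword", kw))
    for name in attachments:
        if name.lower().endswith(SCRUTINIZED_EXTENSIONS):
            findings.append(Finding("attachment", name))
    return findings

def on_send(sender, recipients, body, attachments, user_choice, justification=""):
    """Intercept 'send'. If the scan flags nothing the mail goes out; otherwise
    the user's choice at the pop-up ("send" or "correct") decides, and the
    alert, choice and justification are written to the audit trail."""
    findings = scan_email(body, attachments)
    if not findings:
        action = "sent_clean"
    elif user_choice == "send":
        action = "sent_anyway"      # user overrode the alert
    else:
        action = "corrected"        # user went back to fix body/attachments
    entry = AuditEntry(sender, list(recipients), findings, action, justification)
    AUDIT_LOG.append(entry)
    return entry
```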

The system aims to increase the users’ responsibility, to encourage them to review what they plan to send, and help them correct any digressions from the company’s security policy before a data loss incident occurs.

Preventing Loss, Gaining Benefits

To summarize, the benefits of this DLP system fall into two main areas:

First, and most importantly, companies can significantly reduce the number of data loss incidents upon deployment. As employees experience the DLP solution in action, they will learn more about data loss, how it typically occurs and how to avoid it. This encourages adherence to company security policies. Over time, pop-up alerts to users will most likely decrease as users become more conscious and increasingly aware of the types of activity that trigger an alert.

Second, engaging the users in the data-loss prevention process will directly benefit the organization by lifting the burden of day-to-day security management from IT staff. The majority of decisions about whether content can be sent or not are taken by users directly, a sharp contrast to previous-generation DLP solutions that require IT staff to check every email flagged as a potential risk. Eventually, empowering the user enables IT teams to concentrate on more strategic tasks, instead of getting bogged down in email approvals.

When it comes to preventing data loss in the corporate environment, technology alone is not the answer, but it can be used as a safety net. Technology, when combined with educating users to become more aware of the impact of their actions, is the best method for minimizing the overall security risks. After all, the old adage had it right: Prevention truly is better than a cure.