“DLP, Data Loss Prevention, or Data Leakage Protection, can be quite overwhelming for many businesses. Do we want our latest financial numbers leaked out to the competition? Probably not. What about those confidential salary numbers for bonus calculations? No. What about the customer list that we’ve built up over the years? No again. What about that proposal that contains our competitive advantage? I’m guessing another no.
The DLP discussion usually starts by using FUD factors (Fear, Uncertainty and Doubt) to court organizations into listening to a “pitch” on all the ways to secure the intentional or accidental leakage of information. However, my approach to DLP is to take the same approach a homeowner would to evaluate protection strategies for their house. If you live in a modest 2-story home in a nice suburb, perhaps retinal scanners, bars on the windows and triple padlocks for the doors wouldn’t necessarily be required. Sure, they would reduce the risk, but as you increase the investment you start to see diminishing returns. If you spent $10 000 to secure your house vs. $100, how much “extra” security are you really buying?
DLP requirements and technology deployment should be approached with a similar pragmatic cost vs. risk evaluation. Where are the majority of data leakages happening? In most business environments today, “leaks” most likely occur through email and instant messaging from a communications protocol standpoint, and through USB keys and laptops from a hardware perspective. Sure, any savvy person within your environment could tunnel through SSH or scream past your content filters using SSL, but let’s deal with the highest risk items first and then work backwards with a final goal in mind.
The first, and often most difficult, step is to evaluate and classify your data. What data is actually confidential? Even some of the world’s largest organizations only use 3 basic categories to classify their information. For example, the US Government uses Confidential, Secret, and Top Secret. O.K., your collection of Dilbert cartoons most likely won’t fall into any of those 3 categories, but what about Confidential, Restricted, General? Once you’ve simplified your classification scheme and defined who / what should have access to those categories, you can focus on locking down the most susceptible mediums: email, thumb drives and laptops. With the right technology, policies, and end user training you can take a significant and cost-effective step towards reducing data leakage risk and establishing a successful DLP implementation.”
To learn more about IT Security, DLP, PCI and Privacy Compliance strategies as well as technology options, come and listen to Eugene Ng (VP of Technical Services for NCI) and several other IT Security and Privacy experts at one of our upcoming events (Please note, pre-registration is required as seating is limited):
PCI and Privacy Compliance: through the Data Lens
Strategies for DLP, securing virtualized environments, and data analysis. Living Arts Centre, Mississauga, Wednesday, April 14, 9 a.m. to 2:30 p.m.
SWO IT Security Summit: Surveying the IT Security Landscape.
Museum London in London, Ontario, Wednesday, April 21, 9:30 a.m. to 2:30 p.m.
For more information and to register on-line please visit www.nci.ca.
About Eugene Ng
Eugene Ng, VP of Technical Services at NCI, is a senior IT professional with extensive experience, who has successfully completed major security, education and network consulting assignments for the provincial government, federal government, municipal governments, large utilities and health care organizations. He is a hands-on Security Specialist with in-depth technology training and a broad range of certifications.
NCI is Canada’s premier provider of IT Security consulting, products and solutions with offices in Mississauga, London, and Montréal. Our specialty is security. Our focus is service. For more information, visit www.nci.ca.