What is Data Loss Prevention?
It sure seems like these “laptop” things aren’t a fad. Put simply, you are keeping immense volumes of data on your organization’s computers. This data includes intellectual property, financial documentation, training material, and sensitive customer information (yes, even if you have a policy that says this can’t happen). If this information were to suddenly disappear, so would your business. Data Loss Prevention is the practice of putting preventive and emergency measures in place to protect your data. You do this by both by preventing data from going missing in the first place and by being able to recover it when it does.
How do I create an effective data loss prevention program?
To begin, you need to identify your most important data and the devices where it’s stored. It’s important to be ruthless when defining priority, including only data and systems that are necessary to operate your business. Including non-essential data can contribute to wasted time and money in an emergency situation as you try to get your business back up and running.
Once you know what data needs to be protected, you will want to define policies to ensure you and others in your organization act consistently to preserve critical data.,Then, you can move on to technical controls to improve the security of your network and devices, and perhaps most crucially, deploy in a solution to back up and recover your data when it is lost.
What types of data and devices do I need to protect?
Intellectual property is anything your business creates and owns. For example, if you are a software developer, your source code is extremely valuable intellectual property. There are many kinds of data that can fall under the classification of intellectual property: pitch decks, training materials, competitor profiles, algorithms/formula, and any other content generated by your business. IP is the most important classification to protect as part of your DLP strategy. It’s all the stuff that your business has invested time and money in creating.
Business data differs from intellectual property in that it is information you collect rather than create. This may include financial information, logistics information, diagnostic reports, and more. This class of data can be devastating to lose, is often important for audits and/or regulatory compliance and it would be difficult (or impossible) to rebuild from scratch. so it’s important to include it in your DLP plan.
Customer data is information that has been placed into systems you control which is owned by your customers. This can include information about your customers which helps you run your business (Eg. contact information, billing/payment card information, or birthdate). Additionally, depending on the product/service your business provides, this data type can also include customer generated information stored within your systems themselves. An example of this second type of data would be photo or video files uploaded by customers of a social media application.
Customer data is among the most sensitive data a business regularly handles because even though you have access to it, you don’t own it and are responsible for its maintenance. There are often different levels of compliance in place to ensure this data, especially personally identifiable information (PII), is handled and protected properly. Equally important to regulatory consideration is the fact that your customers are trusting you to keep their data safe. No DLP strategy can be complete without accounting for the protection of customer data.
Any device where a knowledge worker is actively doing work should be protected. Your team creates intellectual property, and those documents, media files and code that your folks create constitute valuable business assets. At the very least, make sure you have a strong policy in place for executive and leadership endpoints. They often contain the most vital information for the organization and risk tolerances must be significantly lower as a result.
Best Practices for data loss prevention
Identify compliance needs
Work with your security team and/or legal counsel to catalog any regulations to which you are subject. Make sure that your solutions (cloud usage, policies, endpoint protection, and internal infrastructure) are compliant with those regulations. Communicate the requirements to relevant individuals within the organization. For instance, if you have users who must interact with PII on a regular basis ensure that they have an understanding and process for interacting with and securing that data. Regulatory compliance is a good place to begin any DLP program because failure in this avenue comes with concrete consequences for your business, such as legal action and/or fines as well as the less quantifiable fallout from loss of customer trust and reputational damage.
Trust but verify
This one is a little squishier than compliance. One of the ways that data can be lost is by it being made more broadly available than your org would prefer (i.e. it gets made public or sent to an unfriendly party outside the organization). There are tools out there that will block sharing or movement of data (often with classification criteria) to particular locations which fall under the umbrella of a “Data Loss Prevention” solution. Employ solutions such as this with great care. There will inevitably be particular types of data which are easily defined, however after things like social security and credit card numbers, those waters get deep fast. In many cases, these solutions will wind up blocking legitimate businesses.
As with anything which presents human beings with a barrier, a particularly restrictive solution will lead to non-compliance. Humans need to get their jobs done. They will find ways to do so through supported or unsupported means. When you are designing your DLP solution, keep this in mind. Build your program with technologies and communication which accommodate human foibles rather than expecting your users to behave perfectly in every situation. An example of this would be to employ a solution to proactively and regularly collect users’ data from the endpoint rather than requiring people to move data to a file share or cloud sync location.
This leads us to our next suggestion.
Follow a 3-2-1 backup strategy
The other way that data can be lost is through destruction. This happens through a variety of means that we have discussed before (natural disaster, human error, hardware failure etc.). To protect your data from loss, invest in a solution to back up copies of your data, use a mixture of media types and have at least one copy offsite. Having a robust backup strategy that includes backing up regularly to multiple locations allows you to recover from any data loss. Make sure your backup solution includes the important types of data identified by your DLP plan across any location where they may be stored.
Implement access controls
A great way to prevent people from accidentally breaking or sharing things is to make sure they don’t have access to things that they shouldn’t be able to break or share. This is one of those things that’s easy in concept but difficult in implementation, however that is the core purpose of access controls. Access controls specify which members of your business and staff are able to access certain types of files, apps, and data. Follow the principle of least privilege with any valuable data that you store – each employee should have access only to the data necessary to do their job. Conduct regular permissions audits on users especially following a role change.
Shore up your cyber resilience
No plan survives first contact with the enemy. The best-laid plans… You get the point.
Put simply, you need to approach your DLP program with the understanding that any number of controls will fail and your data still needs to be protected. There is not a single silver bullet. That’s the core job of building resiliency; building a system that can accommodate for failures while still allowing you to bounce back after taking a hit. Every business benefits from a broad cyber resilience strategy. Train team members to use strong and unique passwords. Leverage a team-wide credential management solution and make sure folks know how to identify phishing emails. Purchase and install a solution for your endpoints that can detect threats such as viruses and malware, and provides threat intelligence and response. Use mobile device management (MDM)software to serve your employees with appropriate tools for their job and prevent them from installing software from other sources.
And lastly, employ a solution to recover your important data in the (hopefully perishingly few) situations where those other controls fail. If you want to know more about this last part, we are certainly happy to help.