Risk Of Data Loss More Than A Security Problem; It’s A Business Problem

When on-boarding employees, organizations often request personnel to sign a non-disclosure form that states the employee will maintain the confidentiality of sensitive information. That’s probably the last time the subject is discussed, even when the parties separate their employment agreement. How does the organization enforce those agreements and know when data theft or loss is occurring?

This is where data loss prevention (DLP) comes in. Initially, consider DLP as a strategy and answer a few simple questions:

• What do we define as sensitive information?
• How do we track data access, movement and usage?
• In what ways do we restrict access to data?

The traditional security perimeter where business occurs within a facility, using on-premises servers and computing interfaces has been eclipsed by mobile device deployments, cloud computing and a remote workforce. These changes must be considered in the data loss prevention strategy.

When stakeholders can document what the desired outcome is for data loss, such as compliance with data privacy regulations, identifying potential legal issues or formulating intellectual property opportunities, the strategy can evolve to a policy and look into tools that help with tracking data access and usage.

See Related: Healthcare CISO Explores A Recent Outbreak Of Breaches

Industry analyst and advisory firm Gartner tracked the DLP tool and solutions market for many years. It annually produced the Magic Quadrant matrix to identify leaders and challengers within the vendor/supplier ecosystem. In 2017, Gartner produced its last Magic Quadrant for DLP. Simply put, analysts found that market maturity had peaked. Competitive solutions were difficult to distinguish from one another and innovation in functionality had stalled.

Gartner also observed that enterprises remain confused about the solutions. The primary reason for confusion appeared to be the internal organization misunderstanding that purchasing and deploying a DLP solution reduced the need for security personnel. The catch-22 is that DLP rules (such as the classification of different data types deemed sensitive) are established and maintained by humans that are responding to changing business requirements and new data loss threats.

As innovation within DLP tools slowed, developers integrated DLP with other security, risk, and auditing components. Breathing fresh air into DLP, Gartner stated, “By 2021, 90% of organizations will implement at least one form of integrated DLP, an increase from 50%" in 2017.

Organizations should not look to DLP as a “magic bullet” for protecting sensitive information. Workers are changing jobs at a more rapid pace. The types of data classified as sensitive needs to be revisited frequently. The risk of data loss from departing employees is more than security problem; it’s fundamentally a business problem.

Cyber Security Hub will continue the Preventing Enterprise Data Theft From Departing Employees discussion by hosting a webinar on the topic of real-time approaches for detecting and protecting sensitive information. Register for the event to hear real-world perspective from security leaders facing data leakage and strategies for protecting all data.