Data leakage trends in enterprises and the technologies to detect and prevent it

A leading mobile cellular provider in Israel, with over 3 million subscribers and 6,000 employees, the company operates 360 retail outlets and 30 customer service centers across Israel, and is a public company with shares traded both on two Stock Exchanges.

Naturally, this organization has large amounts of sensitive and company proprietary information held on their corporate network. They realized the importance of protecting this data when a leak resulted in sensitive documents being given to the media. Although the company was not affected financially, their reputation was damaged. Any further incidents of this kind could have resulted in both financial and business losses.

Although Web and email threats continue to present security challenges to businesses, many are also increasingly aware of the damage that malicious and accidental data leaks cause. From customer records to intellectual property, the safeguarding of confidential data is firmly at the top of the boardroom agenda.
The broad-reaching impact that a data leak can have makes this an issue not only for the IT department but also for those who manage strategic risk, whether that’s a small department or an organization for tens of thousands of employees. One of the issues for managers is to understand and promote the fact that data leaks are not fundamentally an IT problem but a human one.

With a marked increase in the volume of data stored electronically and likewise the number of communication channels by which data can be sent, this is not a straightforward matter to solve. It is important for businesses to have insight and protection into where potential leaks are coming from in the light of the far-reaching impact they can have.

What is at Risk?

Businesses are well aware that information is their most valuable asset, and its loss can have major consequences. When news of a data leak spreads it can result in damage to stakeholder confidence, reputation loss and significant financial impact.

In India, legislation also recognizes the seriousness of data leakage as an issue and a 2008 amendment to the IT Act 2002, Section 43 A has led to senior management becoming liable if they are not securing confidential information.

The stakes are very high, yet the true costs of data breaches are often immeasurable and may extend well beyond the obvious short term costs. Whether a breach is accidental or deliberate what matters is that the organization is seen to have failed in its responsibility to care for confidential information—this is making it a matter of strategic concern for senior management or business owners.

Mitigating the risk involves putting a control system in place that incorporates a number of factors—processes, education and technology. While most organizations have Web and email security of some level in place, few acknowledge or plan for an internal leak.

How Can Data Loss Happen?

Company employees have the widest access to the organizations networks and data storage and so, quite naturally, their potential for damage is high if not higher than for in the case of external threats.
Although many businesses are well aware of the external threats to their data and protecting against these, organizations are increasingly becoming victims of high-profile leaks that can start with a simple click of the ‘print button’, a seemingly innocuous email or the loss of a USB key.

Mostly unknowingly caused or perpetrated, internal data leaks primarily happen simply due to human error or a lack of awareness to policies. Today’s fast-paced business world has created a need to have quick access to information, collaboration platforms and ease of decision making leading to organizations providing employees with many different means of accessing communication channels and the Internet. Employees can send data via email, or perhaps use instant messaging and information sharing Web sites. They also use these different methods to access enterprise networks and information systems. Employees may not have mala-fide intentions, but if businesses don’t take the necessary security precautions in hand then each point at which they access or transfer information can present an opportunity for data to be obtained and maliciously used by others.

In this scenario, it becomes more important than ever before to educate employees about the security of data and also to put the necessary solutions in place to prevent possible leakages.
Employees unwittingly follow many habits and practices that are putting their organizations at risk and the IT departments are often completely unaware of this risky behaviour due to a lack of insight into data movement both in and out of the business.

What Businesses Need to Do

With a combination of the right security policies and sophisticated technology tools – called data leak prevention (DLP) - in place alongside the education of employees, companies can safeguard their most valuable assets.

DLP enables any organization to understand where confidential data is stored, has the ability to control how sensitive data can leave an organisation and under what circumstances. Though encryption alone does not address policy or business process to define where sensitive data is stored, organizations should employ a multi-level approach to their data security using DLP to mitigate risk and then encrypting data that is allowed to be sent out to remote devices.

Any business can take a proactive approach to intelligently identify, manage, monitor and secure data by implementing this technology. Unlike threat-based blocking such as traditional firewalls, data loss prevention solutions are designed to examine the content of the material being sent to determine if it is in violation of a policy or a danger to corporate security - or in some cases, regulatory compliance. For example, if an employee working for a bank were to copy and paste details of a customer into Webmail, the DLP solution could block the action and instantly alert a manager or the IT team, effectively preventing the data from leaking out. Similarly, if an employee tried to load a database of confidential customer records on to a laptop, DLP technology is intelligent enough to know whether this is permissible or not. If not, the technology would prevent the data from being uploaded to a remote device. DLP technology can also accurately manage not just access to sensitive data, but how and where the employee can transmit information. In essence, the technology protects data at rest, in use and in motion.

These measures not only help mitigate data loss, but if a breach were to occur, it can be forensically investigated. DLP technology provides a heightened level of visibility over information flow in an organisation which enables both the auditing process, as well as compliance with corporate governance, regulatory bodies and government legislation.

Now, with the potential damage to reputation increasingly front of mind at Board level, the importance of assessing the impact of data loss across a business and coordinating investment to tackle it is bigger than ever.

—By:Surendra Singh, Regional Director — SAARC, Websense.