The Issues in Data Loss Prevention
The main objective of data loss prevention, or data leak prevention, is to ensure that users don’t send sensitive or critical information to persons outside the network. The term is also commonly used to refer to the administrative control software products [DLP] which help in keeping tabs on what users can send. Insider threats and rigorous state privacy laws are the usual driving forces which make the implementation of data leak prevention systems unavoidable, for business entities in particular. The software uses business rules to decide which information being transmitted to outsiders is confidential, and it tags confidential and critical information. The tools also help to protect ‘data at rest’.
Issues Relating to Data Loss Prevention
Despite reliable data loss prevention [DLP] software being implemented and used religiously, there are many instances of data loss, and the sheer magnitude of these leaks can be mind-boggling. Many of these losses to an enterprise don’t get reported or highlighted. The following issues need to be dealt with for a DLP implementation to have significant success.
- The Risk Management or Financial departments or divisions of a corporate entity trigger the implementation of the DLP with the approval of top management. The Information Technology [IT] department or division drives the technology rollout. Senior personnel mostly believe that it is just a matter of plugging in the software and the problems go away. That is not so, since DLP is not about managing data but about managing compliance. The issue is how much involvement there is in the initiative by personnel from Human Resources, Marketing and other divisions and departments. These departments or divisions must actually be the ones laying down the business rules, since it is their data which is being protected. A low level of involvement will lead to a poor quality of implementation.
- More DLP may be getting bought than is required in the real-world scenario. Many of the components don’t get deployed even within a two or three year time frame. All the big investments become wasted resources once there is a data leak or loss. It has also been noticed that DLP is, more often than not, used just to monitor the mistakes committed by employees or their misbehavior, and not to block leakages. This may be occurring because the cost of supporting blocking can be too high or the traffic in the network is too heavy.
- It is really difficult for a DLP to filter for content when it's encrypted in a way the DLP system doesn't know how to decrypt, and it can't make sense of content sent as CAD diagrams, graphics, pictures or other non-text-based media. There's not a lot of multi-lingual support. Moreover, it is very difficult to formulate business rules for certain sensitive data like intellectual property, which is really a management issue.
- Merely investing significant money in data loss prevention is not sufficient. The management of organizations must also be more aware of the need to act before the data is lost or stolen, and an intense effort must be made to understand the true implications in detail. Preventive action can start off with steps like encrypting data or controlling mobile plug and play devices.
- The real cost is the risk of reputational damage, following a data loss. The media visibility and the accompanying hype of such loss or leakage incidents cannot be controlled. Organizations can suffer damage even where they prove the data breach was not caused by a fault of their own, but a result of malicious activity. Hacking and website attacks remain a greater source of data breaches than either accidental loss or 'insider' breaches. However, the public and stakeholders, especially investors, are unlikely to offer much sympathy in either case.
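The content-inspection limit described in the list above (a DLP cannot read what it cannot decrypt or parse as text) is shown in the following added example, which is not part of the original article. The rule names, patterns, entropy threshold and sample payloads are assumptions made for illustration; the point is that such traffic should be reported as uninspectable rather than passed as clean.

```python
import hashlib
import math
import re
from collections import Counter

# Hypothetical business rules (assumed for this example): name -> pattern.
RULES = {
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "confidential_tag": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}
ENTROPY_LIMIT = 7.0   # bits per byte; assumed cut-off for "looks encrypted"
MIN_SAMPLE = 1024     # byte entropy is unreliable on short payloads

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0 to 8)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def inspect(payload: bytes) -> tuple[str, list[str]]:
    """Return (verdict, details); verdict is 'block', 'allow' or 'uninspectable'."""
    if len(payload) >= MIN_SAMPLE and shannon_entropy(payload) > ENTROPY_LIMIT:
        return "uninspectable", ["high entropy: encrypted or compressed"]
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return "uninspectable", ["not text: image, CAD or other binary media"]
    hits = [name for name, rule in RULES.items() if rule.search(text)]
    return ("block" if hits else "allow"), hits

def toy_encrypt(data: bytes) -> bytes:
    """Constructed stand-in for real encryption: XOR with a SHA-256 keystream."""
    stream = b"".join(hashlib.sha256(b"demo-key%d" % i).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample payloads.
RECORDS = b"CONFIDENTIAL customer record, card 4111 1111 1111 1111\n" * 80
SAMPLES = {
    "plaintext export": RECORDS,
    "same export, encrypted": toy_encrypt(RECORDS),
    "picture": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "harmless note": b"Lunch at noon?",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, "->", inspect(payload))
```

Only the plaintext export trips the business rules; the same records after encryption, and the picture, come back as uninspectable, which is the verdict to log and review.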
In all probability, as long as companies and governments believe it is cheaper to collect information than not to collect it, they will keep collecting it. As long as data is collected, there will be people who will lose it, or be willing to break the law to obtain it. Hence, the places where that information is collected will continue to be a target for attackers.