Data Loss Prevention – What is it? DLP stands for Data Loss Prevention, which is a bit of a misleading moniker as most people quickly conjure up thoughts of data being deleted, and whilst this is critical a term that would better capture the gravity of DLP is Data Leak Prevention.
In today’s economy, data is the most important asset that a company has. Whether it’s intellectual properties, business strategy documents, specific market insights it’s one of the most prized assets of an organization. It’s a little interesting, however, that we don’t treat data the same way we treat money, one of the more visible assets that a company has – though it has the same if not more importance. Two examples – Google vs Uber on trade secrets that Google thought were stolen by the former Google executives. The other example being the NSA and Edward Snowden. Regardless of which side of the argument you sit (regarding mass surveillance), what can be agreed on is that it was not in the NSA’s interests for this information to leak, regardless of the ethics of the decision to leak the information.
Most companies have strict controls on who can approve purchases, recruitment, move money around etc because these decisions have a direct bearing on the bottom line of the company. We don’t have the same type of controls when it comes to internal company data. There’s very little in the way of restricting who accesses data, who can copy data, who can send the data externally, even though this sort of information tends to have longer term bearing on the profitability of a company. The ability to keep company secrets internal and to prevent the market (read; your competition) getting a good idea what you want to do in the longer run constitutes a competitive edge.
Too many times we have cases of employees who leave organizations and take trade secrets with them, customer lists, information on the companies intellectual property, or for software development companies, entire products. For this reason, data needs to be treated the same way financial assets are treated. With controlled access on who can do what with your data.
One caveat is that you can never really fully prevent loss of data, all you can do is make it remarkably difficult for the casual user to distribute it. A huge element of DLP is simply hiring people who you can trust and putting up adequate contractual deterrents for leaks. For instance, Google took their former engineer to court, Edward Snowden had to flee the country. These costs would deter most save for the most determined – the same applies to finances. Companies will lose money, but oft to the more determined individuals.
Worker mobility has created tremendous productivity benefits for companies, but at the same time has created inherent risks when it comes to preventing data loss. For instance – if a team member is using their phone to access company email, they have a copy of company data on that device. They also have a copy of this data on their laptop and this information can be:
- Physically shown to a competitor
- Forwarded to a personal email account etc
- Copied off on a flash drive
What options do companies have?
Virtual Desktop Infrastructure
One technology that manages both requirements for mobility but control is virtual desktop infrastructure. It allows for companies to give their staff members the flexibility needed to work remotely, but at the same time securing multiple endpoints. For instance – you can disable USB sticks and screenshots from this, whilst at the same time ensuring that the worker has access to all the company data they need to be productive in an environment that’s centrally controlled and managed. Should an employee leave, access to the virtual machine will be remotely terminated and the employee will no longer have access to corporate data.
One of the bigger ways that data can leak from companies is email. Many companies don’t bother securing their email platform, as it many times comes off as a headache, but there are multiple tools you can use to secure your email. The primary one being rule based filters. For instance, if ACME corporation competes with XYZ corporation, there probably won’t be too much in the way of communication between the two companies, therefore, only pre-approved people in a certain level of management can send email to those companies. Anyone working in certain departments can be prevented from sending emails to public domains (@gmail.com, @yahoo.com etc), this way you can’t send yourself the email. It’s possible that you could collaborate with someone in another department whose rules allow them to send out the email, but this normally requires vocalizing intent, and leaves an audit trail should anything come up. This is a behavioral disincentive.
Intrusion Prevention Systems
These are devices that are within the corporate network of organizations to prevent unauthorized third parties from accessing internal corporate data (for instance, Target). These can be physical or virtual devices and typically look for loopholes in a company’s IT infrastructure (this is regardless of whether it’s hosted internally or externally, data security is a necessary part of your ICT Policy. Most major IT security vendors have tools that you can use.
So what next? How do you secure your data? You can talk to us, at Node Africa, as we have deployed many of these tools, from our secure email platform to our VDI platform – we can help you ensure that you keep your data away from prying competitors.