COLUMN: Define, Educate, Prevent

Sadik Al-Abdulla | May 19, 2011
Avoiding data loss is easier than you may think.

FRAMINGHAM, MA, USA, MAY 18, 2011—Most organisations believe they aren't in danger of losing data, but as recent news demonstrates, the threat is real and no organisation is immune.

In a recent CDW report on threat prevention, data loss emerged as the No. 1 cybersecurity challenge faced by medium and large businesses. Fully 37 percent of IT security decision makers surveyed for the report cited data loss as "the next big security threat" their organisations face, naming it a bigger threat than viruses, worms, malicious attacks and botnets.

Just envisioning the potential consequences of data loss is enough to keep executives up at night. Data loss of any kind can damage an organisation in countless ways. From a simple hard-cost standpoint (forensics, notification, credit protection, etc.), data loss is expensive, costing an estimated average of US$200 per record breached, or an average of US$6.8 million per total breach, according to a recent Ponemon Institute survey.

The true cost, however, is much harder to measure when considering factors such as lost competitive advantage, loss of revenue, litigation and company reputation.

The first step to prevent data loss is to accept that data loss is a real problem. Truly solving the problem can be boiled down to three simple concepts: define/baseline, educate and enforce.

Define Data and Create a Baseline
This is not the typical, monstrously large (and perpetually doomed-to-failure) information classification project that so many IT organisations have undertaken and then abandoned. The key to success is to draw a distinction between confidential information (e.g. Social Security numbers) and confidential documents (such as a file containing Social Security numbers).

In today's IT world, nearly everyone is an information worker. In the course of business, people make copies of files, create reports, post them to SharePoint sites, etc. Trying to categorise information at the document level is typically prohibitively difficult because these documents are rapidly moving targets.

That said, the definition of "confidential" is usually straightforward. The simple data points that allow for fraudulent monetisation of data (first and last name, address, Social Security number, credit card number, driver's licence number, banking information, etc.), as well as data protected by regulation (e.g. HIPAA), are the minimum any organisation should protect.

But every organisation also has business-critical data. Examples include the trading algorithm that was almost stolen from a well-known investment banking firm, the next quarter's sales pipeline for a reseller, pre-product-launch research data for a biomed firm or the source code for a product at a software company.

Your next step should be to define what "business critical confidential" means to your organisation. In the simplest terms, that definition should be measured against three standards:

1) Would the loss of this information materially affect revenue and profitability?

2) Would your organisation's leadership want to be informed of a leak?

3) Would your organisation's leadership take action if informed of a leak?

In some ways, these are three separate questions driving to the same concept, but in a practical sense, applying all three questions enables organisations to cut through noise and churn, to focus on the true heart of "business critical confidential."

Once this definition is established, the second step is to measure the business against that definition, to gain clarity regarding the real risks. The areas of greatest concern do not necessarily overlap the areas of greatest exposure. In many cases, the single greatest exposure existing in an organisation can be easily remedied by altering a single business process. The areas of greater concern are the ones that are harder to control.

Educate Your Organisation and Address Problems
"Information security policy"—have the shivers yet? A tremendous amount of research and effort goes into crafting an organisation's information security policy. There are legal and liability reasons for much of what a typical information security policy covers. Unfortunately, in a practical sense, dozens (or hundreds) of pages covering a large amount of ground do not assist the typical information worker in making daily judgment calls on how to use and store confidential information.

Once the definition of "confidential" is determined and the use of confidential information has been measured, the next step is to use that insight to author a practical and concise policy. Your goal should be to keep the policy under a half-page in length, and to use it to define, in a stereotypical "30-second elevator conversation," what data is confidential and how it should be used.

Following the creation of that policy, three actions should be taken:

1) Resolve process issues that violate the policy and cause ongoing incidents.

2) Educate users on the policy.

3) Provide ongoing, real-time notification to users.

As early adopters in the industry take on data loss prevention projects, there are many indications that clear, concise communication, coupled with education, can reduce data loss incidents by more than 90 percent.

Prevent Data Loss From Occurring
If process change, user education and real-time notification can reduce risk by 90 percent, technological enforcement can narrow the remaining 10 percent. The real key, however, is to make security an ongoing priority. Invest wisely and consistently in security technology that is tailored to manage the specific risks your organisation is likely to face.

One way to do this is to dedicate an internal or external resource to monitor and manage security issues, making sure that this resource reports to the appropriate stakeholders. This strategy allows you to monitor security risks in real time, keeping the organisation informed and involved in the security of your data.

Data loss is a threat that will continue to weigh heavily on the minds of IT executives everywhere, but there are tested and proven ways to safeguard your organisation. By defining your data, educating your staff and taking proactive measures to prevent data loss, you will be able to dramatically mitigate your risk of falling victim to this common security threat.

Sadik Al-Abdulla is Senior Manager of the Security Practice at CDW Corp.

