All data is important to a business, but some data is clearly more important — and more valuable. For organizations that handle and need to protect financial data, personally identifiable information such as Social Security numbers, medical information, intellectual property and business secrets, the stakes involved in safeguarding their information assets can be extremely high.
When data somehow seeps out and falls into the wrong hands, businesses don’t just suffer inconvenience, embarrassment and angry customer complaints. Many businesses are now mandated to secure certain types of financial and personal data, and failure to do so can result in major monetary penalties. But even businesses that don’t have to worry about compliance will take a financial hit if data loss occurs.
Fortunately, businesses can help stem the flow of data leaks by incorporating data loss prevention tools into an overall security strategy. These tools rely on identification, monitoring and response technologies to locate and block confidential data from exiting the enterprise — whether done by accident or design.
According to a 2010 annual study by Symantec and the Ponemon Institute, the average organizational cost of a data breach is now $7.2 million, and the average cost per compromised record is $214. Those costs involve regulatory fines, a requirement to pay for ongoing credit monitoring for data loss victims, lost customers and diminished reputation.
Unfortunately, businesses lose data frequently, and most of this loss is self-inflicted. In fact, according to Symantec, about 75 percent of all data loss occurs because well-intentioned insiders don’t understand how to handle confidential data and inadvertently expose sensitive data through careless use of day-to-day tools, such as e-mail, the web and USB drives.
It’s easy to see how the risk of a data breach is now greater than ever. Unlimited access to the Internet coupled with unprecedented mobility and more access to networks have changed the security landscape. Today business faces a wide-open world, in which information can be easily shared and accessed anytime and anywhere by employees, partners, consultants, outsourcers, and others.
What is the No. 1 priority of chief information security officers today? Data security, says Andrew Jaquith, an analyst for Forrester Research. And that’s a major reason why data loss prevention is one of the few budget line items to show steady growth in the largely flat security market.
In a 2010 Forrester survey of 1,031 IT decision-makers in the private sector, 15 percent of respondents said they had already deployed a DLP solution, 12 percent had plans to implement DLP and another 36 percent were interested in doing so.
“Data security trumped disaster recovery, identity and access management and regulatory compliance,” Jaquith wrote of the survey results. “Unlike tangible assets, such as bricks, mortar and wheelbarrows, digital information is fungible, duplicates itself with zero marginal cost and can move in the blink of an eye.”
Over the past decade, enterprises, to their benefit, have increasingly leveraged IT tools, networking and remote-access technologies to significantly improve communications, productivity and mobility. But that has proved a proverbial double-edged sword, as businesses have also inadvertently increased the risks of data loss.
A DLP solution is not a panacea for security challenges, but used in conjunction with other security and risk-management tools and policies, it provides a critical layer of protection. Unlike most tools, which are designed to look at how information is flowing, DLP offers “content-aware” visibility.
“It’s like having someone read every outbound e-mail or document to make sure that nothing inappropriate is being done with a company’s most important data,” says Robert Hamilton, senior product marketing manager at Symantec. “Of course, you’d need an army of people to do that. And so that’s why DLP was invented.”
This capability allows the enterprise to tie the tool directly to its internal security policies. If company policy dictates that Social Security numbers or data related to a specific business initiative need to be safeguarded, for example, a DLP solution can be programmed to analyze content using keywords, text patterns, regular expressions, partial document matching and fingerprinting to identify that type of data.
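As an added illustration (not code from the article or from any DLP vendor), the sketch below shows how such content-aware checks can be combined on one outbound message: a regular expression for Social Security numbers, a card-number pattern confirmed with the Luhn checksum, and partial document matching against fingerprints of a protected document. The function names, the five-word fingerprint window, the 0.3 match threshold and all sample text are assumptions constructed for this example.

```python
import hashlib
import re

# Text patterns: US SSN (AAA-GG-SSSS) and 13-16 digit card-like runs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def shingles(text: str, k: int = 5) -> set:
    """Fingerprint a document as hashes of every k-word window."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 0))}

def scan(message: str, protected: dict, threshold: float = 0.3) -> list:
    """Return policy findings for one outbound message."""
    findings = []
    if SSN_RE.search(message):
        findings.append("ssn")
    for m in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("card")
            break
    msg_fp = shingles(message)
    for name, doc_fp in protected.items():
        # Partial match: share of the protected document found in the message.
        if doc_fp and len(doc_fp & msg_fp) / len(doc_fp) >= threshold:
            findings.append("document:" + name)
    return findings

# Constructed sample data (hypothetical, not from the article).
SECRET = ("Project Falcon pricing will undercut the incumbent by twelve percent "
          "in the third quarter and the launch date is fixed for early October")
PROTECTED = {"falcon-plan": shingles(SECRET)}
LEAK = ("fyi: pricing will undercut the incumbent by twelve percent in the third "
        "quarter and the launch date is still moving. SSN 123-45-6789, "
        "card 4111 1111 1111 1111")
CLEAN = "Lunch at noon? My extension is 555-0134 and the order number is 1234567890123."
```

The Luhn step is what keeps an ordinary 13-digit order number from being flagged as a card, and the fingerprint comparison catches a pasted excerpt even though the message contains no keyword from the policy.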
The number of DLP solutions on the market has been rising steadily over the past few years, and there is plenty of variation. However, DLP generally comprises three broad categories:
John Yun, a senior product marketing manager for Websense, one of the leading DLP manufacturers, says that businesses can buy “a little DLP,” meaning they can opt for a specific-channel solution that focuses on, say, e-mail or the web (sometimes referred to as DLP lite) or a full-blown comprehensive solution that covers all broad categories.
Deciding which solution is right for a business depends on these factors:
Depending on the coverage required and the number of employees involved, a DLP solution can represent a hefty investment, Yun notes. However, he adds, smaller businesses or those concerned about the cost can wade into the market slowly by starting with a channel-specific solution.
However, he says, companies should make sure they invest in a solution that is extendible: one that allows, if necessary, the addition of channel-specific modules or a move to a full-blown enterprise solution.
Conversely, choosing a full-strength DLP solution has its advantages. An organizationwide view of all data enables continuity of policy enforcement across the entire DLP effort, for example.
And because these types of solutions can integrate content discovery on the network (such as identifying organization-controlled credit card numbers or files containing sensitive data stored in the wrong location) with scanning of outbound traffic (typically combined with an outbound web proxy), it’s a lot less likely that any data will seep out undetected.