Data loss is nothing new and it shows no sign of stopping, with new legislation, new ways of working and new threats piling on top of existing challenges. Anyone with any responsibility for managing data needs to understand the changing risks.
The first step in solving any problem is understanding it. Your data can fall into the wrong hands in many different ways.
The most obvious is deliberate theft. A cyber-hacker or a rogue employee steals sensitive information for their own gain. Or an honest employee is tricked into sending this information, or downloading malware which does it automatically.
Not all data loss is deliberate. A mistaken email from finance to the wrong person could reveal everyone’s salaries and cause internal rifts within the company. In fact, it is this inadvertent data loss which is responsible for 75%+ of all data breaches. The outcome is the same: information falls into the wrong hands and that’s not good for anyone.
New information-bourn threats are also becoming rife, such as the risk posed by hidden meta-data or embedded active content malware. Few employees realise that documents including MS Word and PDFs contain embedded information about revision history, names of reviewers and even information about infrastructure which can be a rich source for phishing or other data leaks, with stories in the media reflecting this on an all too regular basis.
If all this wasn’t enough, dealing with information is getting much harder. The world is changing fast, requiring more open and complex IT and information models. The unstoppable rise of mobile and BYOD, and collaboration and communication tools such as Twitter, Skype or Dropbox, mean data is now routinely shared beyond the firewall as part of everyday working practice.
New legislation: a wakeup call?
More stringent EU rules around the control of personal information will be introduced in 2017. These will come with fines of up to 2% of global turnover or €100,000,000 for those who don't comply. Every EU organisation, as well as any that handles EU citizen data, must be compliant before the new regulations are introduced.
The financial threat is having an effect. A recent Clearswift survey of senior decision makers, responsible for data loss prevention (DLP) within their organisation, highlighted 78% agreed that this new regulation is driving them to look at DLP solutions in order to meet the requirements; and almost all of those that don’t already have a solution are looking to deploy one this year.
You’re not alone, the industry is struggling
If this all sounds new to you, you may find some consolation in the fact you are not alone. Clearswift research highlighted one third of organisations are not fully able to state what critical information their organisation holds and almost half (46%) are not able to state how it is being communicated.
Over half of businesses do not have a comprehensive DLP solution in place, although 52% of businesses do use email filters as a way to protect data. Unfortunately this outdated technology frequently blocks emails that it shouldn’t and misses critical information hidden in document properties or revision history.
Out with the old
The old approach to IT security was about securing the organisational perimeter, but this is insufficient in a collaborative world. Similarly traditional DLP solutions which ‘stop and block’ communication are no longer sufficient as it hinders rather than helps business.
New adaptive information security technologies exist which can remove just the critical information which breaks policy from email or documents – while leaving the rest to continue unhindered.
Advances in Deep Content Inspection means that new information-bourn threats can be removed before they can become a problem. Active content can be removed from incoming documents, while document properties and revision history can be automatically and consistently removed from those leaving.
Where to begin
While it may sound daft, organisations need to understand what their critical information is, where it is being stored, how it is communicated, and between whom (for both good and bad.) Appropriate cost effective solutions can then be deployed to stop critical information from leaking out without stopping the flow of all the other information – which in turn hinders business.
Significant legislation is on the horizon and attacks are becoming more sophisticated. If there is no appropriate solution in place, or strategy to deploy one then you need to begin today. Even if you do have a solution, look at some of the new threats to determine if your solution is adequate.
New solutions can be infrastructure neutral, augmenting existing IT to protect critical information while maintaining a culture of collaboration.
Sourced from Dr Guy Bunker, SVP Products, Clearswift