Data Leak Prevention (DLP) is something that all organisations should be taking seriously. It covers the prevention of data leaving your company by means of various methods. It is, however, an imperfect and difficult approach to take, given the number of ways that data can leave the company – on both a digital and physical level. This article is going to deal with the digital side of things, talking about email, hosted file services, and flash disks.
What are you protecting?
Key to knowing just how secure you’re going to be is looking into what it is exactly that you are protecting. Taking a risk-based approach to the data you are processing (looking at the impact and likelihood of it leaking, and at its sensitivity) will give you an indication of just how much risk appetite you have. If the information you are looking after is of lesser value and not much can be done with it, you can have a much more open and lenient strategy. If, however, you are processing sensitive information such as medical records, religious beliefs, sexuality, or other such deeply personal information, you need to take a much stricter approach.
What to block?
There are many, many ways for information to leave the organisation, and I can guarantee that you (and I) have not thought of all of them. Online services and ways to transfer information keep growing and growing, so an ongoing approach and regular reviews of your prevention methodologies are very important.
The most common means, in my opinion, of information leaving an organisation has to be email. It is incredibly easy to attach a document to a mail and send it out. The sheer volume of email transactions in a company means that it is highly likely that a reactive stance is being taken to leak prevention. An easy way to correct this is to implement a service such as Mimecast, which actively scans all mails in and out of your company, using some excellent methods of detection – such as image recognition to see when a credit card has been photographed or scanned as an attachment.
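As an added example (not code from the article or from Mimecast), the outbound-mail content inspection described above in miniature: a text-based check rather than image recognition, it finds card-number-shaped digit runs in the subject, body and extracted attachment text, confirms them with the Luhn check so that order references are not flagged, masks what it logs, and blocks the message. The message model and the sample mails are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
# A 13-19 digit run, optionally split by spaces or dashes, that is not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn mod-10 check: double every second digit from the right, subtracting 9 when that exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return digit strings in text that are shaped like card numbers and pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A run of one repeated digit (e.g. all zeros) passes Luhn but is a placeholder, not a card.
        if len(set(digits)) > 1 and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan):
    """Keep only the last four digits so the DLP log itself does not become a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]

@dataclass
class OutboundMail:  # hypothetical message model; attachments map filename -> already-extracted text
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)

def inspect_mail(mail):
    """Scan subject, body and attachment text; block the mail if any card number is found."""
    findings = {}
    parts = {"subject": mail.subject, "body": mail.body, **mail.attachments}
    for name, text in parts.items():
        pans = find_pans(text)
        if pans:
            findings[name] = [mask(p) for p in pans]
    return {"action": "block" if findings else "allow", "findings": findings}

# Constructed sample mails (not real traffic): an order reference that fails Luhn, and a valid card number.
CLEAN = OutboundMail("Order 1234567890123456", "Invoice attached, ref 1234567890123456.", {"invoice.txt": "Total: 120.00"})
LEAKY = OutboundMail("card details", "My card: 4111 1111 1111 1111, exp 12/29", {"scan.txt": "OCR: 4111-1111-1111-1111"})
if __name__ == "__main__":
    print({m.subject: inspect_mail(m) for m in (CLEAN, LEAKY)})
```

The Luhn step is what keeps false positives down: a 16-digit order or reference number that fails the checksum is left alone, while a genuine card number in the body or in OCR text from a scanned attachment is caught.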
The above is great for corporate email, but bypassing a service that is linked to your corporate mail simply requires opening a personal email service such as GMail or Outlook.com. These work out of a browser and are not subject to the company’s monitoring or control. This is where, as a company, you need to decide what your risk factor is. If it is high, you may consider blocking access to these external services one by one; however, this would likely have an impact on staff morale, particularly if you haven’t been strict on it before.
Another way that data is leaked from companies is by means of online file services, such as Dropbox, OneDrive, and Google Drive. Given that many companies use different services, it becomes incredibly difficult to block these. I am very much in favour of Microsoft’s offering in this space, OneDrive, as a company is able to use ‘OneDrive for Business’. This effectively offers the same functionality while avoiding staff using personal storage. The data, in this case, stays inside your company and under your control. Having data in staff’s personal storage is something that should keep you up at night, and you should actively look to avoid this happening, both in process and in policy.
Other file services such as WeTransfer can also be used as a temporary point-to-point transfer. These can be fairly easily blocked at the router level, either by blocking uploads of a certain size and protocol, or by blocking the sites individually. Both methods have their pros and cons but can be highly effective.
Flash Disks and USB Devices
Another incredibly high-risk culprit is flash disks and USB devices. If it is imperative that your company uses these, at the very least have them encrypted as a rule. If there is company data on a flash disk and it goes ‘missing’, you’ve effectively had a data breach. And let’s face it, losing a flash disk is a very easy thing to do!
If you don’t absolutely need flash disks, rather take a leaf out of ISO27001 and disable USB access for all staff except those that absolutely need it. This blocks people from using flash disks entirely, and removes the risk of data being exfiltrated (a security geek way of saying ‘leaked’) by means of USB storage. Strangely enough, on paper people often object to this method; in practice, however, it is often quite easily received. Generally the only folks that complain about this in a company are those that are using USB storage for things they shouldn’t be using it for (such as transferring music, movies and games).
How far do you go?
This is really up to you as a company and your risk appetite. For any data protection compliance you need to document your decisions and stick with them – along with justification. If you have incredibly sensitive data, you may want to lock down your network. This does come at a cost though, as certain activities take longer and have more red tape to complete. You have to see whether the juice is worth the squeeze on this. The more restrictive you get, the more difficult it becomes to complete day-to-day tasks.
The other side of the coin on this one is staff morale. People enjoy autonomy and being trusted; when you take those away (or are even perceived to no longer be trusting your staff), you are likely to be dealing with a morale issue. Draconian policies breed discontent, which can have its own set of very real issues. Disgruntled employees are unlikely to take your policies seriously or to back them up in times of need.
Because of the above, it is vitally important to take a considered and measured approach coupled with carefully communicated reasons as to why you are doing things. Knee-jerk reactions to data protection can often cause more problems. As we say in Systems Thinking, “faster is often slower”. Should you need a second pair of eyes for your strategy, or advice on how to implement these policies and restrictions, reach out for a coffee and a meeting. I’d be happy to assist in your compliance and DLP efforts; my network and I bring a wealth of implementation knowledge from numerous clients and industries.