If you would like to read the other parts in this article series please go to:
- Developing and Assessing your DLP Strategy (Part 1)
- Developing and Assessing your DLP Strategy (Part 2)
- Developing and Assessing your DLP Strategy (Part 3)
Introduction
For the past several weeks, we’ve been tackling the subject of developing a data loss and data leakage prevention strategy to protect your data that is sensitive, confidential or falls under regulatory privacy protection mandates. In Part 1 of this multi-article series, we provided a high level overview of what DLP is, some of the possible consequences of data loss or leakage, and the essential elements of an effective DLP strategy. In Part 2, we started to delve more deeply into the intricacies of DLP, characteristics of good DLP software solutions, discussing two of four important elements: policies and programs. In Part 3, we moved on to address DLP best practices.
People: the human factor
The success or failure of any security measure is dependent in large part on people. Of course the technological controls matter, but ultimately they cannot be effective without the support of human beings. Data loss and leakage prevention goes beyond the network administrators or security team members or compliance personnel. It requires the buy-in of many outside of the IT department, from the highest levels of management to the lowest levels of clerical personnel – anyone and everyone who creates, accesses, manipulates or otherwise comes into contact with the sensitive data.
That means reaching beyond IT in the very earliest stages of developing your DLP strategy. You’ll want to get representatives from departments such as legal and human resources involved in the planning process, especially when there are compliance issues to deal with. During the initial classification of data phase (and on an on-going basis), you’ll need input from those in each affected department or division who actually work with the data because they are the ones who know best the true sensitivity levels of the various files with which they work.
Responsibility for data loss and leakage
According to a study from the Ponemon Institute called The Human Factor in Data Protection, people are behind some of the top causes of data breaches. The number one cause reported by respondents to their survey was loss of laptops or other mobile devices. Mishandling of data at rest and mishandling of data in motion were also in the top five.
Data leakage frequently occurs not because of malicious insiders (although that does happen) but because of inadvertent mistakes made by those who have legitimate access to the data. The problem is compounded by the fact that employees who expose sensitive data may either not even be aware that they’ve done so, or if they do realize it, many of them will be reluctant to self-report for fear of repercussions. This makes it more difficult for IT to respond promptly and ameliorate the damage.
Establishing clear channels of accountability for data loss and leakage prevention/data governance, awareness training for employees at all levels, and appointment of strong leaders to take charge of the human side of the DLP initiative will go a long way toward reducing the incidence of loss/leakage due to employee negligence or error.
Formal and informal roles
If you’re familiar with the basic concepts surrounding data governance, you probably know that there are formal roles assigned to some of the people who are most directly involved in classifying and overseeing sensitive data. These include data owners, data stewards and the data custodian or manager (who may also have assistants in large organizations).
Data owner is a term that is used differently in different organizations. Some use it to mean any person who creates and/or controls the permissions that are set on a file. This no doubt hearkens back to the days when each computer user created files and stored them on his/her own computer and was solely responsible for granting or blocking access to those files by others. In today’s enterprise environment, many organizations adopt the philosophy that data is not “owned” by individual workers but belongs to the enterprise itself. In this case, the data owner is an assigned role with clearly defined responsibilities for granting accession to a data file, application, database, web site, etc.
Data stewards are generally assigned the responsibility not for individual files, sets of files, applications, etc. but for all of the data within a particular group or department, such as marketing or human resources or accounting. If the organization is large, each department might have a chief data steward with subordinate stewards who oversee the data for smaller groups, such as payroll, receivables, payables, etc. within an accounting department. Data stewards may be responsible for developing and implementing DLP policies or they may give input to the data custodian(s) who have the final authority to create the policies. Data stewards may also be responsible for the classification of the data within their purview.
The data custodian or data manager is the person with the final authority over matters pertaining to governance of the data belonging to the organization, both within the on-premises network and when it is used by mobile or telecommuting employees outside of the corporate network. The data custodian is responsible for ensuring that the data stays safe throughout its entire lifecycle, from creation to storage to transport to archiving to disposal. Data custodians make decisions regarding the processes that are used in dealing with the data, to make sure that technical processes and controls are in place to protect the data, ensure that data management practices are sound and are carried out and that change control is implemented so that any access and modifications to the data can be tracked and audited.
In addition to these formally assigned roles, there will be many others within the organization who are affected by DLP policies and practices and who are expected to adhere to rules and restrictions that are imposed by them. Proper user education is a key factor in accomplishing your DLP objectives.
User education
There is no way technological controls alone can fully protect your data – unless those controls are set to deny all access, by everyone, and take all sensitive data offline and sequester it in a location that is not connected to the Internet or a local network. That is hardly practical, so we make compromises with technological controls and then depend on users to handle data wisely.
User education should include security basics such as the dangers of connecting computers or devices used for work to non-secure networks such as public wi-fi hotspots, basic security for home networks for those who work from home, the necessity of deleting work data from personally-owned devices when no longer working with it, encrypting all work data on personally-owned and company-owned devices, strong password creation and best password practices, safeguarding against use of USB and other removable media, the possibility of shoulder-surfing, need to lock devices and never leave them unattended and so forth.
Mobile devices should be a particular focus of attention because users tend to treat them more casually than “real” computers, even when they store sensitive data on the devices and/or install apps on them that enable access to the corporate network and resources.
Human controls
We’re all aware that security systems, to be effective, need to be multi-layered. We apply security measures at the physical layer, the application layer, at the network perimeter and on the host and directly to the data, and so forth. One of those layers that is often overlooked is the human layer.
Human controls start before employees are even hired, beginning with proper vetting of candidates including criminal history and background check for anyone who will be entrusted with sensitive data. Then access should be granted based on “need to know” and employee/end-user activities should be monitored closely. As discussed above, all employees should be trained in IT security policies and practices.
The Ponemon study referenced above showed that more than half (56%) of the employees who were surveyed spend no time at all on data protection activities and another 25% spend an insignificant amount of time, while only 9% spend a significant amount of time ensuring that sensitive data is protected. This might be viewed as acceptable if the technological controls put in place by IT could be relied upon to provide 100% protection or if the threat of data exposure were extremely low but we know neither of those is the case.
The inconvenient truth is that even when organizations have strong policies in place, end-users often are not in compliance with those policies, especially those that pertain to passwords (that is, they don’t create complex passwords, don’t change their passwords frequently and reuse the same passwords and user names across different accounts). Many connect their personal, unmanaged devices to the corporate network, often without IT’s knowledge, and copy information to USB thumb drives and other removable media for working at home, without encrypting it. Many don’t shut down their computers properly, don’t protect their mobile computer screens from view by shoulder-surfers, and leave their computers and devices unattended.
This indicates that either organizations are not doing a good job of conveying to end-users the importance of data protection and the how-to of implementing it, or end-users cannot be trusted to carry out data protection measures (or both). That brings us back around to technological controls. The more transparent security is to the user, the better – thus applying more technological controls (without frustrating users by making it difficult or impossible to get their work done) should be a priority. It’s a fine tuned balancing act that IT has to perform to keep an effective DLP program operating at maximum efficiency.
Summary
In this four part series of articles, we’ve examined several aspects of why and how your organization should deploy a DLP strategy that will keep sensitive data safe across the network and outside the network, the many benefits of well-planned DLP and the four elements – policies, programs, practices and people – that go into DLP design and implementation. I hope this has at least started you thinking about DLP.
If you would like to be notified when Deb Shinder release the next part in this article series please sign up to our WindowSecurity.com Real Time Article Update.
If you would like to read the other parts in this article series please go to:
