Define your Data Leakage Prevention (DLP) policies to weigh convenience against caution, and prioritize security when sharing, monitoring and managing information
Data leakage is defined as unintentional or unauthorized transfer of sensitive information to unsanctioned outsiders. In our hyper connected world, it happens all the time and can occur in any organization — sometimes by innocent mistake, sometimes by malicious design. And sometimes, the circumstances surrounding data leakage seem to defy common sense.
For example, in 2017, leading consumer credit reporting agency Equifax experienced a data breach exposing the personal information of 147 million people. A recent class-action lawsuit against the company reveals that Equifax failed spectacularly in regard to basic data leakage protections leading up to the attack.
The company apparently used “admin” for both username and password access to a credit dispute management portal containing swaths of personally identifying information, failed to implement proper patching protocols, and stored sensitive consumer data in plain text. According to U.S. District Court filings, “in addition to keeping sensitive data unencrypted in its own systems, it also failed to encrypt data being transmitted over the internet … and when Equifax did encrypt data, it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
While this data leakage example is particularly egregious (and expensive, having already cost the company $650 million), it’s by no means the only such case. And that’s why Data Leakage Prevention (DLP) policies for every organization are essential.
Some of the most common causes of data leakage are also the most obvious: weak passwords, misaddressed email, and misconfigured internal systems. The enterprise mobility movement has sparked a surge in cloud utilization, geographically dispersed teams, and Bring-Your-Own-Device (BYOD) operational models. This affords modern businesses a host of efficiency advantages and a great deal of flexibility. But it also means that a lot more potentially sensitive information is being shared and accessed among a growing assortment of personally owned and managed end point devices, which extends and complicates the data leakage threat landscape.
DLP policies provide organizations with a basic framework for managing this landscape and adapting to evolving data security best practices, while still capturing the benefits of enterprise mobility. Here are five DLP policy principles upon which to build a solid security strategy:
To prevent data leakage, organizations have to decide how they’re going to go about sharing data, and then monitor and manage that exchange. They have to weigh convenience against caution and prioritize data security, determine who is authorized to send and receive sensitive data, and what can or should be sent or copied.
Much of this information can then form the basis of a technical DLP configuration schema for deploying any number of enterprise tools that automatically implement rules for monitoring and protecting sensitive data. Even so, those rules must first be defined to be enforced.
There is probably no way to completely secure data in the modern world, but there are plenty of sound ways to reduce the risk of data leakage — and a basic organizational DLP policy is one of them.