Frank Schlottke: 10 Golden Rules of Data Loss Prevention
April 2008 by Frank Schlottke
Frank Schlottke at Applied Security provides 10 tips to avoid embarrassing and potentially damaging data loss.
Losing company data, whether at the hands of a hacker or by accident, is highly embarrassing. And if that data contains sensitive information such as customers’ personal details, legal action and media coverage can lead to financial loss and irreversible reputational damage. But it doesn’t have to be that way. Here are ten rules that will dramatically reduce your risks:
1. Identify data that needs protecting
Data classification is vital. For example, management data may include sales figures, strategies and contracts, while HR holds employee records including bank account details; and R&D stores crucial design information and intellectual property. Prioritise data from most to least important.
2. Know the threats
Identify who has potential access to confidential information – from employees to partners and outsiders. And be aware that while firewalls can protect against hackers, a second line of defence is needed to be safe.
3. Don’t be overconfident
If you think you are untouchable, think again. With so many highly regarded organisations from Marks & Spencer to HMRC losing data, expect the unexpected and learn from others’ mistakes.
4. Identify data channels and how to protect them
Most sensitive data, like personnel records and strategy documents, originates from a PC or laptop and is stored on hard disks, file servers, USB drives or CDs. So it is more efficient to protect the data itself using encryption, rather than the device or channel it passes through.
5. Define central policy management
Grant access rights to data on a ‘need-to-know’ basis, ensuring that even IT administrators can only see files that they are authorised to see. Don’t forget that access rights may need to be taken away or amended if an employee leaves or changes roles.
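The need-to-know rule above can be enforced mechanically: a file is readable only by the roles explicitly listed for it, no job title (not even "it-admin") carries implicit rights, and because rights hang off the role, a change of role or an offboarding revokes access at the same moment. The following is an added example written for this page; it is not code from the article or from Applied Security, and the users, roles and file names in it are constructed. Every check is also recorded, so refused attempts can be reviewed afterwards.

```go
package main

import "fmt"

// Role is a job function; it is the only thing that ties a user to access rights.
type Role string

// Decision records the outcome of every access check, so denied attempts can be reviewed.
type Decision struct {
	User, File string
	Allowed    bool
}

// ACL is a need-to-know access list: a file is readable only by roles explicitly
// listed for it. No role (not even "it-admin") carries implicit access to anything.
type ACL struct {
	roles     map[string]Role          // user -> current role; absent means no role at all
	readers   map[string]map[Role]bool // file -> roles authorised to read it
	Decisions []Decision               // audit trail of every CanRead call
}

func NewACL() *ACL {
	return &ACL{roles: map[string]Role{}, readers: map[string]map[Role]bool{}}
}

// SetRole assigns or changes a user's role. Because rights hang off the role, a move
// to a new department drops every right of the old one at the same moment.
func (a *ACL) SetRole(user string, role Role) { a.roles[user] = role }

// Offboard removes the user's role entirely; every later check fails closed.
func (a *ACL) Offboard(user string) { delete(a.roles, user) }

// Allow authorises one role to read one file.
func (a *ACL) Allow(file string, role Role) {
	if a.readers[file] == nil {
		a.readers[file] = map[Role]bool{}
	}
	a.readers[file][role] = true
}

// CanRead is the single decision point: deny unless the user has a role and that
// role is listed for the file. Reading a missing map entry yields false, so an
// unlisted file or an unknown user is denied by default.
func (a *ACL) CanRead(user, file string) bool {
	role, hasRole := a.roles[user]
	allowed := hasRole && a.readers[file][role]
	a.Decisions = append(a.Decisions, Decision{User: user, File: file, Allowed: allowed})
	return allowed
}

// Denied returns the refused checks, the first place to look for probing or misuse.
func (a *ACL) Denied() []Decision {
	var out []Decision
	for _, d := range a.Decisions {
		if !d.Allowed {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed sample users and files for the demonstration.
	acl := NewACL()
	acl.SetRole("alice", "hr")
	acl.SetRole("bob", "it-admin")
	acl.Allow("hr/bank-details.xlsx", "hr")

	fmt.Println("alice (hr) reads HR file:", acl.CanRead("alice", "hr/bank-details.xlsx"))     // true
	fmt.Println("bob (it-admin) reads HR file:", acl.CanRead("bob", "hr/bank-details.xlsx")) // false

	acl.SetRole("alice", "sales") // alice moves to another department
	fmt.Println("alice (sales) reads HR file:", acl.CanRead("alice", "hr/bank-details.xlsx")) // false

	acl.Offboard("bob") // bob leaves the company
	fmt.Println("bob (left) reads HR file:", acl.CanRead("bob", "hr/bank-details.xlsx")) // false

	for _, d := range acl.Denied() {
		fmt.Printf("DENIED user=%s file=%s\n", d.User, d.File)
	}
}
```

The design choice worth noting is that there is no "admin" branch anywhere in `CanRead`: administrators who need to back up or move encrypted files can do so without a read grant, because with data-level encryption (rule 4) handling the container does not reveal its contents.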
6. Consider the human factor
Complicated security can lead to human error, increase workload and slow down processes. So, when choosing a vendor, make sure that each feature of a solution adds to security seamlessly, rather than increasing complexity.
7. Be aware of your legal obligations
There is a wide range of legislative and legal requirements regarding data protection. Failure to take preventative measures can lead to managers and company directors being found personally liable.
8. Remember recovery mechanisms
If an important file is accidentally deleted it can usually be recovered. But if the key to an encrypted file is lost, so is access to the data. Your encryption solution should have intelligent recovery mechanisms, ranging from one-time passwords to tools that can recover encrypted material even if all of the user's keys are lost.
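Rules 4 and 8 together describe envelope encryption: the file contents are encrypted under a fresh data key (so the protection travels with the data, not the disk or USB stick), and that data key is wrapped separately for the user and for a recovery agent, so the loss of the user's key does not lose the file. The following is an added example written for this page, not code from the article or from Applied Security. It uses AES-256-GCM from the Go standard library and assumes two holders named "user" and "recovery" with random 256-bit keys; how those keys are stored (smartcard, offline recovery vault) is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored: the encrypted file plus the file's data key wrapped
// once for every party allowed to open it. Losing one wrapping key leaves the others intact.
type Envelope struct {
	Ciphertext  []byte            // nonce || AES-256-GCM(dataKey, file contents)
	WrappedKeys map[string][]byte // holder name -> nonce || AES-256-GCM(holderKey, dataKey)
}

// NewKey returns a fresh random 256-bit key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts and authenticates plaintext under key, with a random nonce prefixed.
func sealWith(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith; a wrong key or tampered bytes fail authentication.
func openWith(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt protects the contents themselves, independent of where the file lives,
// and refuses to produce an envelope that no recovery holder could ever open.
func Encrypt(plaintext []byte, holders map[string][]byte) (*Envelope, error) {
	if _, ok := holders["recovery"]; !ok {
		return nil, errors.New("refusing to encrypt without a recovery key holder")
	}
	dataKey, err := NewKey()
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKeys: map[string][]byte{}}
	if env.Ciphertext, err = sealWith(dataKey, plaintext); err != nil {
		return nil, err
	}
	for name, holderKey := range holders {
		if env.WrappedKeys[name], err = sealWith(holderKey, dataKey); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Decrypt opens the envelope with whichever holder presents its key: the user in
// daily use, the recovery agent when the user's key is gone.
func Decrypt(env *Envelope, holder string, holderKey []byte) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[holder]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for holder %q", holder)
	}
	dataKey, err := openWith(holderKey, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap for %q failed: %w", holder, err)
	}
	return openWith(dataKey, env.Ciphertext)
}

func main() {
	userKey, _ := NewKey()     // lives with the user (smartcard, profile, ...)
	recoveryKey, _ := NewKey() // held offline by the recovery agent
	holders := map[string][]byte{"user": userKey, "recovery": recoveryKey}
	env, err := Encrypt([]byte("constructed sample: Q3 strategy"), holders)
	if err != nil {
		panic(err)
	}
	// The user's key is now lost; the recovery holder can still open the file.
	plain, err := Decrypt(env, "recovery", recoveryKey)
	fmt.Printf("recovered: %q err=%v\n", plain, err)
}
```

Two properties make this a recovery mechanism rather than a backdoor: the recovery key only ever unwraps the per-file data key, so it can be kept offline and used under a documented procedure, and `Encrypt` refuses to write an envelope with no recovery holder, so a file can never be created in a state where a single lost key makes it unrecoverable.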
9. Prioritise risks
The choice of security solution should be based upon the perceived risks to the organisation, from financial to reputational. Weeding out the ‘nice to haves’ from the ‘must haves’ makes it easier to find the best-fit solution.
10. Accept that data protection is worth the investment
Data loss prevention is no easy feat; otherwise it would be inexpensive and security breaches would be rare. IT security is complex and requires specialist knowledge. Once this is accepted and the process is carried out properly, the benefits will far outweigh the investment.
Following these top ten tips will help your organisation avoid common mistakes, and keep you from becoming front-page news for all the wrong reasons.