An Ounce of Data Loss Prevention is Worth a Pound of Cure

September 16, 2017

So much has been written about the bad actors that break into organizations and steal valuable data. Has anyone heard of Equifax? The Latin root of this company’s name is “fax,” short for facsimile. Talk about a dinosaur of a name, and one that sort of implies the organization isn’t too current with technology. Well, this has proven to be true, and therefore, the truly worst actors must be the people inside Equifax itself. I don’t mean the crooked top executives. You have to blame the employees, right? Then again, maybe the executives are to blame because they know all about their stock value, but not so much about making sure their customers’ data was secure. Even worse, a lot of us aren’t even customers! Did you know that most of this data is about you and me, and that Equifax makes its money selling our very personal information without our approval or any type of compensation? Great business model. Thank you, Mr. Richard Smith, Equifax CEO.

This isn’t what I want to write about today, though. The conversation turns to what organizations can do to protect themselves from themselves. Employee behavior, whether malicious or unwitting, is certainly the doorway through which data leaves most organizations. Yes, we tend to give our crucial information away like upcoming Halloween candy. Trick or treat? Hey, there is no trick to being stupid!

This turns our attention to the concept of Data Loss Prevention (DLP). DLP is both a business strategy and software technology for making sure that end users (employees) do not send sensitive or critical information outside their corporate network. I’ll discuss the technology aspect below.

Software today can inspect information throughout an organization, large or small. This information is then dynamically classified and policies are dynamically applied. That sounds pretty technical, so go back and read that last sentence again. Software examines all of your data, and then depending upon the organization’s policies, the software decides what can and cannot happen with that information. It is all super-fast and invisible to employees.

How does it work?

With DLP, for example, if a top executive attempts to send an email containing social security numbers outside the organization, “Sorry, Boss, it just won’t go outside this organization.” According to Microsoft, an astounding 87% of corporate executives have accidentally leaked corporate data. If a staff member in Human Resources erroneously attaches a payroll spreadsheet to an email destined for a B2B partner, “ALERT! The data you are sending is highly sensitive and has been blocked.” Simple.
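The two scenarios above (an executive mailing social security numbers outside the company, and HR attaching a payroll spreadsheet to a partner email) both come down to the same two steps described earlier: classify the content, then apply the organization’s policy to the delivery. The following is an added example, not code from this post or from any DLP product, of a minimal outbound-mail policy engine. The domain `example-corp.test`, the `Message` and `Verdict` types, the labels, and the sample payroll message are all constructed for the example; the detectors are deliberately simplified versions of what a real DLP engine does.

```python
import re
from dataclasses import dataclass, field

# Hypothetical organization domain for this example (not from the post).
INTERNAL_DOMAIN = "example-corp.test"

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text

@dataclass
class Verdict:
    action: str   # "allow", "alert" or "block"
    labels: set   # data classes detected in the message
    reason: str

# Simplified detectors for the data types the post mentions. Real DLP engines add
# context words, dictionaries and document fingerprints to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")          # US employer tax ID, NN-NNNNNNN
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")       # candidate bank routing numbers

def is_aba_routing_number(digits: str) -> bool:
    """ABA routing numbers carry a mod-10 check digit:
    3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10.
    Checking it keeps random nine-digit numbers (order IDs, phone numbers)
    from being flagged as bank data."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in a piece of text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    if EIN_RE.search(text):
        labels.add("tax_id")
    if any(is_aba_routing_number(m) for m in NINE_DIGITS_RE.findall(text)):
        labels.add("bank_routing")
    return labels

# Policy: which labels block outbound delivery outright, which only raise an alert.
RESTRICTED = {"ssn", "bank_routing"}
CONFIDENTIAL = {"tax_id"}

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)

def evaluate(msg: Message) -> Verdict:
    """Classify body and attachments, then apply the outbound policy."""
    labels = classify(msg.body)
    for content in msg.attachments.values():
        labels |= classify(content)
    external = [r for r in msg.recipients if is_external(r)]
    if not external:
        return Verdict("allow", labels, "all recipients are internal")
    if labels & RESTRICTED:
        return Verdict("block", labels,
                       f"restricted data ({', '.join(sorted(labels & RESTRICTED))}) "
                       f"addressed to external recipients {external}")
    if labels & CONFIDENTIAL:
        return Verdict("alert", labels, "confidential data sent externally; logged for review")
    return Verdict("allow", labels, "no sensitive content detected")

if __name__ == "__main__":
    # Constructed sample: the HR payroll scenario from the post.
    payroll = Message(
        sender="hr@example-corp.test",
        recipients=["accounts@partner-b2b.test"],
        body="Hi, payroll attached as requested.",
        attachments={"payroll.csv": "name,ssn,routing\nJane Doe,123-45-6789,123456780"},
    )
    v = evaluate(payroll)
    print(v.action, sorted(v.labels), v.reason)
```

The same message that is blocked on its way to a partner is allowed between two internal addresses, which is the behaviour the post describes: the policy is about where the data is going, not just what it is. The routing-number check digit is the kind of detail that separates a usable DLP rule from one that buries the security team in false positives.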

Why isn’t DLP more widely used?

There are some common themes among larger customers who do not invest in DLP:

  1. On a high level, larger organizations are extremely slow to adopt technology they need because top executives do not have the confidence to know what is best. They simply do not take the time to understand it.
  2. On a level down, the technical professionals reporting to the above executives are not provided with the budgets they need to deploy preventative technologies. By the way, technical professionals really hate change because adopting new technology is a painful learning process for them. They might perform a single DLP initiative in their entire career. It is a sophisticated deployment. This all sets the stage for what follows.

This happens every day with larger “enterprises”:

On a typical day, bosses are impatient. They want everything done yesterday, and they really don’t understand how much work goes into their people’s work. Follow this…

  1. A mid-level, star employee gets an email from the boss. Sometimes the boss’s demands come from the boss’s personal email account. Not this time, though. He wants a PDF of the top 100 customers’ information. This has everything in it: account names, how they pay, including bank account numbers, key contacts, phone numbers, tax ID numbers, everything.
  2. He replies, “This will take probably twenty minutes.” The boss needs it right away before he catches a flight. The star employee doesn’t annoy the boss with any more questions. He doesn’t waste a second showing the boss how efficient he is.
  3. Twenty minutes later, the information is delivered.
  4. Later that day, the star employee had a sinking doubt. He went back and looked at that email from the boss. It looked right displayed in the mailbox, but when he opened the email and carefully examined the “From:” inside the actual email [this is the un-spoof-able “Header” in every email], he realized he had been the recipient of a LIVE phishing attack. This wasn’t a benign, “click on an Amazon gift card” SPAM phishing attack. Re-read #4; it really is not as complex as it seems on first reading.
  5. This was an active, live event. Like I said, this happens every day. (Phishing is an email that looks like it comes from a trusted source and attempts to get the recipient to give up their own valuable information.) If he had just taken a little more care, it would have been obvious.
  6. If the company had a DLP strategy, he would not have been allowed to give up the data.
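The check the star employee finally made in step 4, looking past what the mailbox displays and into the actual headers, can be automated on the receiving side. The following is an added example, not code from this post, of such a check using Python’s standard `email` module: it compares the domain in the visible From: line against the envelope sender (Return-Path), against any Reply-To, and against the receiving mail server’s own Authentication-Results (SPF, DKIM and DMARC), which are written by the organization’s server rather than by whoever composed the message. Both raw messages and all domain names are constructed for the example.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample (hypothetical domains): the visible From: line claims the
# boss's address, but the envelope sender and the receiving server's
# Authentication-Results disagree with it, and replies are steered elsewhere.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mail-relay.test>
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=mail-relay.test; dkim=none; dmarc=fail header.from=example-corp.test
From: "The Boss" <boss@example-corp.test>
Reply-To: boss.travel@webmail.test
To: star.employee@example-corp.test
Subject: Need the top 100 customer PDF before my flight

Send it over now please.
"""

# Constructed sample: the same sender, this time with everything lining up.
LEGIT_RAW = """\
Return-Path: <boss@example-corp.test>
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=example-corp.test; dkim=pass header.d=example-corp.test; dmarc=pass header.from=example-corp.test
From: "The Boss" <boss@example-corp.test>
To: star.employee@example-corp.test
Subject: Quarterly numbers

Thanks for the update.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from an address header such as From: or Return-Path:."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def header_warnings(raw: str) -> list:
    """Return the reasons the message's headers do not support its visible From: line."""
    msg = Parser().parsestr(raw)
    warnings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"envelope sender domain {rp_dom} differs from From: domain {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies would go to {reply_dom}, not {from_dom}")
    # Results recorded by the receiving server; anything other than "pass" is a flag.
    for mech, result in AUTH_RE.findall(msg.get("Authentication-Results", "").lower()):
        if result != "pass":
            warnings.append(f"{mech} result is {result}")
    return warnings

def looks_spoofed(raw: str) -> bool:
    return bool(header_warnings(raw))

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("legit", LEGIT_RAW)):
        print(label, "->", header_warnings(raw) or "no warnings")
```

A mail gateway that runs this kind of comparison can tag or quarantine the message before the employee ever sees an urgent request, so the twenty minutes of work never leave the building; the DLP policy on the outbound side is the second layer that catches what the first one misses.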

With an effective DLP strategy governed by the business, implemented by IT, and communicated to your staff, catastrophic and embarrassing data leaks are prevented. This occurs in real time; no need to scramble the jets, put out fires, or summon your counsel. The philosophy behind preventative data protection and proactive risk management should be the cornerstone of every organization’s modern IT policies.

Everyone wants to be productive, work efficiently, and perform to the best of their abilities. However, with hectic schedules and cross-departmental collaboration, mistakes can be made by good, honest workers who may have simply clicked A instead of B or typed “Apple” instead of “Banana.” Allow your workers to feel safe and secure, empowered and focused, knowing there are safeguards in place in case a mistake is made. Mistakes happen.

Executives everywhere, you must be aggressive, informed, and vigilant. That’s your job. Protect the fort! You don’t want to end up like Richard Smith, selling your shares before you publicly disclose the fact you were caught with your pants down!