Stopping the leak

May 2015 Information Security

In today’s globally connected world, data enters and leaves cyberspace at speeds baffling to the human mind. A mere 45 years ago, Apollo 11 landed on the moon, and since this historic event, advances in the world of cyberspace have raced ahead to unprecedented levels.

Mohsien Hassim, security services business unit manager, Datacentrix.
Mohsien Hassim, security services business unit manager, Datacentrix.

Enterprises today receive millions of e-mail messages and data files daily, containing sensitive data including the records of customers, business partners, shareholders, staff members, and more. With the advent of cloud technology, an organisation’s fear of losing data is amplified if its critical data is hosted outside by a third party and not within their total control.

It is a fact that, in today’s complex business world, data is seen as the new currency and can be attributed with a monetary value. However, the damage that data loss can do to an inadequately secured enterprise extends far beyond pecuniary matters, and can include reputation loss, regulatory consequences, a decrease in customer confidence, trust issues, a drop in market share, and the development of trade barriers.

A company that holds the sensitive data of customers, business partners and regulators needs to come to terms of with the responsibility of securing this information. Unfortunately, businesses constantly fall victim to massive data loss and high-profile data leakages involving sensitive personal and corporate data continue to appear, but are often not publicised, especially in South Africa. This is something that will change when the Protection of Personal Information (PoPI) Act, which highlights the importance of management and control over data, comes into full operation, meaning that organisations need to take measures to understand the sensitive data they hold, how it is controlled, and how to prevent it from being leaked or compromised.

In order to do this, it is important to understand what data loss really is. Data loss can be divided into two overlapping categories – leakage and damage. Leakage occurs when sensitive data is no longer under the organisation’s control (such as a loss of confidentiality due to for hacking or identity theft). Damage, or the disappearance of data, occurs when the correct data copy is no longer available to the organisation, resulting in a compromise of integrity or availability.

Types of data

Data is generally found is three modes: at rest; in motion; and in use. Data at rest includes data that resides in files systems, distributed desktops and data stores/databases; data in use refers to data that is being used in endpoint devices like mobile devices, USB drives and other endpoint devices; and data in motion denotes data that moves through the network to the outside world via e-mail, instant messaging, peer-to-peer (P2P), FTP, or other communication mechanisms. As the digital world evolves and technologies converge, the types of solutions used to move data will become more complex, requiring different treatment of data management.

Data Loss Prevention (DLP) is a strategy to ensure that end users do not send sensitive or critical information outside of the corporate network. This type of technology requires proper planning and even more importantly, precise implementation. DLP is a complex issue with no single effective solution; in essence, each organisation has its own challenges, business needs and risks mitigation strategies. This requires a con­tinuous assessment of DLP requirements on an ongoing basis.

It is imperative that organisations realise that their greatest assets are their people. Unfortunately, people are also a weakness in the system. Creating awareness around the correct management and use of data is a critical element in mitigating risks around data loss. Security awareness training should be mandatory for all staff (including management), thereby establishing a common baseline of security knowledge and removing the “I did not know” mind-set.

Three pillars

DLP focuses on the three pillars of data security: monitor; protect; and discover. When selecting a DLP solution, it should not interrupt business activities and should operate without deteriorating system or employee performance. DLP products generally come with built-in policies that are already compliant with the relevant compliance standards like PCI, HIPPA, SOX and so on, but alignment between the organisation’s needs and these policies is required.

The key element for a successful implementation of a DLP strategy and subsequent implementation project is to identity the data that needs protection. Adopting a blanket approach across the entire organisation will not work, as the outcome will in a large number of false positives being generated.

Key steps to be adhered to in a DLP strategy roll-out must include:

• Data identification - where all confidential and restricted data across the entire organisation is recognised and categorised into the three data classes.

• Policy definition - which will help protect the sensitive data identified. Every policy must consist of some rules, such as to protect credit card numbers, personally identifiable information (PII), and identity numbers. The DLP policies at this stage should only be defined and not applied.

• Identify information flows and data business owners - an organisation can identify its business information flow by preparing relevant questionnaires to identify and extract all the useful information. It is imperative to identity the business owners of the data as this forms an important step in the planning strategy of DLP. Preparing a list of notification recipients in the case of the loss of sensitive data is crucial.

• Deployment scenarios - deployment follows the three categories (modes) of data, and requires strong technical and deep project management skills for success.

The multitude of DLP products in the marketplace makes it difficult for an organisation to make its choice. These guidelines should assist in this selection process:

• DLP is a business requirement not an IT issue, the PoPI Act is clear on this, so check whether there is a business need for a DLP product or service.

• The identification of sensitive data or restricted data is a critical element in the DLP exercise. With proper data identification, unwanted false positives will be generated resulting in a waste of time and money. This is an important element of the DLP strategy.

• The DLP product must support the data formats of the environment.

• The fine-tuning of DLP policies will be required in the DLP operations.

• Regular updating of risk profiles and documentation will be required during the DLP exercise as DLP incidents are reported – this is the feedback loop of the exercise.

• Buy-in from senior and top management is a key requirement, and something that will be supported by the PoPI Act, so employ an executive sponsor.

DLP can offer great benefits to an organisation as with greater insight into, and thus control over its sensitive data, data management policies can be revised and ability to manage the risks that relate to data – a key asset – is significantly improved. After all…data is the new currency.

For more information, please visit www.datacentrix.co.za





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Deception technology crucial to unmasking data theft
Information Security Risk Management & Resilience
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...
Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
Prepare for cyber-physical attacks
Gallagher Information Security Access Control & Identity Management
As the security landscape continues to evolve, organisations must fortify their security solutions to embrace the changing needs of the security and technology industries. Nowhere is this more present than with regard to cybersecurity.

Read more...
Zero Trust and user fatigue
Access Control & Identity Management Information Security
Paul Meyer, Security Solutions Executive, iOCO OpenText, says implementing Zero Trust and enforcing it can create user fatigue, which only leads to carelessness and a couldn’t care attitude.

Read more...