Data Loss Prevention: The Business Case PDF

Document Details

Uploaded by ReadableArlington

University of Kansas

Lior Arbel

Tags

data loss prevention cybersecurity information security business strategy

Summary

This document discusses data loss prevention (DLP) and its business case, covering various aspects of DLP solutions and their benefits. The author, Lior Arbel, analyzes common security challenges and outdated approaches, recommending modern strategies for DLP implementation.

Full Transcript

Data loss prevention: the business case

Lior Arbel, Performanta

Computer Fraud & Security, May 2015

A recent PwC 'Global State of Information Security Survey' showed that the total number of security incidents detected by respondents climbed to 42.8 million in 2014, an increase of 48% from 2013.[1] It is clear that, more than ever, governments and businesses are being fined for data breaches that could and should have been avoided.

As a result, businesses today are turning to Data Loss Prevention (DLP) solutions to protect business-critical data. While each deployment is commissioned for a variety of reasons, all of them will have three common objectives: to increase productivity; to assert control over data; and to facilitate cost savings. DLP is now undoubtedly a necessary and business-critical part of a modern company's IT infrastructure.

This article will offer some insight into several aspects of DLP solutions, including an overview of the different types of DLP processes and the business benefits gained from deployments, as well as providing some business advice for general investment in cyber-security systems and policies.

An outdated approach

For many years, the information security market focused on protecting an organisation's network from the Internet. The assumption was that all incoming traffic from the Internet is potentially malicious and therefore needs scanning. While that has some merit, a contrasting approach was applied to outgoing data, which was usually left untracked. Companies believed that if they could protect themselves from incoming threats, none of the outgoing data was at risk. However, Ernst & Young's 'Global Information Security Survey 2014' concluded that 56% of organisations were unlikely to detect a sophisticated cyber-attack.[2]

Figure: The total number of security incidents reported by respondents to the PwC 'Global State of Information Security Survey 2014'.

Cyber-criminals have long had the ability to take existing malicious functionality and obfuscate it to evade security solutions. This presents a large problem: if one attack is successful and obfuscates itself within the network, it could spread undetected throughout the network, targeting critical data. However, as the major point of hacking is to steal information, the data still has to leave the network, which is when it can be detected. Critically, a DLP solution can expose sensitive data in transit. For example, if an attacker who has breached the network is sending a file out, the program will likely use a non-standard encryption method. By tracking the encrypted data, its destination can be discovered, which allows a company to determine the appropriate response.

Didn't want to know

DLP solutions provide greater visibility, but this has not always been a desirable quality for some businesses. In the past there was an attitude, especially in some smaller companies, that if you weren't looking for a breach then you couldn't discover one, the significance being that they would not have a legal obligation to report it and therefore would not suffer any repercussions. This is becoming increasingly unacceptable as an attitude, as the costs of a hacking scandal are far greater than just the fear of being fined. Take, for instance, the recent Sony hack: over 100TB of internal company data and sensitive employee information was taken from the company servers. This not only cost the company revenue (a reported $15m) as details about its upcoming films were leaked; it also lost the firm employee and customer trust, as well as requiring a large amount of managerial time to communicate with employees and the media to respond to the crisis. It has since resulted in co-chairman Amy Pascal resigning from the company.

All or nothing

One of the biggest misconceptions of DLP implementations is that it is seen as an all-or-nothing project. It was assumed that businesses would have to categorise all of the company data at the start of the project, which could be very costly and take up a large amount of time with no results. This could, and did, lead to the failure of projects that ran longer and required larger costs than anticipated. In fact, the best approach to this problem is to start small and then expand the scope of the programme as required. Identify and protect the most critical data first and then slowly expand the programme. The secondary benefit of this is that the first successful implementation provides a business case for securing continued expansion, rather than pitching for a large upfront investment.

DLP solutions are deeply entwined with the business process and therefore need business engagement. Any legacy issues with DLP were due to a lack of data education and strategy. When DLP was originally developed, people thought that it could be treated like an Intrusion Detection System (IDS) and be given to the IT teams as a data loss solution. However, due to the nature of DLP, it requires business input to determine what data is critical.

New hybrid approaches, where both the business and the security teams work on the DLP system, have led to some very successful implementations. As a result, organisations can rectify security issues by giving the business visibility of information that leaves the organisation, as well as creating a greater awareness of some of the bad business processes operating within the company.

Communication can often be the most important factor in encouraging business buy-in to the security process. Often other sectors of the business are not aware of the threats faced by the security team on a regular basis. If, for instance, an IT manager or a CIO/CSO prepares a weekly security threat email for the company or C-level executives, it can lead to greater awareness of the challenges of securing the company from market threats. That, coupled with regular security workshops, can increase the security IQ of the company. At the planning level this approach can increase CEO and board buy-in to security investments, and at the day-to-day level it can increase the company's resilience to common attacks by educating employees to spot the many basic types of attack.

Figure: Answers to the question 'Which statement best describes the maturity of your threat intelligence programme?'. Source: Ernst & Young 'Global Information Security Survey 2014'.

DLP methods

There are several methods and processes that DLP solutions use; this is a quick overview of some of the key ones.

Data categorisation is used to determine which data needs heightened levels of security and which does not. As outlined earlier, this process does not need to include all of your data; instead a small proportion of critical files can be tracked and given extra levels of monitoring and protection. This system is useful as it provides a method for monitoring the use of crucial company information and can quickly detect a misuse and alert the IT team to a breach.

User profiling creates dynamic user profiles that track regular activity and use this to detect when abnormal activity occurs, which could suggest a breach. For example, if a member of the creative team only accesses the creative drive for months but then begins accessing the finance drive, this can raise a red flag and the account can be investigated.
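The two methods just described, categorising a small set of critical shares and profiling each user's normal activity, can be shown working together over a handful of access-log lines. What follows is an added example written for this page, not code from the article, from Performanta, or from any DLP product; the share names, the 'critical'/'normal' classification, the log format and the log lines themselves are all constructed for illustration, and the learning window (January) and detection window (February) are arbitrary assumptions.

```python
"""Toy DLP monitor: data categorisation plus user profiling over file-share
access logs. Added example for this page; not code from the article, from
Performanta or from any DLP product."""
from collections import defaultdict
from datetime import datetime

# Data categorisation (assumption): a small set of shares is classed
# 'critical' and gets heightened monitoring; anything else is 'normal'.
SHARE_CLASS = {
    "finance": "critical",
    "hr": "critical",
    "creative": "normal",
    "marketing": "normal",
}

# Constructed sample log, one event per line:
# <ISO timestamp> <user> <action> <share>/<path>
SAMPLE_LOG = """\
2015-01-05T09:02:11 alice READ creative/brief_q1.docx
2015-01-06T10:15:40 alice WRITE creative/storyboard.psd
2015-01-12T14:22:03 alice READ creative/logo_v3.ai
2015-01-13T08:45:19 bob READ finance/ledger_2014.xlsx
2015-01-20T11:30:57 alice READ creative/brief_q2.docx
2015-02-03T16:01:22 alice READ finance/payroll_jan.xlsx
2015-02-03T16:03:48 alice COPY finance/payroll_jan.xlsx
2015-02-04T09:12:00 bob READ finance/ledger_2015.xlsx
2015-02-04T09:40:31 bob READ marketing/campaign.pptx
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "share": path.split("/", 1)[0],
                       "path": path})
    return events


def build_profiles(events, learn_until):
    """User profiling: baseline each user as the set of shares they touched
    during the learning window (everything before learn_until)."""
    profiles = defaultdict(set)
    for ev in events:
        if ev["ts"] < learn_until:
            profiles[ev["user"]].add(ev["share"])
    return profiles


def detect_anomalies(events, profiles, learn_until):
    """Flag post-learning events on a share absent from the user's baseline.
    Hits on the same (user, share) are collapsed into one alert so the IT
    team investigates one case rather than one alarm per file, and alerts on
    'critical' shares are ranked first."""
    alerts = {}
    for ev in events:
        if ev["ts"] < learn_until or ev["share"] in profiles.get(ev["user"], set()):
            continue
        key = (ev["user"], ev["share"])
        if key not in alerts:
            critical = SHARE_CLASS.get(ev["share"], "normal") == "critical"
            alerts[key] = {"user": ev["user"], "share": ev["share"],
                           "severity": "high" if critical else "low",
                           "first_seen": ev["ts"].isoformat(), "count": 0,
                           "actions": set(), "paths": []}
        alerts[key]["count"] += 1
        alerts[key]["actions"].add(ev["action"])
        alerts[key]["paths"].append(ev["path"])
    rank = {"high": 0, "low": 1}
    return sorted(alerts.values(),
                  key=lambda a: (rank[a["severity"]], a["first_seen"]))


def run(log_text=SAMPLE_LOG, learn_until="2015-02-01T00:00:00"):
    """Learn on January, detect on February; returns the alert list."""
    cutoff = datetime.fromisoformat(learn_until)
    events = parse_log(log_text)
    return detect_anomalies(events, build_profiles(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']}] {a['user']} -> {a['share']} "
              f"({a['count']} events, {sorted(a['actions'])}) since {a['first_seen']}")
```

On the sample data the creative-team user touching the finance share produces one high-severity case covering both the read and the copy, while a user reaching a new but non-critical share produces a low one. The fixed learning window is the crude part: a deployment would use a rolling baseline and would route low-severity cases to a review queue rather than paging anyone, which is the practical answer to the article's point about false alarms swamping the real threats.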
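The earlier point under 'An outdated approach', that a DLP system can expose sensitive data in transit even when the attacker's tool wraps it in a non-standard encryption, and that tracking the flow gives you the destination, can be illustrated with a small outbound-flow classifier. This is an added example, not the article's code or any vendor's; the approved-destination list, the entropy threshold, the two protocol fingerprints and the sample flows (including the fictional destination 203.0.113.7, taken from the documentation address range) are all assumptions made for illustration.

```python
"""Toy outbound-flow classifier for the 'data in transit' point: flag
connections whose payload is opaque (high entropy, no recognised protocol
framing) and bound for a destination outside the approved list, and record
that destination so the response team knows where the data went. Added
example for this page; not code from the article or from any DLP vendor."""
import math
import random
from collections import Counter

# Assumptions made for illustration.
APPROVED_DESTINATIONS = {"mail.example.com", "crm.example.com"}
ENTROPY_THRESHOLD = 7.0  # bits per byte: text is roughly 4-5, ciphertext close to 8


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def recognised_framing(payload):
    """Very small protocol fingerprinter: TLS record header or HTTP request line.
    Anything else is treated as unknown framing, which is what a home-grown
    or 'non-standard' encryption tool tends to produce."""
    if payload[:2] == b"\x16\x03":          # TLS handshake record, version 3.x
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return "http"
    return None


def classify_flow(flow):
    """Return a verdict plus the facts an analyst needs: destination, size,
    entropy and framing."""
    payload = flow["payload"]
    ent = shannon_entropy(payload)
    framing = recognised_framing(payload)
    approved = flow["dst"] in APPROVED_DESTINATIONS
    if framing == "tls" and approved:
        verdict = "expected"                 # encrypted, but to a sanctioned service
    elif framing == "http":
        verdict = "cleartext"                # hand to content-inspection rules
    elif framing is None and ent >= ENTROPY_THRESHOLD and not approved:
        verdict = "suspected-exfiltration"   # opaque blob to an unknown host
    else:
        verdict = "review"                   # e.g. TLS to an unapproved host
    return {"src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
            "bytes": len(payload), "entropy": round(ent, 2),
            "framing": framing, "verdict": verdict}


def suspicious_destinations(flows):
    """The list a DLP console would show: where suspected exfiltration went."""
    return [r for r in map(classify_flow, flows)
            if r["verdict"] == "suspected-exfiltration"]


def sample_flows():
    """Constructed flows from one workstation; seeded so the run is repeatable.
    203.0.113.7 is from the documentation address range, not a real host."""
    rnd = random.Random(20150513)
    opaque = bytes(rnd.getrandbits(8) for _ in range(4096))
    return [
        {"src": "10.0.5.17", "dst": "crm.example.com", "dport": 443,
         "payload": b"\x16\x03\x01" + opaque[:512]},
        {"src": "10.0.5.17", "dst": "www.example.org", "dport": 80,
         "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"},
        # attacker tool: custom 4-byte magic followed by its own ciphertext
        {"src": "10.0.5.17", "dst": "203.0.113.7", "dport": 8443,
         "payload": b"\xde\xad\xbe\xef" + opaque},
    ]


if __name__ == "__main__":
    for r in map(classify_flow, sample_flows()):
        print(f"{r['verdict']:<24} {r['dst']}:{r['dport']} "
              f"{r['bytes']}B entropy={r['entropy']} framing={r['framing']}")
```

The classifier cannot read the attacker's ciphertext, and does not try to; it uses the absence of any recognisable framing, the near-8-bit entropy and the unapproved destination together, which is the same reasoning the article gives for why exfiltration is detectable at the point where data leaves the network. Real products add volume baselines per host and known-bad destination feeds, but the record it returns (destination, port, bytes) is exactly what the response team needs first.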
There are also other tools available, such as tracking outgoing data and restricting access to critical files. However, as with any good security programme, it is important that these are deployed in tandem with an education programme. This will ensure that security incidents are not raised accidentally by employees, as these false alarms will have to be investigated and could lead to delays in spotting the real threats.

Business benefits from deployment

DLP solutions and data management tools bring broader business benefits beyond the security space, which can aid in making a strong case for their deployment. The visibility created over the movement of company data can aid you in determining the weaknesses in your system. It can also help you in exposing erroneous business practices. A good example comes from a telco provider that installed a DLP solution and discovered more than 30 questionable processes of which no-one was aware.

Gains can also be made when dealing with compliance regulation, as there has been a recent increase in planned legislation for data protection within the UK, the EU and globally; for example, the proposed EU Data Protection Regulation that will see larger fines imposed on companies that suffer a breach than current regulations. DLP solutions can aid a company in compliance with this regulation and also help with reporting breaches, as they can track the destination of the data and determine the extent of the attack. An additional benefit is that they can help reduce the premium on your cyber-insurance, which is growing in prevalence as the danger of cyber threats increases.

Adopting DLP solutions can also lead to a more flexible security environment, which benefits employees. Traditional security solutions were designed to block data based on the source, destination and channel. This is an inflexible approach which does not take into account the modern dynamic of the web and social media. Employees want to be able to access social channels while at work, yet security teams are reluctant to allow this as it would be possible for sensitive files to be shared from personal email accounts. However, DLP solutions make it possible to control what data is being shared, which allows the company to feel secure in offering more flexibility in its security policies.

Ultimately, these additional benefits are secondary to the necessity of protecting critical company information; however, they are a useful addition for accurately demonstrating the benefits that a DLP solution can bring to a business.

Implement a cyber-security policy

To return again to the recent Sony hack, we can praise Sony's response in how it dealt with communicating the attack to its key stakeholders and the public. There were regular communications between managers and employees, and regular meetings of upwards of 500 employees at a time in special clinics to inform them of dangers posed to their personal information. This demonstrates that Sony did have a plan to mitigate the after-effects of a cyber-attack. Other companies suffering from similar attacks in the future should put plans in place now to emulate Sony in responding in a structured way: calling in a security consultancy to help manage the breach, reporting it to the authorities and proactively dealing with employee and public concerns.

A proper security policy to deal with the after-effects of a cyber-attack can help mitigate the crisis and deal with the fallout for a company. It can help shore up the trust of the public and investors and, as seen in the Sony case, help with employee concerns as well. There is always a danger in a crisis that different managers will not want to take responsibility in case the situation worsens; this is truer in security crises, as often the damage has already been done. One of the main benefits of a policy plan is to counter this 'responsibility football' game and to assign specific responsibilities to specific people, giving the entire company continuity and direction until the crisis has passed.

Conclusion

It seems that barely a week goes by without yet another report appearing in the media about a high-profile leak of confidential data, and what makes it into the news only represents a fraction of all the incidents that occur, with many businesses hushing this up within the organisation. There is most definitely a need in most companies for an increase in awareness of threats and responsibility to protect business-critical data.

CIOs and CSOs need to ensure that they are building a proper business case for the implementation of security technology. Getting buy-in from each level of your company to the security process and educating your workforce is a critical line of defence against the most common of attacks.

This is the time for organisations to begin implementing, reviewing and enhancing security procedures. Do not wait for there to be a successful attack and to suffer the loss of revenue, customer trust and the potential loss of critical data. Security requires constant vigilance and an active approach, and this is growing more pressing as the world becomes more connected. Organisations can benefit from DLP solutions in various ways and should view them as an investment. Organisations simply cannot overlook DLP technology and procedures; they are vital to protecting sensitive data, maintaining the trust of your customers and your competitive edge in the market.

About the author

Lior Arbel is the CTO of Performanta, a specialist information security firm. Arbel has more than 15 years' experience in IT security. Prior to Performanta, he worked at Websense as global lead of its DLP solution, specialising in large enterprise projects. Previously he worked for eight years on security for IBM Israel, where he led an IBM Global Services security team.

References

1. 'Global State of Information Security Survey 2014'. PwC, 2014. Accessed Apr 2015. www.pwc.com/gx/en/consulting-services/information-security-survey/key-findings.jhtml
2. 'Global Information Security Survey 2014'. Ernst & Young. Accessed Apr 2015. www.ey.com/Publication/vwLUAssets/EY-global-information-security-survey-2014/$FILE/EY-global-information-security-survey-2014.pdf
Bitcoin – payment method or fraud prevention tool?

Akif Khan, Bitnet

It is no secret that e-commerce is the fastest growing retail sector in Europe. Tales of woe for the traditional high street have been on front pages throughout the land since the infamous demise of Woolworths back in 2009. The Centre for Retail Research predicts that online sales in the UK, Germany, France, Sweden, the Netherlands, Italy, Poland and Spain are expected to grow from £132.05bn in 2014 to £156.67bn this year, reaching an anticipated £185.44bn by 2016.[1]

The UK is by far Europe's leading online shopping economy, with spending by British consumers online growing by 16% in 2013 to reach £91bn. Card payments have so far been the main driver of this growth and provide the most effective way to pay online. However, with them come a number of challenges for an industry that is increasingly beset with the evils of fraud.

Fraud-related issues

Unfortunately, with the increasingly widespread consumer acceptance of purchasing online with traditional credit and debit cards, fraud is also growing at an alarming rate, with 85% of online merchants expecting fraud to either stay static or grow in the next 12 months.[2] Online fraud against UK retailers totalled an estimated £105.5m in 2013, a rise of 4% on the previous year. However, there has been a substantial increase in fraud against online retailers based overseas, rising 48% to an estimated £57.8m.

Fraud losses on UK cards totalled a staggering £450.4m in 2013, a 16% increase from £388.3m the previous year.[3] At the same time, total spending on all debit and credit cards reached £520bn in 2013, a rise of 6.7% on 2012, with 10.7 billion transactions made in the year. Overall, card fraud losses as a proportion of the amount we spend on our cards have increased steadily, from 7.1p in 2012 to 7.4p for every £100 spent. The number of single transactions during this period rose by over half a billion.

Leading the way is the trend for remote purchase fraud, generally referred to as 'card-not-present' (CNP) fraud. By far, most instances of this type of fraud involve the use of card details that have been fraudulently obtained through methods such as skimming, through digital attacks via malware infections and data hacks, or through unsolicited emails or telephone calls to the less savvy members of the community. The card details are then used to undertake fraudulent purchases over the Internet, by phone or by mail order.

FBI on the case

Of course, the prevalence of fraud is not confined to these shores. The US Federal Bureau of Investigation's (FBI) Internet Crime Complaint Centre (IC3) carefully monitors the most common scams being used online for fraudulent activity. While it stops short of detailing the true volume and scope of cybercrime, it does highlight the
