Nov 11 2008

Cut Your Losses

Data loss prevention software can plug security leaks and force end users to change careless habits.

In too many cases today, companies succumb to the pull of gravity and fall into the data loss trap. The threat from data loss is now so serious that a recent IDC study found that inadvertent exposure of confidential information has replaced Trojans, viruses and other malware as the leading threat to corporate IT security.

Companies in heavily regulated industries such as financial services and health care, traditionally very protective of their sensitive data, are in the forefront of this fight. But no vertical market is exempt, nor is the threat of data loss the exclusive province of big corporations.

Let’s start with the National Rural Utilities Cooperative Finance Corp., based in Herndon, Va. This privately owned, 250-person firm, which provides financing services to rural electric companies, is small by design but must confront the same urgent data protection pressures that its much larger counterparts face.

“Can my company get hurt, embarrassed or lose money as a result of some corporate record leaving the company?” asks Mike Carr, vice president and CIO at National Rural Utilities. “Are we in violation of some law if some record gets exposed?”

These questions are driving businesses like Carr’s to take proactive steps to stop data leaks and cut their losses. Along with data security technologies such as disk or e-mail encryption, which safeguard data privacy by making content unreadable, companies are employing data loss prevention (DLP) solutions from a host of manufacturers — including Check Point, McAfee, Sophos, Symantec and Trend Micro — that can detect and intercept proprietary information before it’s leaked.

These tools are aimed at companies that have a need to reassure customers that their data is safe and protect their own intellectual property from exposure. National Rural Utilities uses a combination of whole-disk encryption and best-of-breed security solutions to plug the gaps.

Farmers National, a farm management and real estate company based in Omaha, Neb., began exploring its options for data loss prevention when its customers began asking for proof of security before signing up with the company.

With 80 of Farmers’ 200 staff members in the field, mobile devices add a special challenge. The company uses whole-disk encryption on its mobile computers and is considering signing on to a mail encryption service to protect sensitive outbound data from loss.

“Security has become a higher priority for our customers. This makes it easier to budget for it,” says Scot Wolcott, Farmers National IT director.

Two Flavors

So how does DLP technology work? These solutions take one of two approaches: either simply monitoring and reporting on data traffic in a passive mode or actively intercepting proprietary records before they are lost or leaked.

96% of all data leaks can be attributed to insufficient business processes or an oversight by an employee.
Source: Symantec’s Vontu Risk Assessment research

The first approach is a gateway-based system that looks at data in motion, scanning e-mail and instant messages for policy violations. The second is an end-point solution that performs a similar function, but because it sits on the end user’s system, it can protect data when the user is outside the corporate firewall. Both types, which can be used together to provide layered security or as discrete solutions, assess internal and external communication looking for confidential or otherwise sensitive information that should not be viewed by unauthorized users. A host-based DLP system also can monitor and block data transfers to storage peripherals such as USB flash drives.
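As an added illustration (not code from the article or from any vendor named in it), the sketch below applies the two modes described above to an outbound message: passive monitoring reports and delivers, active interception reports and withholds delivery. The rule names, patterns, the `inspect` function and the policy URL are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy for illustration: rule names, patterns and URL are assumptions.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN written with dashes
POLICY_URL = "https://intranet.example/policies/data-handling"  # hypothetical link


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (order or tracking numbers) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_violations(text: str) -> List[str]:
    """Return the names of the rules the text matches, never the matched values."""
    hits = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("payment-card")
    if SSN_RE.search(text):
        hits.add("us-ssn")
    return sorted(hits)


@dataclass
class Verdict:
    deliver: bool               # False means the message was intercepted
    violations: List[str]
    notice: Optional[str]       # text shown to the sender, with the policy link


def inspect(sender: str, body: str, mode: str) -> Verdict:
    """mode='monitor' reports and delivers; mode='block' reports and intercepts."""
    if mode not in ("monitor", "block"):
        raise ValueError(f"unknown mode: {mode}")
    violations = find_violations(body)
    if not violations:
        return Verdict(True, [], None)
    notice = (f"{sender}: message matched {', '.join(violations)}; "
              f"see {POLICY_URL} for handling rules")
    return Verdict(mode == "monitor", violations, notice)
```

The Luhn check is what keeps a 16-digit order or tracking number from being flagged as a card, and the report carries only rule names so the DLP log does not become a second copy of the sensitive data.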

Manufacturers are introducing tools that scan business environments, looking for any data that should be specially protected. National Rural Utilities’ Carr advises that one good way to start implementing a DLP strategy is to inventory enterprise data to determine which information requires specific safeguards. This helps the company focus its security efforts on protecting that information by setting policies and practices about how sensitive data should be accessed, stored and transferred.

Many businesses also find that host-based DLP solutions can play an invaluable role in making policies more relevant to end users.

“We find that a lot of customers use [host-based] DLP solutions to alert their employees they might be doing something that violates policy,” says Brian Burke, program director for security at IDC. Burke says these tools can notify an end user of potential breaches before they store proprietary data on a thumb drive or send a message with confidential customer information to an unauthorized user.


What is the main reason your company is looking at a data loss prevention program?

23% We need it for regulatory compliance.
41% We have no plans to deploy.
16% We’re at greater risk for data leaks.
15% The technology is more widely accepted.
5% Don’t know

Source: CDW poll of 577 BizTech readers

This offers businesses an invaluable training tool to curb what can be potentially costly data losses, and can alleviate what is probably the single biggest source of data loss: human error. As National Rural Utilities’ Carr observes, most data leaks aren’t the result of a theft or even intentional misuse, but rather end-user negligence. “So what you are really doing is protecting yourself against careless behaviors,” he says.

This can help close the reality gap between corporate policies and actual end-user practices. Organizations such as San Diego-based Sharp Healthcare see a significant disconnect between security training and employees’ day-to-day actions. Starla Rivers, Sharp Healthcare’s technical security architect, says DLP solutions can help make policies pertinent to end users by notifying them immediately when they violate a policy and providing them with a link to information outlining proper procedures.

While an increasing number of large enterprises are adopting DLP solutions, many small companies are still reluctant to deploy the technology. Broadly speaking, while most DLP software comes with policy templates based on common industry regulations and government mandates (such as Sarbanes-Oxley) to ease setup and expedite deployment, SMBs still shy away from DLP because of concerns about management complexity. The need for straightforward systems that let IT managers set policies and monitor DLP activity from the same screen where other security functions are handled is driving manufacturers to offer centralized consoles from which IT can manage discovery, set policy and protect data against leaks.

Cost concerns are also keeping many SMBs at bay. Carr, who uses a mix of best-of-breed solutions to protect his organization from data seepage, admits it can be a challenge for a small business like his to justify the expense.

However, he says, once a company weighs the cost against the benefits, the answer is clear: “Our cost of ownership is very high per capita, but it is worth every penny because we have a high degree of confidence that we are on top of it.”

CEO Takeaway
Here are the main advantages of DLP technology:
• Automates data handling in accordance with corporate policies. This will minimize IT intervention and reduce support expenses.
• Eliminates remediation costs related to data theft or exposure. Reduces expenses from lawsuits and compensation to customers and partners, as well as from lost business.
• Demonstrates compliance with government and industry regulations by documenting data protection.