|
Leaking sensitive information can pop the balloon on your company's reputation. DLP tools can mitigate incidents and offer insight into where data lives.
It's the call you've feared. The phone rings at 9 a.m. on a Sunday. You're the CISO of a medium-sized retailer, and weekend calls aren't all that unusual. But within 30 seconds of picking up the phone, you know your weekend, if not your job, is over. One of the customer service managers accidentally emailed an Excel file of all the clients acquired last quarter to an external distribution list while trying to send it to his personal Gmail account to work on over the weekend. Worse yet, the file contains full credit card and verification numbers.
The really bad news? You recently signed off on your self-assessment for your Payment Card Industry Data Security Standard audit and affirmed that you don't keep card numbers in an unencrypted format. No one told you about the nightly database extract the customer relations team runs with the credit card number as the primary key. Your external audit is scheduled for next month, making this about the worst time possible for an accidental disclosure. It's not like you can blame this one on evil hackers.
This situation is hypothetical, but it illustrates the pressures companies are under. Data protection grows more critical every day as our sensitive information faces increasing scrutiny from regulators and business partners. It's no longer just a matter of keeping the bad guys away from data. Businesses now are expected to handle it responsibly, often in accordance with contractual or legal requirements. Yet the average organization typically has little idea of where its sensitive data is, never mind how it's really being used.
Over the past five years, a new category of tools emerged to address this problem. Data loss prevention (DLP) products help companies understand where their sensitive data is located, where it's going, how it's being used, and can sometimes enforce protective policies. The technology may not always stop evil hackers, but it offers considerable help in protecting a business from internal mistakes and in cost-effectively managing compliance.
Knowing where sensitive content is located protects the organization and may reduce the time and cost of audits; a company can prove that its data is appropriately secured and show real-time controls to detect violations. By gaining considerable insight into how data is communicated internally and externally, odds are that an organization will identify a number of risky business processes--like the above nightly database dump and use of personal email accounts. It also gains the ability to prevent accidents and eliminate bad habits, like improper use of USB drives. DLP won't make you compliant, but its combination of risk reduction, insight and potential audit cost reduction is compelling.
Yet while DLP tools have significant potential to reduce an organization's risk of unapproved disclosures of sensitive information, they are among the least understood and most over-hyped security technologies on the market. Organizations that take the time to understand the technology, define their processes and set appropriate expectations will see significant value from their DLP investment, while those that make snap purchases or set their expectations inappropriately high will struggle with this powerful collection of tools.
|
