Among the few security technologies that have received sustained attention in the recent past is Data Loss Prevention (DLP). According to a Gartner CISO survey, “data loss prevention (DLP) is a top priority for CISOs.” [1] The concept behind data loss prevention is to define a solution or process that identifies confidential information, tracks that data while it is in transit, and enforces controls that prevent its unauthorized disclosure. This is a great way to alert management and protect your critical information assets. Confidential data exists on a variety of devices, such as flash drives, physical servers, cloud servers, mobile devices, and endpoints, and it moves through a range of network points. To protect all of this data, different DLP controls can be applied while the data is in storage, in transit, or on an external device.
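The first step the paragraph describes, identifying confidential information in content, is what a DLP engine does on every file or message it inspects. The following program is an added example written for this article, not code from the original page or from any DLP vendor: it scans text for payment card numbers (filtered with the Luhn checksum so that order and ticket numbers are not flagged) and e-mail addresses, then redacts what it found as a simple enforcement action. The `SampleTicket` text, the pattern choices and the `[REDACTED-…]` markers are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one item of confidential data located in scanned content.
type Finding struct {
	Kind  string // "card" or "email"
	Value string // the text exactly as it appeared in the content
}

var (
	// Candidate payment card numbers: 13 to 19 digits, optionally separated by
	// single spaces or dashes. The pattern alone over-matches, so every hit is
	// checked with the Luhn algorithm before it is reported.
	cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// Simple e-mail address pattern, adequate for a content scanner.
	emailPattern = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	separators   = strings.NewReplacer(" ", "", "-", "")
)

// luhnValid reports whether a digit string passes the Luhn checksum used by
// payment card numbers; it filters out order numbers, ticket ids and similar.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScanForSensitive is the "identify confidential information" step of DLP:
// it returns every Luhn-valid card number and every e-mail address in text.
func ScanForSensitive(text string) []Finding {
	var findings []Finding
	for _, m := range cardPattern.FindAllString(text, -1) {
		if luhnValid(separators.Replace(m)) {
			findings = append(findings, Finding{Kind: "card", Value: m})
		}
	}
	for _, m := range emailPattern.FindAllString(text, -1) {
		findings = append(findings, Finding{Kind: "email", Value: m})
	}
	return findings
}

// Redact is one enforcement action: it masks each finding so the content can
// be logged or forwarded without disclosing the original values.
func Redact(text string) string {
	for _, f := range ScanForSensitive(text) {
		text = strings.ReplaceAll(text, f.Value, "[REDACTED-"+strings.ToUpper(f.Kind)+"]")
	}
	return text
}

// SampleTicket is constructed sample input, not real customer data. The last
// number is deliberately Luhn-invalid to show the false-positive filter.
const SampleTicket = "Ticket #4821: customer 4111-1111-1111-1111 asked to update billing; " +
	"reply to jane.doe@example.com. Order ref 4111111111111112 is not a card."

func main() {
	for _, f := range ScanForSensitive(SampleTicket) {
		fmt.Printf("%-5s %s\n", f.Kind, f.Value)
	}
	fmt.Println(Redact(SampleTicket))
}
```

Running it reports one card number and one e-mail address; the 16-digit order reference is left alone because it fails the Luhn check, which is the kind of precision tuning that keeps a DLP deployment from drowning staff in false alerts.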
Data protection can feel overwhelming, so here is a quick list of the do’s and don’ts of data protection to help shape an organization’s data protection policies.
Do’s:
Do know your risks and obligations
Every organization is different and therefore has its own data protection obligations and its own level of risk. No single method is “one size fits all.” Data protection policies must be tailored to the risk involved and the company’s needs.
Do educate your employees
Data flows at every level of the organization, so employees at all levels must be kept in the loop. Data protection cannot be confined to one point; it is needed wherever the data is. Train all employees on policies and procedures, on the risks involved in data transfer, and on the applicable data protection law. Employees should know which documents are stored, and documents that are no longer required should be shredded or otherwise destroyed.
Do delegate responsibility
Data protection is a big task, and it is best managed when responsibility is delegated. Appoint a capable person who is educated, trained, and experienced in safeguarding confidential information. The designated person or team shall ensure that data is not left unprotected and that surplus data is destroyed regularly.
Do encrypt files
Encrypting files is very important. If encrypted data is stolen, an outsider cannot read it without the decryption key, which should be held only by the intended recipient.
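The claim above, that a stolen encrypted file is unreadable without the key, can be shown directly. The following program is an added example written for this article, not code from the original page: it seals a file with AES-256-GCM (an authenticated mode, so a wrong key or a modified file is rejected with an error rather than decrypted into garbage), then demonstrates that a second, unrelated key cannot open it. The `customers.csv` sample content, the `.enc` suffix and the temporary-directory layout are constructed for the illustration; key storage (KMS, HSM, vault) is assumed to be handled outside this code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// NewKey returns a fresh random 256-bit key. Whoever holds this slice can read
// the file; whoever does not cannot. Where it is stored is an operational
// decision (KMS, HSM, vault) that this example leaves to the reader.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The blob is
// nonce || ciphertext || tag, so one file carries all it needs, given the key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // random per file, never reused with a key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modification of the blob makes
// the GCM tag check fail, so the caller gets an error instead of garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// EncryptFile writes the sealed form of src to dst, readable only by the owner.
func EncryptFile(key []byte, src, dst string) error {
	plaintext, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	blob, err := Encrypt(key, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, blob, 0o600)
}

// DecryptFile restores a file sealed by EncryptFile.
func DecryptFile(key []byte, src, dst string) error {
	blob, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	plaintext, err := Decrypt(key, blob)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, plaintext, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "dlp-demo")
	defer os.RemoveAll(dir)
	secret := filepath.Join(dir, "customers.csv")
	sample := []byte("id,email\n1,jane.doe@example.com\n") // constructed sample data
	_ = os.WriteFile(secret, sample, 0o600)

	key, _ := NewKey()
	_ = EncryptFile(key, secret, secret+".enc")
	blob, _ := os.ReadFile(secret + ".enc")

	other, _ := NewKey() // an attacker's guess: any key but the right one
	_, err := Decrypt(other, blob)
	fmt.Println("decrypt with wrong key:", err) // non-nil: GCM rejects it
	pt, _ := Decrypt(key, blob)
	fmt.Println("round trip with right key:", bytes.Equal(pt, sample))
}
```

The design point is the authenticated mode: plain AES-CBC would also hide the contents, but it would silently return nonsense for a wrong key and accept a modified file. With GCM, both cases surface as an error that a DLP or backup process can log and act on.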
Don’ts:
Don’t use information irresponsibly
It is not good practice to use, or allow others to use, data for any purpose other than the one it was collected for. Doing so puts the collected data at risk, and using data for an unintended purpose can constitute a breach of privacy and confidentiality.
Don’t leave data unattended
Unattended data is easy for anyone to access. Never leave computer terminals unattended, not even for a few seconds. Never leave sensitive documents, flash drives, external HDDs, etc., unattended. If something is no longer required, it should be appropriately destroyed.
Don’t ignore security updates
No matter how busy you are, never ignore security updates and patches. Failing to apply released patches leaves known gaps in your security, and a known, unpatched vulnerability is a tempting target for any cybercriminal.
Don’t use official systems for personal use
Never use your office system for personal activities. Business security software may be configured to defend against threats from the websites staff members need for work, but not from websites outside that scope.
Don’t ignore out of office security
If you allow your employees to work remotely, you must also be prepared to deal with the risk involved. Ensure that remote staff use the required security software and are trained in cybersecurity procedures.
Data loss prevention best practices
- Determine the most appropriate DLP deployment architecture based on your primary data protection objective. The main DLP deployment architectures are discovery, endpoint DLP, network DLP, and cloud DLP.
- DLP is not the security department’s concern alone; its budget should come from the different business units, which also helps create awareness of how crucial DLP is.
- When outsourcing DLP, establish selection criteria for vendors. Learn whether each vendor can deliver the data protection service effectively, who its deployment partners are, how long deployment takes, which policies it supports, and so on.
- Clearly define the roles and responsibilities of the staff involved in the DLP process.
- Set objectives that are quick to reach and measurable, with a clearly defined approach. Organizations often complicate a simple data protection process by attempting to solve too many cases at once.
- All business unit heads shall work together towards data loss prevention. This ensures that the business units are aware of the security policies and their impact.
- Document your process for onboarding new members and releasing departing ones. A documented process can be followed consistently, so you do not have to reinvest effort every time an employee joins or leaves.
- Determine your key performance indicators (KPIs) and monitor them closely to show the success of the DLP program. Once the program and its areas of focus are defined, present the positive impact and business value of DLP in the form of metrics.
Installing a data loss prevention tool is only the first step toward security. Understanding that DLP is a continuous learning process is what helps achieve lasting goals.
EC-Council University offers Bachelor and Master programs in cybersecurity. The Bachelor of Science in Cybersecurity (BSCS) gives the required exposure, builds cybersecurity skills, and develops the leadership abilities that help any candidate grow as a cybersecurity professional. The Master of Science in Cybersecurity (MSCS) builds expertise in the skills you want and the domain knowledge you need to stay ahead of the competition.
Sources:
https://www.veracode.com/security/guide-data-loss-prevention