Data Loss Prevention: it’s a people business

By Gagan Bhatia, Head of Security Delivery, 10x Banking

Of course, everyone takes data loss prevention seriously.

Primarily because they have to.

Regulations such as GDPR, HIPAA and PCI-DSS require service providers to implement controls that protect data from unauthorised access or unwarranted loss. It stands to reason and it’s the right thing. Regulators provide guidance but do not mandate implementation details, which is where the fun begins and why most folks turn to tooling next.

And we believe that is a problem. Not because tools aren’t great and much needed. They are both great and needed. But because tools are only as effective as the use you put them to, and one size doesn’t fit all. Also, if you work in a modern ecosystem such as the cloud, investigate the realistic opportunities and threats that environment presents before making decisions.

The biggest threat to data security is people, of course. But people are also the biggest asset for its protection. So, pause before rushing to procurement. Pause before you spend time, money and energy on tool implementations.

If the aim is to build a thread of ‘digital trust’ with your clients as well as meet regulatory requirements, our advice is to think before you act. Because DLP (data loss prevention) is not just about a tick in the box of things *not* going wrong. It’s rather about a nexus of processes, controls and strategic decisions managing a multitude of risks.

The first step is all about you: your business, your data and your threats, not the tools.

The first step is to identify the data you must protect, the data you want to protect in addition to the above and then ensure that you have captured every aspect of that data. Then and only then can you start thinking about how you will go about protecting it. And what from.

The first step is often fudged, but we maintain it is not optional. Poor data loss prevention implementations caused by a rushed first step are not uncommon, so spend the time to be sure you know the population of data you are protecting. Stating the obvious here, but that will change your approach, so it matters.

Work with your clients, internal security team, data protection officer (if you have one) and define the data which is sensitive to your organisation.

Not everything is equally important. Don’t fall into this trap: focus on your crown jewels and build on top of them.

Once you identify what data you want to protect and have gone three rounds on what is in and what is out of that category, you need to work out the mechanics: where the data lives, who is allowed to access it and under what conditions, and of course, above all… what are you keeping this data safe from? What are the threats you are anticipating? Do they change depending on whether the data is at rest, in use or in motion? (Hint: they always do.)

But we should be wary of false prophets.

Most providers claim that they offer an easy path to compliance, but implementations are not easy, and they entail many strategic decisions that go back to what you are trying to do.

Will you encrypt everything at rest and in transit? Of course you should, but this is something DLP tools don’t like much, though vendors won’t say so openly: an inspection tool cannot read ciphertext. You end up making a difficult trade-off, either granting the decryption keys to the tools or ignoring the encrypted data (mostly the latter).

Will you use a rule or dictionary-based solution and tweak and customise as you go, leaving analysts in a never-ending game of whack-a-mole while training the system?

Will you invest in detective solutions?

There are no right and wrong answers. Only answers that are right or wrong for the context of your business, the data you are trying to safeguard and the threats you anticipate. And that’s before you’ve even looked at the cost of some of these solutions, which may be prohibitive for your business. These are not cheap bits of kit.
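To make the rule-based “whack-a-mole” concrete, here is an added example in Python (not code from the article or from 10x Banking): a naive 16-digit pattern for PCI-DSS card numbers flags an order reference as a leak, while adding a Luhn check to the same rule removes that false positive. The file names and contents are constructed samples, not real data.

```python
import re

# Constructed sample files (not real data): one genuine-looking test PAN and
# one 16-digit order reference that a naive digit-pattern rule misclassifies.
SAMPLES = {
    "expense_claim.txt": "Card used: 4111 1111 1111 1111, amount 42.00",
    "shipping_note.txt": "Order ref 1234 5678 9012 3456 dispatched today",
}

# First-cut DLP rule: four groups of four digits, optionally separated.
NAIVE_RULE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_matches(text: str) -> list:
    """Rule as first deployed: anything that looks like 16 digits is a hit."""
    return NAIVE_RULE.findall(text)


def tuned_matches(text: str) -> list:
    """Rule after tuning: keep only candidates whose digits pass Luhn."""
    hits = []
    for m in NAIVE_RULE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def scan(samples: dict, matcher) -> dict:
    """Run one rule over every sample and report the matches per file."""
    return {name: matcher(text) for name, text in samples.items()}


if __name__ == "__main__":
    print("naive:", scan(SAMPLES, naive_matches))
    print("tuned:", scan(SAMPLES, tuned_matches))
```

Each such refinement removes one class of false positive and is exactly the analyst effort the article describes; the checksum does nothing for data that does not carry one.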

Thanks for nothing, we hear you say. So, what should I do instead?

Well. Spend as much time on the early conversations around what data you will focus on and what threats you will seek to prevent.

Always think prevention ahead of detection/reaction. You might need both types of control, but in our experience focusing on the former gives you better overall prevention.

Then invest in your processes. Make sure you have active vulnerability management.

That means know your vulnerabilities and manage them. And remember that some of the steps you need to take don’t need sophisticated tooling as much as consistent implementation. Access control is still your best defence against data loss. Ultimately, focusing on what you are protecting and what you are protecting it from is a matter of awareness and proactive management. The tools are there to help you do it, once you are clear what it is you need to be doing. Not the other way round.
