During a September speech, White House Cybersecurity Coordinator Michael Daniel suggested the U.S. needs a new approach to cybersecurity.
“We haven’t fully confronted cybersecurity as a human behavior and motivation problem, as opposed to a technical problem,” Daniel said. “Until we understand the human factors, we will continue to fail at solving this problem.”
He could have extended his comments to data protection or information privacy, because in many cases, companies are still relying solely on technological approaches to safeguard personally identifiable information (PII) and sensitive corporate data from data leakages (accidental “seepage” of data into potentially unprotected areas), or data losses—intentional or unintentional loss of data availability.
Today's data protection officers require a holistic approach that combines information-security tools and technologies, employee behavioral training that reinforces good behavior, and effective policies, procedures and standards as part of their data protection or information privacy programs. Data loss prevention (DLP) is such an approach.
Many companies lack an effective approach to categorizing, classifying, protecting and monitoring the status of their PII, intellectual property (IP) and other sensitive corporate data for which they are responsible. Sadly, most companies only realize the ramifications of poor DLP practices after experiencing a data breach.
Data leakage poses a significant threat because of the unauthorized leakage of PII, IP and sensitive corporate data into areas either outside of a company’s control or into areas that do not offer the data the essential protection it requires, sometimes rendering it unavailable for its intended use by the company. Data loss poses an even more significant threat when it results in a loss of data integrity or data availability. Given the increasingly damaging data breaches that have occurred since January of this year, companies of every size must aggressively and proactively mitigate the impacts of data leakage and data loss on their bottom lines. Otherwise, they will face greater investment, legal, operational and reputational risks in the near future.
DLP mitigates those risks. It assists data protection and information security professionals in jointly “detecting and preventing the unauthorized transmission or disclosure of sensitive data.” It gives these professionals the ability to integrate employees, corporate policies, processes and standards, and it allows information security technology to protect the company’s most sensitive data from unauthorized or unintended disclosures to cyber-adversaries and other nefarious actors.
To be successful, a holistic DLP program should consist of the following seven categories:
- Data governance
- Risk assessment
- Regulatory and privacy compliance
- Data classification
- Policies, standards and procedures
- Data discovery
- Remediation processes
- Training and awareness
DLP employs a nontechnical, programmatic approach (data protection, information privacy) in unison with a technical approach (information security) to protect a company’s sensitive corporate data. It enables data protection officers to address and influence employee behaviors and choices as they apply to identifying, categorizing, classifying and protecting sensitive corporate data (data governance, risk assessment, regulatory and privacy compliance, data classification, policies, standards and procedures, and training and awareness). It also enables information security professionals to apply administrative, physical and technical controls to safeguard the same sensitive corporate data (data discovery, remediation processes).
Most importantly, privacy protection is an integral part of DLP's methodology. It strongly advocates for the use of privacy assessments to protect a company’s sensitive data based on an evaluation of regulatory and statutory compliance. It also identifies risk assessment as being essential to the identification, classification and categorization of data throughout a company’s information systems in terms of data at rest, data in motion and data at the endpoint. It recognizes the importance of effective and enforceable privacy policies, procedures and standards. And finally, it realizes that a company’s employees require comprehensive education and situational awareness training as part of its privacy program.
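The technical half of the program described above (data discovery, classification, and the detect-and-prevent check on data in motion) can be illustrated with a small scanner. The following is an added example written for this page, not code from the original article or from any DLP product; the file contents, the classification labels (Internal, Confidential, Restricted) and the channel policy are all constructed assumptions. It walks a set of in-memory "data at rest" records, detects SSN-like, card-number-like and e-mail patterns, applies a secondary check (a Luhn checksum for card numbers, an issued-range check for SSNs) so that look-alike numbers are not flagged, assigns each record a classification, and reuses the same classifier as a data-in-motion gate for an outbound message.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus (path -> contents) standing in for files a
# discovery scan would walk. Every value here is made up for the example.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire Jane Doe, SSN 123-45-6789, contact jane.doe@example.com",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112",
    "eng/README.md": "Ref 000-12-3456 is a ticket id, not an SSN; build with make.",
    "marketing/notes.txt": "Campaign launches Q3. No personal data here.",
}

# Candidate patterns. Each is paired with a secondary check below so that a
# number that merely looks like PII does not become a finding.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a digit run that fails it is not a valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


@dataclass
class Finding:
    path: str      # where the data was found
    kind: str      # SSN, CARD or EMAIL
    redacted: str  # masked value safe to put in a report


def scan_text(path: str, text: str) -> list:
    """Discovery step: return validated PII findings for one record."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding(path, "SSN", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding(path, "CARD", "*" * (len(digits) - 4) + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group(0).partition("@")
        findings.append(Finding(path, "EMAIL", local[0] + "***@" + domain))
    return findings


# Classification step: the highest-sensitivity finding decides the label.
LEVELS = ["Internal", "Confidential", "Restricted"]


def classify(findings) -> str:
    kinds = {f.kind for f in findings}
    if "SSN" in kinds or "CARD" in kinds:
        return "Restricted"
    if "EMAIL" in kinds:
        return "Confidential"
    return "Internal"


def discover(files: dict) -> dict:
    """Data at rest: map each path to (classification, findings)."""
    return {path: (classify(scan_text(path, text)), scan_text(path, text))
            for path, text in files.items()}


def outbound_allowed(message: str, channel_max: str = "Internal") -> bool:
    """Data in motion: allow the message only if its content does not exceed
    the channel's permitted classification (assumed policy, for illustration)."""
    label = classify(scan_text("<outbound>", message))
    return LEVELS.index(label) <= LEVELS.index(channel_max)


if __name__ == "__main__":
    for path, (label, findings) in discover(SAMPLE_FILES).items():
        print(f"{label:<12} {path}")
        for f in findings:
            print(f"             {f.kind}: {f.redacted}")
```

The report never contains the raw matched value, only a masked form, so the discovery output itself does not become a second copy of the sensitive data. The Luhn and issued-range checks are what keep the ticket id and the mistyped card number out of the findings; a scanner without such checks will flag far more records as Restricted than the business can remediate.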
DLP’s four foundational principles also complement the IAPP's Privacy Operational Lifecycle model, which enables data protection or information privacy professionals to develop and implement sustainable programs that increase a company’s ability to protect its PII, IP and other sensitive corporate data.
DLP’s four foundational principles—manage, discover, monitor and protect—allow data protection officers and information security professionals to protect their companies' most sensitive corporate data from unauthorized compromise or loss.
Companies that are seriously considering integrating DLP into their current privacy programs should consider the following five tips:
- Clearly define the company’s DLP requirements.
- Build a compelling case for the proposed DLP program.
- Fully understand the total costs of DLP solutions ownership.
- Deploy DLP incrementally to achieve success.
- Be prepared to address inadequate and ineffective corporate policies.
Those companies that decide to implement DLP strategies will realize quickly that DLP should be a part of every 21st-century data protection program.