Compliance needs drive data leak protection best practices
By Cara Garretson
So you've chosen a data-leak protection tool and you now have an answer when the boardroom asks what the company is doing to protect against data breaches. Or do you? For these tools to have a high success rate at preventing sensitive data from leaving the corporate network, they require quite a bit of upfront work. Following are some best practices to help you get your DLP up and running.
- Your DLP policies should be based on your compliance needs. These tools will only enforce the policies you have set. For example, many regulations call for the encryption of personally identifiable information. If the tool offers encryption, it should therefore be set to encrypt values whose format identifies them as Social Security or credit card numbers.
- Policy creation is not a one-time deal. DLP is one part technology, one part understanding the business. For the tool to be effective, IT and business units must collaborate on developing policies that protect the company, but are also flexible enough to allow employees to get their jobs done. Once created, IT should expect to engage the business to help update and hone policies on a regular basis using feedback from users. One way to do this is to let users offer an explanation for why a policy-breaking action should be allowed to occur – many tools offer users a dialog box to enter such reasons. But even if the tool doesn't automate that process, offering users a channel to submit feedback is still useful. This input leads to policies that better reflect how a company operates.
- These tools will catch mistakes, but may not catch intentional breaches. The good news is that most data leakage incidents stem from mistakes, rather than malfeasance. According to Nick Selby, senior analyst and director of The 451 Group's enterprise security practice, 98% of leaked data is the result of "stupidity or accident" on the part of the user. If a disgruntled employee is determined to send product road maps to the competition he'll be hard to defeat, Selby says. But accountants who send corporate financial data to themselves over Web e-mail so they can work on spreadsheets at home will quickly learn from these tools that such actions compromise security.
- When using a tool's blocking feature, consider the risk of false positives. This issue isn't necessarily related to the quality of the tool, but more to the lack of a hard-and-fast definition of sensitive data. Many companies opt to operate these tools in monitor-only mode initially, so they can see what's being sent out of the company, and then work on policies and enforcement from there.
- Classify your data at creation. If data can be tagged as sensitive or not when it is created, you'll save yourself a lot of work trying to decide after the fact. A classification tag that follows the data wherever it goes, inside and outside the network, gives DLP tools the flag they need to catch a leak.
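To make the earlier points concrete, the following is an added example (not code from the article or from any DLP product) of the content-inspection core of such a tool: loose regexes find Social Security and payment-card look-alikes, then structural rules and a Luhn check drop the look-alikes that cause false positives, and a small policy layer runs in monitor-only mode or blocks unless the user supplies a justification that is recorded for policy review. The function and class names, the sample messages, and the policy modes are assumptions made for illustration; the SSA structural rules and the Luhn algorithm are the real ones.

```python
"""Minimal content-inspection policy engine in the spirit of a DLP gateway.
Added example; names and sample messages are assumptions, not a product API."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Candidate patterns are deliberately loose; validation below does the real work.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the DLP log does not itself leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str       # "ssn" or "pan"
    masked: str     # safe-to-log form of the matched value
    offset: int     # position in the scanned text


def scan(text: str) -> list[Finding]:
    """Return validated findings only; numbers that merely look sensitive are dropped."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", mask("".join(m.groups())), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("pan", mask(digits), m.start()))
    return findings


@dataclass
class Decision:
    action: str                         # "allow", "monitor" or "block"
    findings: list[Finding] = field(default_factory=list)
    justification: Optional[str] = None  # user-supplied reason, kept for policy tuning


def evaluate(text: str, mode: str = "monitor", justification: Optional[str] = None) -> Decision:
    """monitor: log the findings and let the message through.
    block: stop it, unless the user gave a justification, which is recorded."""
    findings = scan(text)
    if not findings:
        return Decision("allow")
    if mode == "monitor":
        return Decision("monitor", findings)
    if justification:
        return Decision("allow", findings, justification)
    return Decision("block", findings)


# Constructed sample messages (not real data) as an outbound mail filter might see them.
SAMPLE_MESSAGES = [
    "Order 1234 5678 9012 3456 shipped today",            # card-shaped but fails Luhn
    "Refund to card 4111-1111-1111-1111 please",           # valid test PAN
    "New hire SSN 123-45-6789, start Monday",              # structurally valid SSN
    "Sample form uses SSN 000-12-3456 as a placeholder",   # impossible SSN
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for mode in ("monitor", "block"):
            d = evaluate(msg, mode=mode)
            print(f"{mode:7} {d.action:7} {[ (f.kind, f.masked) for f in d.findings ]}")
```

Run as a script, the first and last messages are allowed in both modes because validation rejects them, while the card and the SSN are logged in monitor mode and stopped in block mode. Starting in monitor mode and reviewing the masked findings is how you discover which policies need tuning before you turn blocking on.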