Define, educate, prevent: Avoiding data loss is easier than you may think

Most organizations believe they aren't in danger of losing data, but as recent news demonstrates, the threat is real and no organization is immune.

In a recent CDW report on threat prevention, data loss emerged as the No. 1 cybersecurity challenge faced by medium and large businesses. Fully 37 per cent of IT security decision makers surveyed for the report cited data loss as "the next big security threat" their organizations face, naming it a bigger threat than viruses, worms, malicious attacks and botnets.

Just envisioning the potential consequences of data loss is enough to keep executives up at night. Data loss of any kind can damage an organization in countless ways. From a simple hard-cost standpoint (forensics, notification, credit protection, etc.), data loss is expensive, costing an estimated average of $200 per record breached, or an average of $6.8 million per total breach, according to a recent Ponemon Institute survey.

The true cost, however, is much harder to measure when considering factors such as lost competitive advantage, loss of revenue, litigation and company reputation.

The first step to prevent data loss is to accept that data loss is a real problem. Truly solving the problem can be boiled down to three simple concepts: define/baseline, educate and enforce.

Define data and create a baseline

This is not the typical, monstrously large (and perpetually doomed-to-failure) information classification project that so many IT organizations have undertaken and then abandoned. The key to success is to draw a distinction between confidential information (e.g. Social Security numbers) and confidential documents (such as a file containing Social Security numbers).

In today's IT world, nearly everyone is an information worker. In the course of business, people make copies of files, create reports, post them to SharePoint sites, etc. Trying to categorize information at the document level is typically prohibitively difficult because these documents are rapidly moving targets.

That said, the definition of "confidential" is usually straightforward. The simple data points that allow for fraudulent monetization of data (first and last name, address, Social Security number, credit card number, driver's license number, banking information, etc.), as well as data protected by regulation (e.g. HIPAA), are the minimum any organization should protect.

But every organization also has business-critical data. Examples include the trading algorithm that was almost stolen from a well-known investment banking firm, the next quarter's sales pipeline for a reseller, pre-product-launch research data for a biomed firm or the source code for a product at a software company.

Your next step should be to define what "business critical confidential" means to your organization. In the simplest terms, that definition should be measured against three standards:

➢ Would the loss of this information materially affect revenue and profitability?

➢ Would your organization's leadership want to be informed of a leak?

➢ Would your organization's leadership take action if informed of a leak?

In some ways, these are three separate questions driving to the same concept, but in a practical sense, applying all three questions enables organizations to cut through noise and churn, to focus on the true heart of "business critical confidential."

Once this definition is established, the second step is to measure the business against that definition, to gain clarity regarding the real risks. The areas of greatest concern do not necessarily overlap the areas of greatest exposure. In many cases, the single greatest exposure existing in an organization can be easily remedied by altering a single business process. The areas of greater concern are the ones that are harder to control.

Educate your organization and address problems

"Information security policy" -- have the shivers yet? A tremendous amount of research and effort goes into crafting an organization's information security policy. There are legal and liability reasons for much of what a typical information security policy covers. Unfortunately, in a practical sense, dozens (or hundreds) of pages covering a large amount of ground do not assist the typical information worker in making daily judgment calls on how to use and store confidential information.

Once the definition of "confidential" is determined and the use of confidential information has been measured, the next step is to use that insight to author a practical and concise policy. Your goal should be to keep the policy under half a page in length, and to use it to define, in the form of the stereotypical "30-second elevator conversation," what data is confidential and how it should be used.

Following the creation of that policy, three actions should be taken:

➢ Resolve process issues that violate the policy and cause ongoing incidents.

➢ Educate users on the policy.

➢ Provide ongoing, real-time notification to users.

As early adopters in the industry take on data loss prevention projects, there are many indications that clear, concise communication, coupled with education, can reduce data loss incidents by more than 90 per cent.

Prevent data loss from occurring

If process change, user education and real-time notification can reduce risk by 90 per cent, technological enforcement can narrow the remaining 10 per cent. The real key, however, is to make security an ongoing priority. Invest wisely and consistently in security technology that is tailored to manage the specific risks your organization is likely to face.
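As an added example (not code from the article or from CDW), the following Python scanner shows what the "define" and "enforce" steps look like in practice: it encodes the regulated data points listed earlier (Social Security numbers and payment card numbers) as detection rules, applies a Luhn checksum so that order numbers that merely look like card numbers do not trigger it, masks what it finds, and produces the short real-time user notice the article calls for. The sample documents, the user name and the notice wording are constructed for this example; the regular expressions are this example's own assumptions, not a vendor's rules.

```python
"""Minimal DLP content scanner: detect regulated data in text and build a
real-time user notice. Added example; not the article's or CDW's code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Detection rules for the "minimum any organization should protect" data points.
# Both patterns are assumptions of this example, not a vendor's rule set.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn" or "pan"
    masked: str   # redacted value, safe to put in a notification or log
    offset: int   # character offset of the match in the scanned text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def mask(digits: str) -> str:
    """Keep only the last four digits so the notice itself does not leak data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Finding]:
    """Return every plausible SSN and Luhn-valid card number found in text."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", mask(m.group().replace("-", "")), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("pan", mask(digits), m.start()))
    return findings


def scan_documents(docs: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of document name -> text; the input is already in memory."""
    return {name: scan(text) for name, text in docs.items()}


def notify(user: str, doc: str, findings: List[Finding]) -> Optional[str]:
    """Build the short, real-time notice the policy asks for, or None if clean."""
    if not findings:
        return None
    kinds = ", ".join(sorted({f.kind for f in findings}))
    # Constructed policy wording; a real deployment would quote its own policy.
    return (f"{user}: '{doc}' contains {len(findings)} confidential item(s) ({kinds}). "
            f"Policy: keep it in the approved repository and do not email it externally.")


# Constructed sample documents (not taken from the article).
SAMPLE_DOCS = {
    "q3_pipeline.xlsx": "Prospect: Acme Corp, contact Jane Doe, phone 555-0100, expected close Q3",
    "hr_export.csv": "name,ssn\nJohn Smith,123-45-6789\nTest Account,000-12-3456\n",
    "refund_notes.txt": "Refund to card 4111 1111 1111 1111 approved; order 1234567890123456 shipped",
}

if __name__ == "__main__":
    for name, found in scan_documents(SAMPLE_DOCS).items():
        print(notify("jdoe", name, found) or f"{name}: clean")
```

Note what the scanner does not find: the sales-pipeline file comes back clean, although the article counts next quarter's pipeline as business-critical. Pattern matching covers regulated identifiers; "business critical confidential" data only becomes detectable once the organization has written its own definition, which is why the define step comes first.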

One way to do this is to dedicate an internal or external resource to monitor and manage security issues, making sure that this resource reports to the appropriate stakeholders. This strategy allows you to monitor security risks in real time, keeping the organization informed and involved in the security of your data.

Data loss is a threat that will continue to weigh heavily on the minds of IT executives everywhere, but there are tested and proven ways to safeguard your organization. By defining your data, educating your staff and taking proactive measures to prevent data loss, you will be able to dramatically mitigate your risk of falling victim to this common security threat.

By Sadik Al-Abdulla, senior manager, CDW Security Practice