Monitoring what information leaves your organisation is as vital as protecting it from external attacks. E-mail has become a critical business tool, but it is also the easiest way for information to escape from the confines of a business.
“The emphasis in many traditional security systems has been on blocking external threats that might get into the network, but in today’s environment that’s only half the story,” says Mark Edwards, director: products & services at Intuate Group. “Organisations need to stop the information in the network from getting out to the outside world, whether by accident, ignorance or through malice.”
In a recent eMedia survey commissioned by Mimecast, 94% of IT managers said they had no way to prevent confidential information leaving their networks. Often the system is nothing but basic firewall rules designed to block access to specific services, which will miss some of the key routes through which confidential, commercially sensitive or other regulated data could be leaving the business.
IDC’s 2006 Security Survey found that employee error was the fourth largest security issue behind malware, spyware and spam, while Forrester estimates that 80% of leaks occur because staff aren’t aware of data policies rather than because of any malicious intent. But deliberate or accidental, it is a significant problem.
“Almost all employees – from the receptionist to the CEO – have access to corporate information and sensitive data that could harm the organisation or prove useful to competitors,” states Edwards. “While the majority of disclosures are accidental, they can still cause embarrassment or more serious damage. One can’t ignore the possibility of fraud, industrial espionage or malicious acts by disgruntled employees. Deliberate disclosure is far less common, but if it does happen, it is far more dangerous to the business.
“Data Leak Protection (DLP) isn’t new. Businesses have always put tools and systems to prevent unauthorised access to critical business information in place, but what we call DLP today brings together these technologies and adds a specialised policy engine, resulting in an information-centric security solution that ties security policies to both stored data and anyone who works with it.
“An example of this is the Mimecast e-mail lifecycle management solution which is designed to integrate security and hygiene, policy, continuity, retention and discovery services through a single management and reporting interface so that an organisation can get an instant snapshot of its most critical communications platform,” he says.
“It’s important to remember that any solution needs to be as simple to use as possible, and preferably automatic. Many failed CRM and ERP deployments have shown that a solution must avoid adding complexity to existing business processes. It must be easy to deploy and manage, easy to use and make it easier to comply with policy.”
Detecting and preventing a data leak is one half of the problem, but how to respond to the incident is another important feature of an e-mail DLP system. Whether the attempted leak is deliberate or accidental, it can’t be investigated fully without seeing it in context. That means the DLP system needs to be integrated with the wider systems that manage governance, risk and compliance issues.
In an increasingly punitive regulatory environment, the consequences of data leaks are becoming more severe and can include heavy fines or other penalties in addition to a damaged reputation and business relationships.
The Data Protection Act, HIPAA, the Companies Act Combined Code, the Financial Services Act, Sarbanes-Oxley, EuroSOX, MiFID and GLBA all mandate the confidentiality of information and, therefore, the prevention of leakage. If the leak proves to be accidental, it’s vital to have the e-mails and metadata available to work through the issues with the employee or decide how to refine the business process in question to avoid future leaks. And if it proves malicious, it’s essential that the message is forensically preserved so it’s available to use as evidence in a disciplinary proceeding, civil or even criminal prosecution as appropriate.
“DLP isn’t about stopping employees from communicating with colleagues, partners and customers and it isn’t about making it harder for them to do their job,” Edwards stresses. “In fact, a well-designed system should make their lives easier by catching honest mistakes and dealing with them automatically, and it should do it according to the policies the business lays down.
“Automatic encryption and remediation can prevent accidental data leaks and notifications can be used to educate users on company policy and the procedures they should be following. As well as detecting data leaks, this helps develop a self-correcting mechanism for bad business processes and poor procedural compliance,” he explains.
“The data protection problem goes beyond what can be achieved with technology alone – policy, processes and people management are all key. No technology can prevent every leak or ensure that nothing ever leaves the company that should be contained. Nevertheless, if used correctly, a DLP solution can turn e-mail from a risk to a source of business value by correcting honest mistakes, safeguarding evidence in cases of malicious action, educating users in policy and best practice and helping improve procedures that impact productivity and encourage inappropriate sharing of information.”
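The article describes an e-mail DLP system in three parts: a policy engine that inspects outbound messages, automatic remediation (encrypt, quarantine) with a notification that educates the sender, and forensic preservation of the message and its metadata so an incident can be investigated in context. The following is an added illustration of that pipeline in Python; it is not Mimecast's code or any product's API. The policies, the internal domain `example.com`, the sample messages and the action names are all constructed for the example.

```python
"""Minimal outbound e-mail DLP policy engine (added illustration, not vendor code).

Pipeline per message:
  parse -> evaluate policies -> pick the most restrictive action
  -> build an audit record that preserves a hash of the original message
  -> optionally produce an educational notification for the sender.
"""
import hashlib
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumed: everything else is "external"


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: "re.Pattern"
    external_only: bool   # apply only when at least one recipient is outside INTERNAL_DOMAIN
    action: str           # "allow", "encrypt" or "quarantine"
    notify_sender: bool   # send the sender a policy reminder on match


# Constructed example policies; real deployments carry many more, tuned to their data.
POLICIES = [
    Policy("card-number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), True, "quarantine", True),
    Policy("confidential-marker", re.compile(r"\bCONFIDENTIAL\b", re.I), True, "encrypt", True),
]

SEVERITY = {"allow": 0, "encrypt": 1, "quarantine": 2}


def recipients(msg: Message) -> list:
    """All recipient addresses (To/Cc/Bcc), lower-cased."""
    raw = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def has_external_recipient(msg: Message) -> bool:
    return any(not a.endswith("@" + INTERNAL_DOMAIN) for a in recipients(msg))


def body_text(msg: Message) -> str:
    """Concatenate text/plain parts; non-text attachments are out of scope here."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def evaluate(raw: str) -> dict:
    """Apply POLICIES to one raw RFC 822 message and return the audit record."""
    msg = message_from_string(raw)
    text = (msg.get("Subject") or "") + "\n" + body_text(msg)
    external = has_external_recipient(msg)

    hits = [p for p in POLICIES
            if (external or not p.external_only) and p.pattern.search(text)]

    # The most restrictive matching action wins.
    action = max((p.action for p in hits), key=SEVERITY.get, default="allow")

    return {
        "message_id": msg.get("Message-ID"),
        "from": msg.get("From"),
        "recipients": recipients(msg),
        "external_recipient": external,
        "policies_matched": [p.name for p in hits],
        "action": action,
        "notify_sender": any(p.notify_sender for p in hits),
        # Hash of the unmodified message: lets the archived copy be shown intact later.
        "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
    }


def notification(record: dict) -> str:
    """Plain-language reminder sent to the author when a policy matched."""
    if not record["notify_sender"]:
        return ""
    return (f"Your message {record['message_id']} to an external recipient was "
            f"{record['action']}ed because it matched: "
            f"{', '.join(record['policies_matched'])}. "
            "Please review the information-handling policy before resending.")


# Constructed sample messages (not real traffic).
SAMPLE_EXTERNAL = """From: alice@example.com
To: Bob <bob@partner.test>
Subject: Q3 figures
Message-ID: <constructed-1@example.com>

Hi Bob, CONFIDENTIAL draft attached. Card on file: 4111 1111 1111 1111.
"""

SAMPLE_INTERNAL = SAMPLE_EXTERNAL.replace("Bob <bob@partner.test>", "carol@example.com")

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        rec = evaluate(sample)
        print(rec["action"], rec["policies_matched"])
        print(notification(rec) or "(no notification)")
```

The same content sent internally is allowed, while the copy addressed to `partner.test` is quarantined because the card-number policy outranks the encrypt-only marker policy; the audit record keeps the recipients, matched policies and a SHA-256 of the raw message so the event can be reviewed in context later.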