Stopping data leakage:

Making the most of your security budget

Organizations are increasingly aware of the acute need to control the information that flows

into, through and out of their networks. This paper demonstrates the need for a high-profile

acceptable use policy to prevent data leakage, gives practical guidance on how to use your

security budget effectively to protect data at the gateway and endpoint, and highlights the

benefits of encryption in securing data in the event that it does get stolen or lost.

data leakage: Making the most of your security budget

Stopping data leakage:

Making the most of your security budget

After years of battling intrusions, viruses, and spam, organizations now find themselves wrestling

with a relatively new but hugely significant security issue: data leakage. By March 2008, the inadvertent exposure of company confidential information was already being cited by analyst IDC as the number one threat, above

viruses, Trojans, and worms1. At the end of the year, 80 percent of respondents in another

survey agreed that data security was one of the biggest challenges facing them, with 50 percent

of respondents admitting they’d experienced a data leakage incident in 2008.2 IDC’s survey identified intellectual property as the most common type of information leaked and 81 percent of respondents saw information protection and control (IPC) – defined as monitoring, encrypting, filtering, and blocking sensitive information contained in data at rest, data in motion, and data in use – as an important part of their overall data protection strategy. The highest priority IPC solution was data leakage prevention (DLP) deployed at

the organization’s perimeter and on endpoint computers.1

Importance of monitoring employee use1

% choosing 4 or 5 on a 5-point scale

Corporate email 56%

Lost/stolen laptop 51%

Web email or web posting 37%

Instant messaging 33%

Lost/stolen mobile device 33%

Media devices 19%

Other 12%

The intentional or accidental exposure of information, ranging from legally protected personal information to intellectual property and trade secrets, is something that affects the IT environment in its widest sense, involving lost

or stolen laptops, USB keys and other devices, email, and Web 2.0 applications, such as IM.

Respondents to IDC’s survey demonstrate just how many points of exit there are (see figure 1).

The challenge now is not simply to protect data from the threat of theft or corruption from

malware, but to add a second security layer preventing data being accessed if it is lost.

The growing importance of DLP

There are several reasons for the movement of data leakage prevention to the forefront of enterprise security.

High-profile, reputation-damaging data leaks

Bad publicity from data leakage can result in damaged reputation, lost customers, and

sometimes even ruin for companies.

The number of well-publicized examples of data security breaches is growing significantly.

Government bodies, financial organizations, education institutions, industry giants and even presidential candidates – no-one is immune

. Recent high-profile incidents have included:

Secret government documents on al Qaeda and Iraq were left on a commuter train in the

UK. (Jun 2008)

The personal information of almost 1000 bank customers was lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick which was then lost. (November 2008)4

Stopping data leakage: Making the most of your security budget

An email containing names, positions, salaries, and social security numbers of 192 faculty and staff members was accidentally sent to Ohio State University Agricultural Technical Institute students.

Hackers were charged with stealing more than 40 million credit and debit card numbers from nine US retail outlets by breaking into the wireless networks of major retailers.

An investigative reporter for MyFoxDC bought a Blackberry device during the McCain-Palin US presidential campaign’s sale of its used office inventory, only to find 50 phone numbers for people connected

with the campaign and hundreds of emails.

Regulations

Government legislation

Governments worldwide have introduced increasingly stringent data protection legislation,

such as the US’s Sarbanes-Oxley Act, HIPAA, and Gramm-Leach-Bliley Act, and the UK’s Data

Protection Act, to provide suitable controls over sensitive company information. Organizations found to be in breach of the legislation can be fined and forced to put solutions in place to prevent a recurrence. The California Senate

Bill 1386, introduced in 2003, was the first to require that organizations notify all affected individuals if their confidential or personal data has been lost, stolen, or compromised. This public disclosure is now required by 35 states.

Many regulations also require regular audits, which an organization may not pass if the right

controls are not in place.

Today, protection must focus on controlling access to the information, not on blocking the perimeter.

Cost of a data breach

Up 11 percent since 2006

Average cost per breach – $6.6 million

Average cost per record – $202

for heathcare – $282

for retail breach – $131

Cost of lost business

Up 40 percent since 2005

69 percent of overall cost (compared to

65 percent in a similar 2006 study)

Source: Ponemon Institute8

PCI DSS

Alongside government legislation sits PCI DSS (Payment Card Industry Data Security

Standard). Created by multinational corporations, it is enforced on merchants as a part of their terms of being allowed to accept credit card transactions. Organizations that cannot demonstrate PCI-compliance at an

audit are subject to sanction even if no actual data leak has occurred. PCI’s reach across international boundaries and its ability to respond quickly to change – it last extended its scope in October 2008 – makes it as important

a security standard as any local or national legislation.

Cost

In addition to legal costs, organizations have to deal with the less tangible costs of recovery and

commercial fallout, such as lost business, or withdrawal of credit card merchant status. All

these costs have been rising steadily.

The dissolving perimeter and Web 2.0

As business has gone online and become vastly more mobile, the 20th century security strategy

of protecting the organization’s perimeter with firewalls, intrusion detection, and other similar

tools has become insufficient. There are simply too many points of data entry and exit. While

blocking the perimeter remains important,

protection must focus on controlling access to the information.

Stopping data leakage: Making the most of your security budget

This need is growing exponentially with the totally different perspective introduced by Web 2.0 users. This new "employee 2.0" workforce brings a mindset that is highly tuned to sharing information on social networking

sites, posting to blogs, and emailing and IMing friends, with little or no regard to whether this is

appropriate in a business context.

The challenge for today’s DLP solutions

Several enterprise-focused DLP solution vendors, have developed innovative solutions for preventing the leakage of sensitive company information. Many of these products focus on identifying and categorizing all company data and then implementing corporate DLP policies to track sensitive information across the enterprise, applying controls where necessary.

These solutions make a lot of sense in concept, but in practice they run up against several

implementation roadblocks.

Too much data, too little time. For many organizations data is so dispersed, disorganized, and voluminous that classifying it comprehensively is just too burdensome and resource-intensive a task for most IT

departments to undertake.

IT resistance. Many available DLP products are relatively new and still suffer from issues such as frequent false positives. IT departments can be reluctant to invest their increasingly stretched resources in

deploying another complex enterprise level infrastructure at the expense of delivering

strategic value to the organization.

User resistance. There is a wariness about deploying yet another agent on each

desktop and laptop that might interfere with legitimate business by hogging processor cycles, requiring frequent updates and slowing down the performance of other user applications.

Complexity of scope. Devising and implementing a comprehensive, viable policy

to be supported by the DLP solutions can get in the way of regular business practices, requiring the involvement of not just IT but also human resources, finance and legal teams, and business unit managers.

The wrong focus. Many of these solutions focus to a large extent on intentional data leakage, when in reality data leakage is hard to stop. For example, people can deliberately alter files to avoid detection or there is the

more mundane problem of people simply sharing information inappropriately in conversation.

Organizations’ real requirements

The truth is that, with the exception of the largest enterprises with the most stringent security requirements, most organizations simply don’t have the funds, staff resources, and need to implement large-scale DLP efforts. Their most

pressing and immediate needs fall into three categories.

Stopping the stupid

98 percent of data leakage incidents are actually due to accident or stupidity.9 Lost laptops and USB keys, inadvertent misuse of email, the unthinking sharing of information on IM, webmail, social networking sites, and peer-to-peer file sharing sites are a much more significant threat to organizations than hackers.

Meeting regulatory requirements

The most pressing need for most organizations is to implement an effective solution that will satisfy auditors that they are providing the protection and control required to meet current regulations without the need for a huge amounts

of funds, staff, and resources in implementation and management.

Stopping data leakage: Making the most of your security budget

Maximizing IT investment

IT departments want to ensure that the budget available to them – which is being asked to do more and more – is spent in the most efficient and cost-effective way. Solutions that integrate DLP with other security features are best placed to do this (as discussed more fully below).

Enabling DLP

Enforcing an acceptable use policy

Creating and enforcing an acceptable use policy (AUP) should underpin any attempts to stop data leaking from an organization. Because of the changing nature of both the organizational infrastructure and the expectation of employees that information should be freely available to access and share, an AUP’s success depends heavily on creating ongoing employee buy-in to the fact that the threat is internal, overwhelming accidental, and in their hands to avoid.

As well as stressing the importance of commonsense, the AUP should set out

exactly how an employee is expected to use an organization’s information, containing prescriptive advice on best practice and clearly defining prohibited behavior.

It should cover issues such as:

What information/files must not be emailed

The company policy on posting to web message boards or downloading from the web

The policy on use of USB keys and CDs for storing sensitive company information

The policy on altering security settings.

The repercussions of not adhering to the policy should also be spelled out.

Integrated solutions

The key to achieving successful data leakage prevention within constrained budgets is to see

it as part of your overall security picture, not as a separate entity. In fact, you might already

have security tools with features that address your most pressing DLP requirements.

As DLP grows as a corporate concern these features are likely to be upgraded in much

the same way that spyware prevention, spam detection, and intrusion prevention all started as separate security categories and infrastructures, but were quickly subsumed into other categories, such as anti-virus protection

and firewalls.

As you go forward, the inclusion of up-to-date DLP features is something you need to ensure in order to make the most of your budget. The two key requirements can be summed up as:

Protect your data against accidental loss or deliberate theft

Secure your data so that if it is lost or stolen, it cannot be read.

Protect your data

Endpoint protection

Endpoint protection goes far beyond the imperative not to leave laptops on trains:

Use powerful anti-malware solutions to block spyware that can steal financial and other confidential data.

Organizations need to implement products that combine DLP features with other security functions to provide an integrated solution.

Three steps to AUP success

Create the policy

Educate users about the policy

Enforce the policy

Stopping data leakage: Making the most of your security budget

Block the use of non-essential applications such as P2P file sharing, IM, FTP clients, unauthorized email clients, wireless network connections, and smartphone and PDA synchronization tools. All of them can be subverted by criminals to get hold of information. Even more easily, employees can – usually unthinkingly – send out and share company data via these applications.

Manage write access to portable storage devices such as USB keys. Because these are so easy to lose, these devices are a high security risk.

Ensure that every computer connecting to the network – whether office-based or remote, company-owned or belonging to guest users – is compliant with the organization’s security policy.

Gateway protection

Much of the functionality available in email and web products can prevent sensitive or inappropriate data being sent outside the organization or to unauthorized users inside the organization. Features include:

Content scanning of email messages and attachments to control and block sensitive information, by identifying, for example, social security numbers, or keywords relating to confidential corporate information.

Content scanning of web traffic to ensure spyware Trojans and other malware are not downloaded onto the user’s computer.

Preventing the download of particular file types and preventing users from disguising and obfuscating unauthorized file types in emails.

Controlling access to particular websites and applications and to webmail sites such as

Googlemail and Yahoo! Mail.

Controlling and blocking the unauthorized use of IM and FTP traffic.

Protecting against "drive-by downloads" which secretly place spyware on the user’s computer when they visit a website.

Secure your data

In spite of having the best policies and the best solutions, you might still find your data has been

stolen or lost. So it is essential to have a second layer of defense – encryption. In a survey by the Identity Theft Resource Center, 82 percent of respondents who had lost data, said that if the data had been encrypted, the risk to the company would have been far reduced.2 With this being the case, you should: Perform full disk encryption of laptops and notebooks.

Encrypt data on removable storage devices, such as USB drives, CDs and DVDs. Encrypt emails to prevent unauthorized users from reading them. Encrypting your data and devices in this way means that your information is safe, even if it gets into the wrong hands.

Summary

Data leakage has become one of the most pressing security issues facing organizations today. The most effective solution to the problem is to see DLP as part of your overall security problem, integrating it into a comprehensive

strategy. You also need to create an AUP, enforce it with technology and ensure that both are monitored for compliance with corporate policies.