• Investment World
• eWorld
• Brand Line
• Mentor
• Life
• Brand Quest
• The New Manager
• BL Club
• Smartbuy

Stocks

• Quotes
• SE Diary
• Scoreboard
• Open-End Mutual Fund

Cross Currency

• Rates
  
  

Shipping

• Ports
  
  

Archives

• Yesterday
• Datewise
• Resources
• In Focus
• In Depth
• Events 2007

Group Sites

• The Hindu
• The Hindu ePaper
• Business Line
• Business Line ePaper
• Sportstar
• Frontline
• The Hindu eBooks
• The Hindu Images

Vishal Dhupar

Information has become a company’s most valuable — and vulnerable — asset in today’s competitive times. According to the IT Policy Compliance Group, 68 per cent of organisations are experiencing six losses of sensitive data annually, while 20 per cent are suffering 22 or more sensitive data losses per year.

A study by Symantec in May 2008 saw a shift in data security trends. Earlier, securing the network from hackers was the number one priority in terms of both potential severity and privacy. But during the last year, Symantec witnessed more than 230 breaches disclosing over 90 million individual data records of which more than half were due to insider actions. Symantec found that it is not just the malicious insider but more often, inadvertent or broken business processes that are causing these types of breaches. Almost 50 per cent or half of data loss can be attributed to broken business processes, while 46 per cent is inadvertent data loss due to employee carelessness. Less than 4 per cent of data loss is truly malicious.

What are we talking about when we mention a ‘business process’?

A business process or business method is a collection of interrelated tasks that accomplish a particular goal. Most business processes are driven by human beings, as a result of which even the most cautiously designed processes could be at the risk of being broken.

While the initial objective may still be achieved in spite of these processes being broken, other factors such as security and efficiency may be negatively affected, not to mention the reputation of the organisation.

Broken business processes are one of the key factors that contribute to data loss today. According to a 2007 Annual Study by the Ponemon Institute, data breach incidents cost companies $197 per lost customer record in 2007, compared to $182 in 2006. The average total per-incident costs in 2007 were $6.3 million compared to $4.8 million in 2006. Also, the cost of lost business increased by 30 per cent to an average of $4.1 million in 2007.

These figures are alarming but because a broken business process cannot always be seen, it often goes undetected. Usually, when there is a broken business process, data either is not where it should be or is present where it shouldn’t be.

As auditors are able to trace these, it would be better for an enterprise to identify and remediate these gaps before third parties find them.

Here are a few instances that illustrate how a business process is broken and data gets lost: an employee may accidentally send out automated weekly/monthly reports that contain sensitive employee or customer information to partners or addresses that are wrong. This would mean that the wrong individual has access to privileged information. Also, automated e-mail systems that may be transmitting sensitive information in violation of compliance regulations could result in a company being liable for data breach.

Besides this, failure to clean up sensitive data files on shared storage, for example, “temporary” working documents of teams could result in data loss. In such cases, employees work with the data, then upload the results of the analysis back into the core database, but forget to go back and clean up their working documents.

Another example of a business process being broken is when former employee files are stored in a place that anyone can access. This information could be misused by other employees and could lead to confidential or sensitive information being lost.

There are various challenges involved in fixing broken business processes, such as the fact that information today is easily distributed and does not always reside in a single location. Also, understanding which data is confidential and needs to be protected is absolutely essential. Besides this, finding information that could be protected or permitted to be stored on the network and instead has been sent or stored inadvertently by employees can be an arduous mission. Finally, action needs to be taken to clean up scattered information and educate employees on how to properly handle sensitive information.

Today, advanced technologies exist to help companies discover and identify their confidential data, to monitor how it is being used and to enforce policies to prevent its loss. Data Loss Prevention (DLP) solutions are an essential component of an organisation’s security strategy and can mitigate the adverse effects of a data breach.

In this regard, DLP is not simply a technological solution and protecting information is not just an IT concern. In fact, it’s very likely that IT may not always know what information is confidential and what is not. Preventing the loss of data is a business problem, and it requires a business solution. Consequently, before implementing technology to prevent data loss, key stakeholders and business unit managers must first come together to identify the data that most needs to be protected.

Because DLP isn’t an exclusively IT-driven discipline, it requires cross-team support and alignment from many others, including facilities, compliance representatives from legal, enterprise risk managers, human resources, marketing and sales.

What does it take to get attention for DLP initiatives in today’s enterprise? In most cases, it means making a compelling business case – and getting the right information to the right people in the right language.

Assessing Risk

To be clear, the identification process does not mean classifying every piece of information that comes in, goes out of, or is stored in the organisation. On the contrary, it means identifying the few types of information whose loss would result in the greatest negative impact for the company. This is the information to which DLP will be applied first. For some organisations, this might be source code, product designs and similar intellectual property. For others, it might be customer information or financial data.

A number of DLP solutions include a risk assessment component in which network activity is monitored for a two- or three-day period. A report is then provided that shows the organisation what data is going out through the network as well through each department and how often it is going out. This report can be invaluable in helping companies determine what kinds of data is most at risk and which departments are creating the greatest exposure.

Setting Policies and Processes

Once an organisation has identified the actual data requiring protection, this information serves as the foundation of the company’s data loss policy.

The organisation can then design processes in order to monitor for data loss incidents and measure their progress in reducing risk over time. It is critical to be clear on who does what in the event of a breach, so that, should a crisis occur, the right people are following the right processes to mitigate risk.

For example, IT security as well as the involved employees and their managers may need to be notified. If malicious behaviour is suspected, it may be necessary to bring in forensic and legal specialists. If a major breach occurs, public relations may play an important role. And business unit managers will want to be able to track their data loss risk over time. The latest DLP solutions employ intelligent incident response capabilities so organisations can automate policy enforcement with flexibility. Better still, by offering templates based on industry best practices for incident response and remediation workflow, these solutions can reduce configuration time for IT.

The effectiveness of even the best technology and processes can be undermined if employees do not understand the value of their company’s information assets and their role in mitigating risk. With heightened awareness, however, employees can become a company’s strongest line of defence and its most valuable security asset.

But how? Formal security awareness training programs can certainly help, as can clear security policies. Yet, perhaps the most effective education comes through intervention at the time of action. After all, many data breaches are the result of simple user error. People make mistakes. They forget. They misunderstand. But they can also correct themselves — if they know they erred.

A robust DLP solution makes it much easier for users to not only know corporate data loss policy but also to follow it. By providing various levels of real-time response, from remediation to notification and prevention, DLP provides on-the-spot correction.

The cumulative impact of such automated efforts can be significant. In fact, one Fortune 100 company observed an 80 per cent drop in data loss incidents just 20 days after enabling the automated user notification capabilities within its DLP solution.

The author is Managing Director, Symantec India.

More Stories on : Security

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line