Preventing data loss – the holy grail

Written by Lior Arbel on 26 January 2015 in Opinion

A data loss prevention programme is vital for public sector organisations to keep themselves safe from hackers, according to Lior Arbel.

A recent Freedom of Information request revealed that data breaches have cost local government over £2.3m in fines since 2010, with council organisations named among the worst for protecting confidential information.

High-profile leaks of confidential data hit the headlines throughout 2014, the Ministry of Justice being one such culprit, fined £180,000 for the "serious failings" that led to the loss of confidential data.

According to the ICO, the penalty was enforced after the loss of a hard drive containing information on nearly 3,000 prisoners at Erlestoke prison in Wiltshire.

This is one of several data breach incidents that the public sector, and the MOJ in particular, has suffered. The MOJ was fined £140,000 by the ICO in 2013 after the personal details of all 1,182 prisoners at a jail were mistakenly emailed to inmates' families.

Public sector departments and businesses are being fined more often than ever for data breaches that could and should have been avoided. How can it be, then, that even top performing enterprises and high profile government departments cannot adequately secure their data?

Unintentional data loss

Data loss of this kind falls into two categories: unintentional and intentional.

As in the MOJ cases, unintentional data loss is commonly caused by employee error, and it can result in huge fines and extensive reputational damage.

Data loss of this kind can happen to any employee. Naivety, ignorance and indifference are the most common causes of unintentional data loss.

It seems that despite all the sophisticated data stealing cyber attacks, employees will always remain the weakest link in the security chain.

Human error accounted for 93% of all reported data breaches across both the public and private sector over the first three months of 2014.

Employee awareness and education are therefore vital in protecting business critical data. Everyone in the organisation, from the boardroom down, must be part of the data loss prevention effort and ensure that processes and policies are adhered to.

Intentional data loss

Intentional data loss typically takes the form of targeted attacks mounted by online criminals and hacking groups. Common attack methods include spear phishing of specific executives or whole departments, and zero-day exploits.

According to Trend Micro, 91% of all successful APT attacks start with a spear-phishing email. Threats such as these are engineered to steal confidential data and intellectual property, and they are an effective tool for hackers.

For instance, the Department for Business, Innovation and Skills 2014 Information Security Breaches Survey, published in April 2014, found that 81% of large businesses had suffered a security breach by an unauthorised outsider in the past year, compromising confidential information.

All departments and organisations must realise that they are now at risk from hackers trying to plunder critical data.

Data loss prevention

What unintentional and intentional data loss have in common is the solution.

Data loss prevention (DLP) programmes are the most effective way for government departments and businesses to protect themselves against the latest data breaching threats, whether that be intentional or unintentional.

DLP programmes today form a necessary and business critical part of a modern IT infrastructure.

By deploying a successful DLP solution, the public sector and businesses can gain visibility of information that leaves the organisation, comply with state and sector specific legislation, and detect malicious activity, whilst still enabling a flexible and secure working environment.

For example, when implemented correctly, DLP solutions can produce a significant decrease in policy violations simply by notifying employees that they did something wrong.
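To make the two DLP behaviours above concrete (visibility of what leaves the organisation, and telling the sender why a message was flagged), here is an added example of a minimal outbound-email content check. It is not code from the article or from Performanta; the internal domain, the bulk-record threshold, the record patterns and all three sample messages are assumptions constructed for the illustration. The third sample mirrors the 2013 MOJ incident described above: a whole list of inmate records attached to a message addressed outside the organisation.

```python
"""Minimal outbound-email DLP check (added example, not code from the article)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# UK National Insurance number, e.g. the HMRC placeholder "QQ 12 34 56 C".
# Simplified: real NINOs exclude some prefix letters; that check is omitted here.
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# A date of birth in dd/mm/yyyy form, used here as a proxy for "one personal record".
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")

# Assumed policy parameters (hypothetical values, not from the article).
INTERNAL_DOMAIN = "justice.example"   # assumed internal mail domain
BULK_RECORD_THRESHOLD = 50            # more records than this to an outsider is blocked


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> text


@dataclass
class Verdict:
    action: str            # "allow", "notify" or "block"
    reasons: list[str]     # what was found; logged even when the message is allowed
    user_notice: str       # what the sender is told, per the article's point


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def count_records(text: str) -> int:
    """Count lines that look like a personal record (carry a DOB or a NINO)."""
    return sum(1 for line in text.splitlines()
               if DOB_RE.search(line) or NINO_RE.search(line))


def inspect(msg: Message) -> Verdict:
    """Classify one outbound message and build the notice shown to the sender."""
    texts = [msg.body, *msg.attachments.values()]
    nino_hits = sum(len(NINO_RE.findall(t)) for t in texts)
    records = sum(count_records(t) for t in texts)
    external = [r for r in msg.recipients if is_external(r)]

    reasons = []
    if nino_hits:
        reasons.append(f"{nino_hits} National Insurance number(s) found")
    if records > BULK_RECORD_THRESHOLD:
        reasons.append(f"{records} personal records exceeds the bulk threshold of "
                       f"{BULK_RECORD_THRESHOLD}")

    if not reasons or not external:
        # Nothing sensitive, or sensitive data staying inside the organisation:
        # allow, but keep the reasons so the event is still logged for visibility.
        return Verdict("allow", reasons, "")

    # Sensitive content is leaving the organisation. Bulk records are blocked outright;
    # a handful of identifiers is let through but the sender is told why it was flagged.
    action = "block" if records > BULK_RECORD_THRESHOLD else "notify"
    outcome = "blocked" if action == "block" else "flagged"
    notice = (f"Your message to {', '.join(external)} was {outcome}: "
              + "; ".join(reasons)
              + ". If this transfer is genuinely required, request an exception from "
                "the information governance team rather than resending.")
    return Verdict(action, reasons, notice)


# Constructed sample traffic (not real data).
INTERNAL_NOTE = Message(
    sender="hr@justice.example", recipients=["payroll@justice.example"],
    body="New starter NINO: QQ 12 34 56 C, please set up payroll.")

SINGLE_LEAK = Message(
    sender="officer@justice.example", recipients=["relative@example.org"],
    body="As requested, his NI number is QQ 12 34 56 C.")

# Mirrors the 2013 incident: a whole list of inmate details sent to outside recipients.
BULK_LEAK = Message(
    sender="admin@justice.example",
    recipients=["family1@example.org", "family2@example.org"],
    body="Visiting times attached.",
    attachments={"visits.csv": "\n".join(
        f"Prisoner {i},DOB 01/01/19{70 + i % 30},Wing B" for i in range(60))})

if __name__ == "__main__":
    for m in (INTERNAL_NOTE, SINGLE_LEAK, BULK_LEAK):
        v = inspect(m)
        print(v.action, v.reasons)
        if v.user_notice:
            print("  ->", v.user_notice)
```

The design choice worth noting is that the internal message is allowed but its findings are still recorded: visibility comes from logging every match, while the user notice is reserved for traffic that actually crosses the organisation boundary, so staff learn the policy from the cases that matter rather than from noise.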

Managing data breaches

Though there is no doubt that DLP can enhance your practices and protect against the latest data breaching threats, it is important to note that a DLP programme will not solve every data issue.

The management of an organisation must play its part as well.

Management must accept the realisation that no matter how secure their system is there may be a time when a breach is discovered.

What matters then is whether they have a suitable response plan and how well they execute it.

A designated response team, which includes management, ICT, legal, business, marketing/PR and other critical departments, needs to be set up so that the business can act in a quick and co-ordinated way when dealing with a breach.

In the MOJ cases, no such system was in place, so the situation could not be dealt with proactively and the internal 'blame game' could not be prevented.

Looking to the future

The important question of how we monitor, manage and control outgoing as well as incoming data has become all the more relevant.

Research consistently shows that many businesses and public sector departments are taking unnecessary risks with data management, and that could prove to be extremely costly.

Keeping business critical information safe is now a crucial part of a modern organisation's IT infrastructure.

Used in conjunction with other technologies, and with a common understanding that we are all part of the data protection process, an effective DLP programme can do much to improve the security of your public sector organisation.

Lior Arbel is the CTO of Performanta Ltd, a specialist information security firm
