Data loss prevention and new legislation

New regulations mean the channel should look again at fully layered data loss prevention, says Nigel Hawthorn

By Nigel Hawthorn

14 Jan 2009

Hawthorn: Proper DLP strategy is increasingly important

The Information Commissioner now has the power to levy fines on those who recklessly lose confidential or personal information.

The level of fines is still to be decided but could run to millions of pounds.

At a time of economic woe, it is a shame the government has had to resort to such tactics but perhaps it is necessary for the issue to get the attention it deserves.

Organisations trading on a global scale will also need the best policies for worldwide customers and suppliers – so bringing UK legislation in line with the best in the world makes sense.

More US states are creating legislation to mandate consumer notification when there are security breaches involving certain types of information. Acts in the US that demand customers be told about a security breach are the right way to go.

All this is proving a headache for organisations operating globally as they have to comply with requirements from many countries.

It makes sense for organisations to adopt a layered data loss prevention (DLP) strategy that complies with different laws and monitors encrypted traffic.

Integrated data leak prevention can monitor network activity and data use, and prevent users from transmitting or copying data in violation of the May 2008 Criminal Justice and Immigration Act in the UK.

Most organisations are waking up to the need for DLP. An Osterman Research survey in April 2008 claimed that 53 per cent of mid-sized and large organisations will very likely or definitely invest in DLP through the first quarter of 2009.

The same survey found that 68 per cent of organisations plan to have some form of DLP by the end of 2009.

However, only 49 per cent of organisations have so far deployed DLP capabilities.

This suggests that organisations are well aware of the need to monitor their inbound communications for spam and malware.

Yet 27 per cent of organisations in the same survey suffered data or information leakage in the year to April 2008.

A survey by emedia last year alleged that 94 per cent of companies believed they were powerless to prevent confidential or sensitive information being sent outside of the organisation.

Some 32 per cent said they were unaware if a leak had taken place.

Employees may accidentally send confidential data in an email – such as credit card numbers, social security numbers or other confidential information – without realising the data needs to be encrypted during transmission to comply with legislation.

In addition, the rise of Web 2.0 applications such as MySpace and Facebook means hidden malware can be installed on end points to harvest personal information.

IT budgets are likely to be affected negatively by the economic downturn. However, where industry consolidation happens, companies depend on IT development for future growth.

If companies fail to invest now, they risk further financial gloom long term, especially if heavy fines are enforced for lack of compliance.

An organisation should monitor all media employees use for communication. This includes email, instant messaging systems, wikis, blogs, personal webmail accounts, USB devices, message boards and other tools.

Appropriate policies should be established and systems deployed so a company’s risk can be mitigated.

Decision-makers may also want to audit file management in the organisation.

While this is not always a necessary step given the abundance of evidence for the data breach problem, it may be required by some organisations to convince senior managers of the extent of their own company’s problems.

Nigel Hawthorn is EMEA marketing vice president at Blue Coat Systems
