So far as electronic controls are concerned, I would say at least 95 per cent of organisations either don't have data controls or they aren't properly configured.
The trouble is that in order for data leakage prevention (DLP) systems to actually work, someone needs to configure them and in the vast majority of cases, it would be the IT department that gets inflicted with this task.
However, generally speaking, the IT department don't have a clue about the business processes that are meant to take place and so cannot determine whether sending personally identifiable data (PID) to and from different locations should be allowed or blocked under different circumstances. How are they expected to learn all the business processes to implement this technology?
Without accurate configuration, the system will produce a vast number of false positives, and guess who then has to sift through them... you guessed it... IT!
I'm not sure if I'm the only other person to think this, but as a former techie the prospect of having to configure DLP rules, even if I do understand the business processes, seems insanely boring and not what true techies should be getting involved in. In short, when techies have been highly trained up and gained experience in everything from firewalls to Angry Birds, to then have to learn all about PID, PCI and PII as part of business process is a real turn off. Isn't DLP more boring than decorating? It may even be more boring than listening to my business partner talk about his iMac during a long drive from Cambridge to Glasgow!
On top of that, I don't know of any IT department that isn't already flat out busy. For IT to spend considerable time trying to learn about the complete business process and configure these types of rules will distract them from core activities and could lead to security deficiencies elsewhere.
Surely DLP technology is needed?
We are all human and mistakes get made; I'm sure we have all sent something to the wrong email address once or twice. The trouble is that in today's environment, it's all too easy for the wrong information to end up in the wrong hands, and this can be highly damaging to the organisation and individual. It can clearly also result in significant fines being imposed, and without something technical preventing that data going to the wrong address again, it's only a matter of time before another mistake is made.
DLP has evolved to be very powerful and adaptable. Our engineers have done several large-scale implementations and had impressive results where the business (and its management) have been committed to the project. However I don't believe it's widely adopted or implemented even when it's supplied as part of other solutions, and that concerns me. I've even known a company to buy the technology to tick a box so they could deal with a bank, but I'm very sure they never actually implemented it.
What can be done?
Well herein lies the problem. I don't think IT departments really want to get involved in DLP technology; it's not interesting to most techies and they often have too much on their plate already.
DLP technology, its implementation and more importantly its configuration, needs to be driven from higher up within the organisation as a business project, not an IT project, and its management in terms of rules and configuration shouldn't reside within IT.
Frankly DLP technology bores me, but then I'm a former techie. But I do really believe that organisations need to start implementing and managing basic controls to prevent some of the damaging breaches in data loss that have occurred. However I stand by my belief that it's not an IT project - it's a business project and organisations really do need to start to look at how to tackle data loss.