Criticisms made of lax attitudes to data loss prevention tools
Data loss prevention (DLP) is only as effective as the person who sets and manages it.
Talking to SC Magazine, Michael Gabriel, director of the data protection practice at Integralis, said he had seen a transformation from an IT centric to more data-centric attitude within IT departments and there was a fresh acknowledgement to get people who understand data to be better at handling it.
He said: “People move things and find things that they did not even know about and when you realise what your sensitive data footprint is you become less of a target. If you are not setting borders on where data should be, the borders are there and should be enforced by technology.
“Data loss prevention can tag data, you can use it to find information and add a third dimension.”
However Gabriel claimed that a problem with the DLP tool is that it is a ‘bottom-up IT-centric approach', with IT departments buying a solution and installing it without setting specific rules or automated procedures.
He said: “That does not work with DLP, it will deliver in-house policies and change the way you do processes. If it is not doing the job it is because you are not doing it right, you will get results if you implement properly.
“The attitude is that if you turn on enforcement, it starts disrupting business, so now it sits turned off or scaled back so much that it is doing very little. Also, if it is implemented with email encryption, it is all automated and it will look for exact data matching so false positives are kept down to a minimum.”
Gabriel added that often DLP enforces IT policy, however this needs to be regularly considered as ‘policy is not static and needs to change'. He said that there is a need to understand what the mandatory requirements are and to make sure businesses have got the requirements addressed.
Neil McLachlan, security services manager at Onyx, said that there is often a misunderstanding on whether the ‘L' in DLP stands for ‘loss' or ‘leak' and was it worth spending to get 90 per cent protection.
He said: “It has become a tick box culture, is there any point in putting DLP into an email gateway if someone can print a sensitive email off and put it into a briefcase and take it out of the building?”
Andrew Waite, security consultant at Onyx, said: “Until you get the basics right it is no good having it. You need to implement it right in the first place and not just tick a box. It is easy to be compliant and secure, but ticking a box is often just the baseline.”