This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Criticisms made of lax attitudes to data loss prevention tools

Share this article:

Data loss prevention (DLP) is only as effective as the person who sets and manages it.

Talking to SC Magazine, Michael Gabriel, director of the data protection practice at Integralis, said he had seen a transformation from an IT centric to more data-centric attitude within IT departments and there was a fresh acknowledgement to get people who understand data to be better at handling it.

He said: “People move things and find things that they did not even know about and when you realise what your sensitive data footprint is you become less of a target. If you are not setting borders on where data should be, the borders are there and should be enforced by technology.

“Data loss prevention can tag data, you can use it to find information and add a third dimension.”

However Gabriel claimed that a problem with the DLP tool is that it is a ‘bottom-up IT-centric approach', with IT departments buying a solution and installing it without setting specific rules or automated procedures.

He said: “That does not work with DLP, it will deliver in-house policies and change the way you do processes. If it is not doing the job it is because you are not doing it right, you will get results if you implement properly.

“The attitude is that if you turn on enforcement, it starts disrupting business, so now it sits turned off or scaled back so much that it is doing very little. Also, if it is implemented with email encryption, it is all automated and it will look for exact data matching so false positives are kept down to a minimum.”

Gabriel added that often DLP enforces IT policy, however this needs to be regularly considered as ‘policy is not static and needs to change'. He said that there is a need to understand what the mandatory requirements are and to make sure businesses have got the requirements addressed.

Neil McLachlan, security services manager at Onyx, said that there is often a misunderstanding on whether the ‘L' in DLP stands for ‘loss' or ‘leak' and was it worth spending to get 90 per cent protection.

He said: “It has become a tick box culture, is there any point in putting DLP into an email gateway if someone can print a sensitive email off and put it into a briefcase and take it out of the building?”

Andrew Waite, security consultant at Onyx, said: “Until you get the basics right it is no good having it. You need to implement it right in the first place and not just tick a box. It is easy to be compliant and secure, but ticking a box is often just the baseline.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

UK police arrest trio over £1.6 million cyber theft from cash machines

UK police arrest trio over £1.6 million cyber ...

London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million.

Password recovery made too easy

Password recovery made too easy

A senior malware analyst has slammed the availability of a `password recovery' utility from Freehostia, noting that the software actually uses network admin utilities to take credentials from the users' ...

Belgacom says alleged GCHQ APT attack cost firm £12 million

Belgacom says alleged GCHQ APT attack cost firm ...

One year on from a nation-state APT which 124 systems at telecom operator Belgacom and the firm has detailed the cost and manpower involved in the clean-up operation.