The increased enforcement from the Information Commissioner's Office (ICO), introduced earlier this year, has created many talking points within the information security sector.
With the commissioner now able to issue a fine of up to £500,000 for ‘a deliberate or malicious data breach’, organisations are taking the issue of data loss much more seriously.
So in meetings over the last few weeks with some of the vendors in this sector I asked the question: ‘Has increased enforcement led to greater interest in data loss prevention (DLP) technology?’
Neil Stephenson, CEO of the Onyx Group, claimed that the increased enforcement has led to a mad rush from organisations to make sure their data is as secure as possible. With government regulations requiring businesses to hold data for up to seven years after use, organisations face the added challenge of keeping up with guidelines on data storage, protection and management.
Stephenson said: “Securing data is key. Critical to this is the need for companies to review their data management systems. Investing in a robust system is vital but in order to truly secure data effectively, reliable management processes need to be put in place internally.
“Staff have an important role to play. With capacity for data transfer higher than it has ever been, through the emergence of popular online sharing sites and mainstream access to mobile devices with large memory capacity, personal data breach issues with people moving data unnecessarily or even taking it off site must be curbed.”
Onyx Group recommended that internal processes and restrictions be enforced for staff, together with investment in encryption software for sensitive and confidential data; education on the importance of securing and protecting data and on the consequences of a data breach; deletion of information once it falls outside the seven-year regulated period; and a transparent record and robust reporting system for all data collection and harvesting activity, to provide an audit trail.
A survey earlier this year by CA Technologies found that 64 per cent of UK organisations are not using DLP technology. Its research cited the ICO's increased enforcement and said that DLP tools are increasingly being used for information control purposes.
Simon Godfrey, director of information security, risk and compliance at CA Technologies, which won the SC Award 2010 for best DLP solution with CA DLP, said that the company was seeing a greater appreciation of information management and an understanding of what should and should not be scanned.
He said: “It is essential that they have a good view of the information and if it is clear that the information is contravening company policy, you can put a warning notice on it saying ‘just so you are aware’ and then ‘are you sure you want to send this?’ This will help to change the culture and not to send to a private email address instead. It is really helpful and essential because if things are out there you get a responsible employee and that is the key difference.”
Asked if the increased enforcement has caused added interest in security, Godfrey commented that the marketplace is using the ICO's powers as a purpose for having solutions in place, and the increased enforcement has raised the bar. “It is good that things are being taken more seriously and if you do not you are at the risk of facing a serious penalty,” he said.
James Lyne, senior technologist at Sophos, said: “I think that there has been an increased interest in DLP. It is a wonderfully broad term and it is a significant market over the past 12-14 months with lots of technologies ranging from the hyper to the completely inadaptable, which I would say has been the majority down to simple practice, and I think that the new powers and the focus on data prevention has certainly driven more for us, we have customers coming back to us and asking about DLP.
“The interesting thing is that it has been in our product line for some time and a lot of our customers have come back to us and said ‘we didn't know you did DLP’ and switched it on. So I would say definitely yes, there is more awareness and it is great because it is now challenging what has been a relatively immature area of technology. People are demanding that it become practical and cost effective.”
Jackie Groves, head of the data protection business unit for UK and Ireland at Sophos, agreed that there had been increased interest, but added that many companies are quite indecisive about what they are going to do about it.
She said: “There are a lot of customers interested but many are debating on what to do about it. They are compelled to do what they should do and are unsure on whether to take on this or whether to get out there and do something with the data that they have got. So there is a large weave of end-users who have not dipped their toe in the water and gone out and put an action plan in place.”
Martin Hoskins, head of data protection and disclosure for T-Mobile and Orange, said: “Companies are interested in DLP without the threat of the ICO's fining powers; it is a fear of the threat to the reputation. That is just as significant to any powers of enforcement that they have.”
Stewart Room, partner in the privacy and information law group at Field Fisher Waterhouse, said: “From a legal perspective, clients are instructing us on the legal obligations for DLP. I remember the former information commissioner Richard Thomas speaking here and talking about technologies, and in the same sentence where he said you have to use encryption technologies. He then went on to say ‘and DLP’. So as a regulator he was already aware of DLP and some of the security vendors have spent time with the ICO to generate awareness so it did filter into the legal arena.”
It seems that there is a lack of knowledge among employees about sending material, which efficient DLP solutions can counter. There is no doubt that DLP has taken a step up in terms of the solutions available: Websense recently launched a free solution, Check Point added a DLP solution to its software blade architecture and Blue Coat added appliances earlier in the summer.
My hope is that DLP was being deployed anyway and that the threat of an increased fine has served to ensure policy is up to date. As to whether increased regulatory powers have caused an increase in DLP, I would hazard a guess at yes, not because of the threat of a fine, but because the reputational damage of a data breach could be far worse.