An ounce of prevention is better than a pound of cure
The famous quote from Benjamin Franklin on prevention being better than a cure could easily be applied to the issue of corporate data losses. It’s far better to stop breaches happening, than to try and clean up the fallout afterward.
Corporate email presents one of the biggest risks of accidental data loss. In fact, given the sheer number of emails an organization sends every day, breach incidents are inevitable. Common mistakes include auto-filling the wrong email address, attaching a different file than the one intended, or sending out sensitive data that really shouldn’t be emailed.
Anyone within an organization could potentially cause a data breach, at any time and in a matter of seconds. Employees may not realize what they’ve done until after the email has been sent. Unfortunately, just one such incident can damage a businesses’ reputation and lose customers.
A CSO from a large organization recently confessed to me that most of his time is spent trying to protect users from their own mistakes. When it comes to securing a key business tool such as email, companies should think about educating employees even before deploying any technological safety net.
No malice intended
Our research found that about 90% of data loss incidents are innocent errors. Most of the time, losses result from very simple actions, such as an employee sending a file to their personal web mail account, so they can work on the document from home. Although the employee has good intentions, such practice is often against corporate policy and can run the risk of turning into a data breach.
So how can businesses efficiently prevent data incidents from happening? Involving individual employees in the corporate security process is the only viable approach to avoid data loss incidents. It is also the only way to turn a DLP solution into a truly preventative tool – as opposed to a reactive tool.
For businesses, proactively educating users about the potential security issues that can arise from seemingly innocuous actions – like sending an email – and reinforcing their overall DLP awareness, will provide the first key defense against data breaches. Let’s take a closer look at this user-focused approach to DLP and how it could work.
Advance warning
First, in order to increase the user awareness, an effective DLP solution will alert the user before they can send a suspicious email that may cause a loss incident.
Let’s take the scenario of an employee who has composed an email, addressed it and clicked on the “send’ button. A useful DLP solution should analyse the body of the email with its attachments compared with a set of pre-defined characteristics to identify potentially sensitive data. This could include for example, certain key words in the email body text such as “financial’, “report’, “specifications’, “confidential’ and so on.
In addition, file types such as spreadsheets or presentations with financial data, confidential records, or strategic material may need to be carefully scrutinized.
If the DLP solution detects a potential breach based on this analysis, it will override the “send’ instruction and present the user with a pop-up alert to inform them of the potential data loss and ask how they wish to proceed. The user will have to decide whether they: a) want to send the email and its attachments as it stands; or b) realize that they have made a mistake, correct the body text or remove the suspicious attachments. There should also be the option for the user to leave a brief explanation as to why they overrode the DLP solution’s alert.
Users decide
But what happens if, after seeing the pop-up alert, the employee decides to send the email anyway, resulting in data loss? The DLP solution keeps records of all of the user’s actions, of the fact that they were alerted, as well as the justifications they provided, giving an audit trail for subsequent analysis. This establishes a clear chain of events when reviewing a data-loss incident, which is useful for internal review and external compliance purposes.
The aim is to create a decision point for the user, encouraging them to review what they plan to send, increasing their responsibility, and helping to correct any digressions from the company’s security policy before an incident happens.
Preventing loss, reaping the gains
To summarise, the benefits of this approach to DLP fall into two main areas. It allows companies to significantly reduce the number of data loss incidents upon deployment. As employees experience the DLP solution in action, they will learn more about data loss, how it typically occurs and how to avoid it. This encourages adherence to company security policies. Over time, pop-up alerts to users will most likely decrease as users become increasingly aware of the types of activity that trigger an alert.
Also, engaging the users in the DLP process will directly benefits the organization, by reducing the burden of day-to-day security management from IT staff. The majority of decisions about whether content can be sent or not, is taken by users directly – a sharp contrast to previous-generation DLP solutions that require IT staff to check every email flagged as a potential risk. Empowering the user enables IT teams to focus on more strategic tasks, instead of getting bogged down in email approvals.
When it comes to preventing data loss in the corporate environment, technology alone is not the answer, but it can be used as a safety net. This, combined with educating users to become more aware of the impact of their actions, is the best method for minimizing the overall security risks. Benjamin Franklin was right: an ounce of prevention truly is better than a pound of cure.