SECURITY INSIGHTS ARTICLES

A Revealing Conversation About Data Loss
By Brian Kenyon, Director, Enterprise Technical Enablement

Q.  What is all the hype around data loss and leakage, and why should I care?

A.   Over the last several years we’ve seen fewer and fewer widespread attack campaigns across the Internet. However, there has been a large increase in targeted "zero-day" exploits and underground attacks designed not to draw attention. Flying low and slow, they instead focus on system vulnerabilities to steal the crown jewels of the digital age — our most precious data. The threat is real, and any organization that stores sensitive information is susceptible.

Q.  Over the last several years we’ve invested heavily in patch management to ease the crisis tied to system vulnerabilities. Should I still be concerned?

A.  Yes. While patch and configuration management systems do solve very large and complex problems, not every exploit we’ve seen in the wild has a corresponding patch, hence the impact and danger of the zero-day exploit. Also, not all data loss occurs through malicious behavior. For example, simply mistyping an email address or selecting the wrong print queue can potentially cause sensitive data to end up in the wrong hands. And to the best of my knowledge, there isn’t a patch out to fix human error—yet.

Q.  Well that’s an ugly picture. Am I doomed, or is there something I can do?

A.  Organizations have been dealing with this question for decades (just talk to Coca Cola about attempts to steal the magic formula). However, some new data loss prevention (DLP) solutions have emerged to help organizations stop sensitive data from escaping.

Q.  How are these products implemented?

A.  The only effective DLP solutions combine gateway and agent-based protection. In other words, we have to analyze traffic as it exits through your gateway and also examine how data is being copied, printed, transmitted or manipulated. Because so much data leaves organizations through allowable mediums such as email, Webmail, USB drives, file shares, etc., a gateway-only solution isn’t enough to prevent leakage. For example, how would a gateway solution prevent an employee from copying credit card numbers to a laptop or flash drive and stopping off at the nearest WiFi hotspot to email them out through Gmail? Gateway solutions also fail to prevent users from copying, printing or even encrypting data. Agent technology solves these problems by examining the data at the user level and determining which actions are allowable per company policy.

Q.  How will a DLP solution know which data shouldn’t be transmitted, copied or manipulated?

A.  Data classification is an extremely valuable exercise for any organization that stores sensitive information. While technologies do exist to help the process, it’s best to start with a manual effort to find, prioritize and classify your data. Several major consulting firms can help, and if your organization uses an external financial auditing firm, they should have knowledge of your systems, processes and potentially your data repositories as well. Once you’ve identified and tagged your critical data, you can then import this information into the DLP product. An effective solution will allow you to classify data by location (file share, etc.), content (what sets of data exist in the document, database, etc.), and file type (spreadsheet, database, text document, etc.).

Q.  What can I expect to see after I implement a DLP solution?

A.  At first you’ll probably see a lot of alerts. But don’t fret—most of the activity will probably be non-malicious behavior by employees who simply don’t realize that they’re violating policy. You should probably start in "audit mode" to reduce the number of false positives and home in on the data you truly want to keep guarded. Then give your employees time to adjust, and reset their expectations through good communication. Changing behavior doesn’t happen overnight, but it can be done.
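The two answers above describe classification by location, content and file type, and an "audit mode" that alerts without blocking. The following Python sketch is an added example written for this article; it is not the author's code or any DLP product's logic. The sensitive share paths, the extension-to-file-type map, the sample documents and the audit/enforce policy are all constructed assumptions. The content check looks for credit card numbers (the example used in the gateway-versus-agent answer) and validates candidates with the Luhn checksum, which is what keeps a 16-digit order number from raising a false alert.

```python
import os
import re
from dataclasses import dataclass

# Constructed assumption: locations the classification exercise tagged as sensitive.
SENSITIVE_LOCATIONS = ("/shares/finance/", "/shares/hr/")

# Constructed assumption: file-type tags keyed by extension (article's categories).
FILE_TYPES = {
    ".xlsx": "spreadsheet", ".csv": "spreadsheet",
    ".db": "database",
    ".txt": "text document", ".docx": "text document",
}

# Runs of 13-19 digits, optionally separated by spaces or dashes: card-number candidates.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed assumption: actions the policy treats as data leaving the organization.
EGRESS_ACTIONS = {"email", "webmail", "usb_copy", "print"}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers AND pass the Luhn check."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Document:
    path: str  # where the data lives (location dimension)
    text: str  # what the data contains (content dimension)


def classify(doc: Document) -> dict:
    """Tag a document along the three dimensions the article names."""
    ext = os.path.splitext(doc.path)[1].lower()
    return {
        "location_sensitive": doc.path.startswith(SENSITIVE_LOCATIONS),
        "content_tags": ["credit_card"] if find_card_numbers(doc.text) else [],
        "file_type": FILE_TYPES.get(ext, "unknown"),
    }


def evaluate(doc: Document, action: str, mode: str) -> tuple[str, bool]:
    """Return (decision, alert). mode is 'audit' (alert only) or 'enforce' (block)."""
    tags = classify(doc)
    sensitive = tags["location_sensitive"] or bool(tags["content_tags"])
    if not (sensitive and action in EGRESS_ACTIONS):
        return ("allow", False)
    if mode == "audit":
        return ("allow", True)   # audit mode: log the policy violation, let it through
    return ("block", True)       # enforce mode: stop the action and alert


# Constructed sample documents (not real data).
SAMPLE_DOCS = [
    Document("/shares/finance/q3_receipts.xlsx", "Card 4111 1111 1111 1111 charged 42.00"),
    Document("/shares/public/orders.txt", "Order 1234567890123456 shipped"),  # fails Luhn
    Document("/shares/hr/salaries.csv", "name,salary\nalice,1"),
    Document("/home/alice/notes.txt", "lunch at noon"),
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        for mode in ("audit", "enforce"):
            print(doc.path, mode, evaluate(doc, "email", mode))
```

Run in audit mode first and review what alerts; the second sample document shows why the Luhn check matters, since a bare digit-run pattern would flag it as a card number. Switching `mode` to `"enforce"` is the point at which the same policy starts blocking.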
