Creating an effective Data Loss Prevention strategy
The value of Data Classification: Creating an effective Data Loss Prevention strategy
Two fundamental questions need to be answered up front:
What are your most valued assets?
Where are they?
Answering the first question may require some discussion – the board needs to be aware that the most valuable assets of any organization are likely to be its brand, its people, and its digital assets.
In fact, 85% of business assets are now in digital form.
To understand the value of information itself (especially at scale), we need only look at how much Facebook paid to acquire WhatsApp: $19.3 billion in 2016! Apparently, the deal was sealed at Zuckerberg’s home over a bottle of Johnnie Walker scotch.
“But isn’t WhatsApp free to download? I don’t see any adverts in WhatsApp. Does this mean we will have to pay to use WhatsApp, and will we now be bombarded with adverts?” No, no, no.
So why on earth would Facebook pay so much for a free and simple app? The value lies in the number of users, and the data that they generate…
Think about the analytics that can be run on all that rich, raw data. I would ‘hope’ Facebook respect privacy and stay within the bounds of the law, but I am certain they ‘sweat’ their digital assets by running all kinds of interesting algorithms and analysis.
The Senator in the BBC clip linked below may seem a little outdated, but his question about how Facebook makes profits from a free app is a good one. It is not purely based around their ads, as Zuckerberg implies: https://www.bbc.com/news/technology-43735385
Data is extremely valuable, not just to cyber-scum criminals, but to business itself.
If your business is not extracting value from its data at scale, that is something that should probably be looked into…
Back to my point - question number 2: Where do these digital assets exist?
You need to understand what you are trying to protect, why, how much protection is needed, and yet make this information available to the right people at the right time.
This is where a good Data Classification Policy comes into play.
First, define what information is important to your business. “Importance” is driven by what your business does with its data, what laws apply, and what potential harm could be done to your organization should any of this information end up in the wrong hands.
It is usually best to keep data classification simple: Public, Internal and Confidential. Adding more classifications increases complexity for your staff, who will need to be trained in how to handle classified data later on.
Some companies add Strictly Confidential to the list of classifications, to protect things like trade secrets or data that is highly sensitive, but I think keeping things simple reduces the likelihood of human error when marking/handling sensitive data. Just ensure the scope covers all types of sensitive data.
Types of sensitive information typically include: personally identifiable information (PII), credit card data, intellectual property (IP), trade secrets, health data, contracts, financial information, etc.
Now that you know what you want to protect, the next step is to identify and tag/mark this data.
There are many great solutions that can help automate this process, such as Boldon James for data tagging and Varonis for data discovery. Unfortunately, I haven’t found a solution which does data discovery, tagging and data loss prevention (yet), so a combined approach works best.
Two considerations for tagging digital information: structured data (such as a database) and unstructured data (such as a filing system). Both must be covered during the data identification, classification and tagging process.
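To show what the identify-and-tag step looks like for both kinds of data, here is an added Python example. It is not code from the post, nor from Boldon James or Varonis. It assumes the three-tier scheme above, three detectors (card numbers validated with a Luhn check to cut false positives, email addresses as a proxy for PII, and an explicit TRADE SECRET marker), an "Internal until reviewed" default for assets with no findings, and a constructed set of share files and one CRM table; all of those are assumptions, not anything the post prescribes.

```python
"""Data discovery and tagging (added example, not from the post).

Scans unstructured text (files on a share) and structured records (database
rows) for sensitive data types named in the post, then tags each asset with
the highest matching label from a three-tier scheme:
Public < Internal < Confidential. All sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LABELS = {"Public": 0, "Internal": 1, "Confidential": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so ordinary 13-19 digit numbers (phone extensions,
    order ids) are not tagged as card data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# detector name -> (pattern, label assigned on a hit, optional validator)
DETECTORS = {
    "credit_card": (
        re.compile(r"\b(?:\d[ -]?){13,19}\b"),
        "Confidential",
        lambda s: luhn_valid(re.sub(r"[ -]", "", s)),
    ),
    "email_pii": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "Confidential", None),
    "trade_secret_marker": (re.compile(r"\bTRADE SECRET\b", re.I), "Confidential", None),
}


@dataclass(frozen=True)
class Finding:
    asset: str      # file path or table.column
    detector: str
    label: str


def scan_text(asset: str, text: str) -> list[Finding]:
    """Unstructured data: run every detector over the raw text."""
    findings = []
    for name, (pattern, label, validate) in DETECTORS.items():
        for match in pattern.finditer(text):
            if validate is None or validate(match.group(0)):
                findings.append(Finding(asset, name, label))
                break  # one validated hit per detector is enough to tag the asset
    return findings


def scan_records(table: str, rows: list[dict]) -> list[Finding]:
    """Structured data: scan column by column so the tag lands on table.column,
    the granularity at which access is later restricted or values masked."""
    findings = []
    for col in sorted({c for row in rows for c in row}):
        joined = "\n".join(str(row.get(col, "")) for row in rows)
        findings.extend(scan_text(f"{table}.{col}", joined))
    return findings


def tag_assets(files: dict[str, str], tables: dict[str, list[dict]],
               default: str = "Internal") -> dict[str, str]:
    """Tag every known asset; the highest label found wins. Assets with no
    findings keep the default (assumption: nothing is Public until a person
    decides it is)."""
    tags = {path: default for path in files}
    for table, rows in tables.items():
        for col in {c for row in rows for c in row}:
            tags[f"{table}.{col}"] = default
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    for table, rows in tables.items():
        findings.extend(scan_records(table, rows))
    for f in findings:
        if LABELS[f.label] > LABELS[tags[f.asset]]:
            tags[f.asset] = f.label
    return tags


# Constructed sample inventory: a few share files and one CRM table.
SAMPLE_FILES = {
    "share/marketing/press-release.txt": "Acme launches its new widget line in Q3.",
    "share/finance/refunds.csv": "customer,card\nJ. Doe,4111 1111 1111 1111\n",
    "share/rnd/process-notes.txt": "TRADE SECRET: catalyst ratio 3:1. Owner r.lee@acme.example",
    "share/hr/phone-list.txt": "Reception extension 1234567890123",  # 13 digits, fails Luhn
}
SAMPLE_TABLES = {
    "crm.customers": [
        {"id": 1, "email": "a.smith@example.com", "notes": "prefers phone"},
        {"id": 2, "email": "b.jones@example.com", "notes": "VIP account"},
    ],
}

if __name__ == "__main__":
    for asset, label in sorted(tag_assets(SAMPLE_FILES, SAMPLE_TABLES).items()):
        print(f"{label:12} {asset}")
```

Running it tags the refunds file, the R&D notes and the CRM email column as Confidential while the press release, the phone list (its 13-digit extension fails Luhn) and the CRM id/notes columns stay at the default. The point of the Luhn validator and the per-column scan is the one the post makes about human error: tags that are noisy get ignored, and tags that land on a whole table rather than a column cannot be acted on.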
Reducing the attack surface: “He who defends everything, defends nothing”
The main objective of data classification, identification and tagging is to figure out where your critical assets exist within your organization.
You can only begin to defend this data once you know where it is (logical, right?).
Techniques such as encryption, network segregation and even changes to business process must be considered to reduce the attack surface as much as possible. For example, does your company Intranet really need to be public-facing? Do your IT admins really need to access credit card data?
The biggest mistake I see many organisations making is that they try to defend everything all at once.
Or worse, they simply ‘check’ off the legal boxes and forget about information risk management altogether! This is a losing strategy, even if they think they can transfer some risk to a cyber insurance company – reputation damage and accountability cannot be outsourced.
Only once you have defined what is important to your business, detected where all this data is, and marked it according to your classification policy can you implement a Data Loss Prevention (DLP) strategy.
The DLP strategy must be based on risk. It must align with organizational objectives, business continuity goals, risk appetite, budget constraints and, of course, it must meet the various regulatory and compliance requirements.
There are a million and one solutions out there to protect your data, but the great thing is that now you can select those which are designed to prevent data loss at the points where it leaves: your internet proxy, email, SFTP servers, firewalls and even anti-virus (Trend Micro, for example, does DLP on the endpoint).
Many of your existing cyber defences probably already have DLP capabilities which are not being utilised, so by marking sensitive data, you can now leverage these controls to get the most value out of them. But do it in learning mode, first! DLP controls should not disrupt normal business operations.
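As an added illustration of the "learning mode first" point, here is a small egress policy evaluator in Python. It is example code written for this page, not the post's own or any vendor's; the channel names, the trusted domains, the rule that Confidential data may only move over approved channels to trusted domains, and the sample transfers are all constructed assumptions.

```python
"""DLP egress policy with a learning mode (added example, not from the post).

Takes assets already tagged Public / Internal / Confidential and decides, per
egress channel, whether a transfer may proceed. In learning mode nothing is
ever blocked: would-be blocks are only logged, so the rules can be tuned
against real traffic before enforcement can disrupt the business. The
channels, trusted domains and transfers below are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    LEARNING = "learning"  # log what would be blocked, never interfere
    ENFORCE = "enforce"    # actually block


@dataclass(frozen=True)
class Transfer:
    asset: str
    label: str        # from the classification/tagging step
    channel: str      # "email", "proxy" (web upload) or "sftp"
    destination: str  # recipient domain, upload host or SFTP host


# Assumed policy inputs: domains the business treats as inside its ring-fence,
# and the channels approved for moving Confidential data to them.
TRUSTED_DOMAINS = {"acme.example", "partner.example"}
APPROVED_CHANNELS = {"email", "sftp"}


def evaluate(t: Transfer) -> tuple[str, str]:
    """Mode-independent rule: returns ("allow" | "block", reason). Unknown
    labels fail closed, so an untagged asset cannot slip out unnoticed."""
    trusted = t.destination in TRUSTED_DOMAINS
    if t.label == "Public":
        return "allow", "public data may leave"
    if t.label == "Internal":
        if trusted:
            return "allow", "internal data to trusted domain"
        return "block", "internal data to untrusted domain"
    if t.label == "Confidential":
        if t.channel == "proxy":
            return "block", "confidential data via web upload"
        if trusted and t.channel in APPROVED_CHANNELS:
            return "allow", f"confidential data via approved {t.channel}"
        return "block", "confidential data to untrusted destination"
    return "block", f"unknown label {t.label!r}"


def run(transfers: list[Transfer], mode: Mode) -> list[dict]:
    """Apply the policy to each transfer and return an audit log. In learning
    mode a block verdict is recorded as 'would_block' and the transfer proceeds."""
    log = []
    for t in transfers:
        verdict, reason = evaluate(t)
        if verdict == "block" and mode is Mode.LEARNING:
            verdict = "would_block"
        log.append({"asset": t.asset, "label": t.label, "channel": t.channel,
                    "destination": t.destination, "action": verdict, "reason": reason})
    return log


def summarize(log: list[dict]) -> dict[str, int]:
    """Counts per action. The would_block count from learning mode is the
    number of business-disrupting events to review before switching to enforce."""
    return dict(Counter(entry["action"] for entry in log))


# Constructed traffic sample.
SAMPLE_TRANSFERS = [
    Transfer("share/marketing/press-release.txt", "Public", "proxy", "news.example"),
    Transfer("share/finance/refunds.csv", "Confidential", "email", "webmail.example"),
    Transfer("share/finance/refunds.csv", "Confidential", "sftp", "partner.example"),
    Transfer("share/rnd/process-notes.txt", "Confidential", "proxy", "paste.example"),
    Transfer("share/hr/phone-list.txt", "Internal", "email", "acme.example"),
    Transfer("share/hr/phone-list.txt", "Internal", "email", "contractor.example"),
]

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, summarize(run(SAMPLE_TRANSFERS, mode)))
```

In learning mode the same six transfers produce three allows and three would_block entries and nothing is interrupted; each would_block is either a rule to tune (a legitimate partner transfer the policy got wrong) or a real exposure to fix before the switch to enforce, which is exactly the review the post asks for before DLP is allowed to touch normal business operations.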
The real point about an effective DLP strategy is figuring out what you want to protect, where it is and how you can reduce that attack surface before even considering what controls to implement.
Once you have ring-fenced your critical information assets, applying data loss and other controls to these zones using a defence-in-depth approach is the best way to stretch your budget and maximise returns.