If you expand beyond the desktop to other endpoints, the problem intensifies. Think of point-of-sale terminals. The very public, very costly TJX data breach started with POS terminals storing data they shouldn't have.
1. Identify the five or six pieces or types of data that would cause serious problems if they left the organization. Examples include social security numbers, customer credit card numbers, sales records and intellectual property.
2. Figure out where sensitive data is stored within your organization. Older companies will often find that sensitive data is all over the place, even on employee desktops.
3. Once you know where that data is, establish policies for how it is created, stored, accessed, shared and secured.
4. Monitor and enforce data protection policies on email, web mail, IM and other methods of communication.
5. Create and enforce policies for data stored on endpoints and removable storage.
According to the Payment Card Industry Data Security Standard, a standard that specifies how merchants handle credit card data, personal information on magnetic stripes should not be gathered and stored. Unfortunately, this sensible privacy/security process often conflicts with marketing and sales processes, which have organizations gathering consumer information wherever and however they can.
In the case of TJX, information that shouldn't have been gathered was, and it was stored in a poorly protected manner.
"Everyone needs to become much more data aware," said Carol Baroudi, research director, security technologies for AberdeenGroup. At the very least, organizations need to ask: Where is data stored? Who has access? How is it protected?
DLP attracts VC cash
Since it is so easy for organizations to overlook flawed processes, and so easy for data to travel practically anywhere in the typical e-business, DLP vendors like Verdasys and Vontu are trying to automate the discovery and enforcement of business policies as they relate to sensitive data.
At the most basic level, these tools scan information traveling over corporate networks and block so-called structured data, things like Social Security or credit card numbers which are easy to spot because of their consistent formats. The more sophisticated of these tools investigate the content of the data itself, attempting to protect less structured information like intellectual property.
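The structured-data detection described above, and the "find out where sensitive data is stored" step from the list earlier, can be illustrated with a small scanner. This is an added example written for this page, not code from any DLP vendor named here: it runs regular expressions for Social Security and payment card numbers over a set of constructed sample documents (standing in for files found on a desktop or messages leaving over email), validates card candidates with the Luhn check to cut false positives, and reports only masked values so the scanner's own report does not leak the data it found.

```python
import re
from typing import Dict, List

# Constructed sample "files" (not real data). The two card numbers are the
# well-known Visa test numbers; the SSN is from the range SSA uses for examples.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "quarterly_notes.txt": "Q3 sales were strong; see the attached deck.",
    "customer_export.csv": "name,card\nJane Doe,4111 1111 1111 1111\nJohn Roe,4012-8888-8888-1881",
    "hr_form.txt": "Applicant SSN: 219-09-9999, phone 555-0100",
    "invoice.txt": "Order 1234567890123456 shipped; tracking 9400111899223",
}

# SSN: area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check over a digit string; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing digits so findings can be logged safely."""
    return "".join("*" if c.isdigit() else c for c in value[:-keep]) + value[-keep:]


def find_card_numbers(text: str) -> List[str]:
    """Return masked card numbers: regex candidates that also pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def find_ssns(text: str) -> List[str]:
    return [mask(m.group(0)) for m in SSN_RE.finditer(text)]


def classify(text: str) -> Dict[str, List[str]]:
    """Map data type -> masked findings; only non-empty categories are returned."""
    findings = {"credit_card": find_card_numbers(text), "ssn": find_ssns(text)}
    return {kind: hits for kind, hits in findings.items() if hits}


def scan_documents(docs: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Inventory step: which documents hold which kinds of sensitive data."""
    return {name: classify(body) for name, body in docs.items() if classify(body)}


def should_block(text: str) -> bool:
    """Enforcement step: block an outbound message if any structured data is present."""
    return bool(classify(text))


if __name__ == "__main__":
    for name, found in scan_documents(SAMPLE_DOCUMENTS).items():
        print(name, found)
    print("block customer_export.csv:", should_block(SAMPLE_DOCUMENTS["customer_export.csv"]))
```

The Luhn step is what separates this from a bare pattern match: the 16-digit order number and the 13-digit tracking number in `invoice.txt` both look like card numbers to the regex but fail the checksum, so they are not flagged. Real products add keyword context, document fingerprints and content classifiers on top of this to reach the unstructured data the article goes on to describe.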
The DLP approach to data protection seems to be catching on, with the space attracting a lot of VC money. Recently, it has also seen a string of acquisitions, with DLP startups being gobbled up by established security vendors. RSA acquired Tablus, Websense bought PortAuthority, and just last month Symantec snatched up Vontu.
"The recent series of acquisitions within the DLP market offers strong evidence that DLP is in reality a small part of a much larger and emerging data security market," Munroe said.
According to Munroe, as global companies seek to increase user productivity, business agility and competitiveness through greater collaboration between employees, partners and outsourcers, they are often brought up short when they start thinking about the risks associated with sharing data freely. Until those risks are addressed, the productivity gains promised by collaboration and agile business practices will fail to materialize, with the risks outweighing the possible gains.