There’s only so much IT security can do, especially if errant employees leave laptops on trains or post CDs of unencrypted data in Jiffy bags. Implementing the right systems is vital, but it is equally important that the right people processes are put in place. What technologies and processes can help IT leaders prevent costly data leaks?
Replies from the experts
The prevention of data loss, whether accidental or deliberate, cannot be tackled as a stand-alone issue. Information security must be addressed at a strategic level, incorporating a host of compliance issues including processes for staff joiners/leavers; temps; contract staff; visitors; building security; asset security; internet and email usage; system access control; password security and data encryption. It is not only critical to have policies that say what is and is not acceptable practice, but also enforcement which makes it more difficult to do the wrong thing. Detection and follow-up action also need to be implemented when, despite warnings, someone decides that information security is not something which applies to them. There are some great tools which help to achieve enforcement. Quality laptops include the option to encrypt and password- or fingerprint-protect an area of hard disk and are engineered to withstand a reasonable degree of physical impact. Broadband bandwidth means that it is perfectly feasible to carry out incremental backups of remote PCs, and nearly every system has the option to enforce regular password changes.
Sandra Smith, head of information systems, Toshiba UK
While no single set of security procedures will meet the needs of every business, Corporate IT Forum members advocate a three-pronged approach to data protection based around technology, policy and education.
Encryption of both data and device is commonly used by large organisations and one of many tools available in the corporate armoury. The key here is the effectiveness of the solution which will balance the capability of the technology against its ease and practicality of use. In addition, the whole organisation, not just IT, must buy into good security practice. Policies concerning data must be set at the highest level and complied with by everyone – no exceptions.
Also, you will want to ask who has access to the most valuable data, and who’s most likely to be accessing it via a device beyond the safety of the corporate boundary? Having comprehensive, practical guidance around usage and personal responsibility, and not a list of “don’ts”, is vital. Combine policy with education by devising a programme of ongoing learning and awareness-raising. Users must understand why security matters, what the risks are and how they can combat them. This way security becomes a culture, not a dictate.
Ollie Ross, head of research, The Corporate IT Forum
Starting with a framework is essential to avoid overloading laptops with lots of different software from different suppliers. The framework will include systems such as access control, virus protection, data privacy, recoverability and online security. Another important aspect is ensuring that your staff’s needs are taken care of and that your implementation has minimal impact on the team. For example, avoid software that takes up a lot of memory and slows the laptop. Also avoid the necessity for different passwords for different software; go for the single sign-on approach, ideally with two factor authentication. Finally, when implementing a policy, ensure staff understand and appreciate the risks and implications.
Dharmesh Mistry, chief technology and operations officer, edge IPK
It all starts with a comprehensive and realistic information security risk assessment by the line-of-business owners. Without visibility into what data is out there, and what risk its loss poses to the organisation, the tasks of setting rational and effective policies and developing a technology strategy are that much more difficult.
Data leak prevention (DLP) and access management technologies can both help. DLP encourages organisations to discover and classify data and provides the kind of automated detection, enforcement and auditing needed to help users stick to the rules. Adopting strong authentication and the principle of least privilege ensures only authorised and responsible members of staff have access to sensitive data. But a coherent, well-designed set of policies supported by appropriate technologies is worthless unless the policies have two sets of teeth: enforcement and remediation. Employees need to know that there are real consequences to policy violation. And the subject of the data – for example, the customers – needs to know what the data owner will do to shield them from risk due to their data being lost.
Bill Nagel, analyst, Forrester Research
While most security is an outside-in battle against intruders, data leaks are an inside-out struggle against human error. You need to be able to look deep within the infrastructure, identify data at risk and put controls in place to keep it from falling into the wrong hands.
Data is fluid and humans are amazing in their ability to unintentionally evade the most well-conceived control schemes. Therefore, data leak prevention is by its very nature a dynamic process that demands real-time visibility into what is going on in the network and the ability to quickly propagate and deploy policies and countermeasures as things change.
There are plenty of DLP products out there, but it’s the visibility and management structure underneath a specific DLP tool that will make the difference between keeping the stable door closed and chasing the horses all over the countryside.
Amrit Williams, chief technology officer, BigFix