At the RSA security conference in San Francisco in April 2008, early adopters of data loss prevention (DLP) technology argued that bad business processes are the chief cause of information losses, bringing risks that far outweigh those associated with malicious attacks.

DLP tools bring together data discovery, classification and policy management products, allowing organisations to govern how important or sensitive information is accessed and moved. The past year has seen a number of firms specialising in this area being acquired by major security vendors such as Websense and Symantec.
The introduction of DLP at credit agency Equifax proved to be a real eye-opener, said Tony Spinelli, chief security and compliance officer at the firm.

“It brought it home to us that people had no idea that we even had a data use policy. The issues that arose were not about malicious activity, but about old, bad business processes,” he told delegates.

In one case that was uncovered, the finance team would routinely reply to an invoice submitted by a temporary staff agency. Because the agency had submitted social security details in an unencrypted form, it had never occurred to the finance team that by simply replying they too were sending out sensitive information with inadequate controls, said Spinelli.

At Lincoln Financial Group, a trial of the technology also unearthed alarming instances of previously unseen poor business practices. Pat Lefemine, chief information security officer, explained that he had even discovered that his chief executive’s home address and social security number had been sent out in an unencrypted email. “After that, I didn’t have too much of a problem making the business case,” he said.

But while DLP has helped these early adopters to minimise the risks of data loss, its introduction requires careful planning, experts said.

If organisations are looking to implement best practice in handling data, they need to get line-of-business leaders to buy into the process, warned Rhonda MacLean, global chief information security officer at Barclays. The discussions around data loss can get “emotional” she explained, and frequently business managers choose to deny that poor practice could emanate from within their unit. “You need the cold facts, figures and names to drive that point home,” she added.

DLP potentially allows businesses to enforce a company-wide data usage policy, said Equifax’s Spinelli, but it is vital to get your human resources and legal teams to help construct that policy, so that any exemptions can be properly managed.

So while DLP can help mitigate risks, IT leaders should be aware of the overheads associated with it. MacLean explained it had made many business leaders within Barclays aware of the need for greater use of encryption, but that could potentially lead to higher charges for their IT services. As security professionals “we need to think about how we can commoditise some of these services. When business units buy desktop services, they automatically assume it will be secure, so we need to think about how we can build encryption into the prices we charge”, she said.

There may also be a technical overhead, suggested Spinelli, who added that DLP tools can be “very CPU intensive”. Equifax monitors every piece of data crossing its network and checks it against a 300 million-line database, used to categorise sensitive data. This is done in 11 milliseconds by “throwing CPU capacity” at the analysis.