New Urgency in DLP Leads to Rush to DLP Silver Bullet?
A new article from banktech.com says that companies in the financial services industry “are finding that data loss prevention is taking on a new urgency.” With the daily laundry list of new data breaches and the never-ending media coverage, it’s no wonder financial services companies–and those in many other industries–are taking note. At DLP Experts we have seen this same level of urgency with many security professionals being ordered from the top to address the problem. Quickly.
I’m a proponent of DLP technologies. Some have even called me a DLP bigot. However, I don’t believe that the answers lie just in DLP technologies. DLP technologies are, after all, only tools to enforce the data protection policies that should already exist in every organization.
At the risk of sounding like a broken record, it’s critical for every organization to recognize that data protection is a process and that DLP technologies are one step in that process–step four, to be exact. To deploy DLP without having completed steps one, two and three, will leave an organization vulnerable to situations that DLP technologies cannot address.
So, with this newly-found sense of urgency to protect data, my fear is that companies will run straight to the nearest Office Depot, pull a can of extra-strength DLP off the shelf, come back to the office, pop the top and… let the sun shine in on data protection nirvana! Sorry folks. I was being facetious; that isn’t going to happen.
First, DLP is not a silver bullet and can actually provide a false sense of security. This false sense of security is what gets companies into trouble.
So, before you reach up for that can of extra-strength DLP, think about steps one, two and three (and all that goes with them):
- Do I know exactly what data I need to protect? Where it resides? Who owns it? Who touches it and why? Do I have the input of all data owners in the company? If you don’t know what you’re trying to protect, you’ll have a heck of a time protecting it.
- Do I have policies in place that explain what we need to protect and why we need to protect it? If so, are they updated to reflect our current data and environment? If not, you’d better get cracking and develop those policies. Steps one and two will drive how you eventually implement DLP enforcement technologies.
- Do your employees know how to protect sensitive data? Do they know what constitutes sensitive data and why it needs to be protected? Have they been given detailed data protection policy and sensitive data awareness training? Have they signed on the dotted line acknowledging that they could lose their job for not complying with these policies? Are they counseled when they do something stupid that puts sensitive data at risk?
These three steps are critical, yet the tendency is to rush out for a dose of DLP. Don’t let the urgency of the situation cause you to forget the first critical steps!