Why Should Your Company Have a Data Loss Prevention Plan?



Technology Partners

Why Should Your Company Have a Data Loss Prevention Plan?

Brian Rosenfelt

• What is Data Loss Prevention (DLP)?

• How Data Loss Prevention Technologies Work

• Choosing a Data Loss Prevention Solution

• Steps for a Successful Data Loss Prevention Plan Implementation

www.skodaminotti.com | 440.449.6800 | 6685 Beta Drive Mayfield Village, OH 44143



Introduction

Data loss events happen at businesses large and small - a lot more often than many of us realize. Although some are targeted and malicious, many of these events are caused by highly trusted employees who accidentally leak intellectual property and data into commonly-used, untrusted zones (personal email addresses, USB drives, etc).

It’s important to not wait until a breach occurs to implement data leakage solutions. Without a comprehensive security structure to your network, you may not even know if security breaches are occuring. We want to help you understand how your company should be protecting its most important information.

The topics covered in this e-book include:

• What is Data Loss Prevention (DLP)?

• How Data Loss Prevention Technologies Work

• Choosing a Data Loss Prevention Solution

• Steps for a Successful Data Loss Prevention Plan Implementation

If you are interested in learning more about data loss prevention, and the solutions that are available to protect your company’s data, I invite you to continue reading this e-book.

About the Author

Brian Rosenfelt, Technology Consultant - Skoda Minotti Technology Partners

Brian is a principal with Skoda Minotti Technology Partners. He has 16 years of IT experience. Prior to joining the firm, he founded Computer Troubleshooters Independence, after a successful career as a controller, CFO and operations executive in various industries.

Brian graduated from the University of Maryland’s Smith School of Business and holds an active CPA certificate. He also holds several telecommunication certifications, including being a Certified 3CX Consultant and FtOCC (Fonality Trixbox Open Communication Certification) from Fonality. He is a member of the American Institute and Ohio Society of Certified Public Accountants, the Society for Human Resource Management and the Northeast Ohio Software Association. He also spends time volunteering with Cleveland Social Venture Partners and the Jewish Community Federation.


What is Data Loss Prevention (DLP)?

To understand the importance of data loss prevention for your company, I think it’s important that you first understand what data loss prevention is and the different kinds of data your company needs to protect.

Data loss prevention is a buzzword that’s quickly growing in popularity in the information technology world. Put simply, data loss prevention refers to systems and procedures that enable organizations to reduce the corporate risk of the unintentional disclosure of confidential data. It may seem like a simple concept, but the leakage of your company’s intellectual property and/or confidential data could cost you in the way of financial loss and fines, brand damage, and more.

To understand how you can protect your data, you first need to know where it lives. There are three kinds of data, and the following should help you understand each of them:

1. Data at Rest - To understand this concept, you can ask yourself, “Where is my confidential data stored?” This can be any data that is stored on file servers, databases, backup drives, mail servers, etc.

2. Data in Motion - Here, you can ask yourself, “Where is my confidential data going?” This can be any data that is moving throughout the network (especially from inside the network to outside the network via the Internet).

3. Data in Use - To best understand this concept, ask yourself, “What individual devices have access to confidential data?” This can be any data that resides on end-user devices such as workstations, laptops, tablets, Smartphones, external drives and other mobile devices.

It’s important to understand that a good data loss prevention solution will provide monitoring and protection for all three categories of data.



How Data Loss Prevention Technologies Work

So, we’ve talked about what data loss prevention is. And, maybe your company does need help implementing a plan. But, you want to better understand exactly how it works before you implement a plan of your own. We can help you with that.

Remember the three kinds of data we discussed earlier?

1. Data in Motion

2. Data at Rest

3. Data in Use

And remember, we also mentioned that a good DLP solution would protect all three types.

Here’s how an effective data loss prevention solution works to protect each type of data:

First, the solution must be able to monitor the network to ensure that “Data in Motion” is protected against unauthorized transfers. One example is employees emailing sensitive files to themselves using public webmail services like Gmail, Yahoo, AOL, etc.

Second, the solution should be able to monitor all file storage locations (“Data at Rest”) and ensure users aren’t manipulating that data in a way that violates the data loss prevention policy, for example by preventing employees from copying data from a file share to a USB drive.

Finally, the solution should have an “agent” component that can be installed to protect “Data in Use” on end-user devices, such as workstations and laptops, to ensure that policies aren’t violated even when those devices are outside of the corporate network.

Above all, the most important piece of a functional data loss prevention plan is educating the employees of your organization, so that they know and understand that they are responsible for ensuring the ‘health and safety’ of its data. Helping them to understand this concept, and explaining the ways your policy will work to do just that, can be instrumental to your data loss prevention plan’s success.


Choosing a Data Loss Prevention Solution

If you didn’t know you needed a data loss prevention plan before, you do now. Let’s give you a few more reasons why you should have one.

The obvious reason is to protect against intentional and unintentional data leakage. Beyond that, going through the process of creating a data loss prevention plan and policy gives your company intelligence as to where and how your data really is being stored, moved and used. Lastly, implementing a solution can help identify areas for process improvement (e.g. a developer sending source code to a home computer to work with because they didn’t have the resources they needed in your office).

Here are a handful of questions that you can ask your provider when choosing your data loss prevention solution:

Where does the product look for data across your network? Does it find sensitive data just traveling your network, on your database and file servers, or does it look at data on local desktops?

Can the data loss prevention agents accomplish other security-related things on the endpoints? Some vendors can turn off USB connectors to block someone with a thumb drive from walking away with all of your customer data in their pocket. Others can control which applications can and can’t be run on your workstations, laptops or even tablets.

What protocols can be blocked or analyzed? Just protocols involving email (SMTP, POP and IMAP)? What about file transfer technologies or instant messaging?

How hard is it to create – and then change – the data loss prevention rules? A DLP tool is only as good as its ability to have rules updated easily over time. Can your IT staff (or outsourced provider) easily update rules as new threats are identified or company policies updated?

What happens when a rule is broken? Can you figure out who violated the policy, where the offending information is stored, and what kinds of automated responses can be sent? Does the product come with pre-defined templates to make all of this easier?

Is the content analysis portion a separate or integrated piece of the product? In some cases, such as McAfee’s data loss prevention solution, you are going to need several different products to be installed to enable a complete solution.

What kinds of reports are available, and are they easy to understand? Does the product offer any real-time reporting capabilities, and how flexible are these reports?


Steps for a Successful Data Loss Prevention Plan Implementation

So, you’ve decided to implement a data loss prevention plan. Once you have the systems in place to begin monitoring the data within your organization, here are some steps that you can take, internally, to implement a successful DLP solution:

1. Identify Key Participants – Assemble those that should be involved internally when you identify data loss. Participants may include IT, HR, and operations employees. Identify the individuals and meet with them to work out what situations they will need to be involved in.

2. Develop a Notification Process – Do you have processes ready if a regulated data breach occurs? Who will be notified? Is your legal or compliance team ready to meet requirements, such as breach notification laws? Get your compliance people in the loop and have them write the process with you.

3. Fix Broken Business and Weak Processes – Assume that you will find broken business processes, like automated file transfers to partners in clear text over the internet instead of encrypted or over a private line. You’ll spend time getting these fixed.

4. Create a Plan for Handling Theft – Talk with HR to establish a process if you uncover insider theft. Give HR a heads up and involve them in the roll-out. The insider may be at a senior level, so consider that, as well.

5. Establish the Response Team and Workflow – Map out your incident handling and resolution process as a flowchart. Who will be on the incident handling team? In larger organizations you might have: a first level reviewer (making sure the incident is properly classified with the right severity, typical in large enterprises), IT, Security, Compliance, HR.

6. Set a Timeline for Incident Resolution – Set goals for making sure incidents are handled in a timely manner.

• First level review of all incidents within x amount of time

• Resolve all high severity incidents within y amount of time

• Close all incidents within z amount of time (resolving incidents within 2 hours)


Steps for a Successful Data Loss Prevention Plan Implementation (cont.)

7. Establish Reporting and Automate – How are you going to track things? Decide what reports you’ll need to have and who should get them. Set up scheduled reports so that you know what is happening and that your team is resolving incidents within your timeline. Reports for:

• Incidents Created

• Incidents Closed

• Open Incidents Status – by age, severity, owner

• A report sorted by the type of data or by policy that was violated

• Summary reports for your CSO or execs

8. Plan Roll-Out Stages – It’s important to plan your roll-out in stages rather than trying to attack the problem all at once.

• Select data and policies to be implemented in stages, e.g. first the customer billing database for PCI violations, then the next set of data and policies for state privacy regulations, then company IP data and policies.

• Roll out and test your policies in a monitor-only mode, to set a baseline. But you have to be prepared for a significant breach to happen. That’s why we advise people to anticipate data loss and prepare for it in advance.

• Decide when you will have the solution notify end users and what you expect of them. Use this for user education about your policies on data handling. You can expect to see the number of incidents drop as users are notified on each violation. Set up your reporting ahead of time so you can track this.
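The monitoring, severity and reporting workflow of steps 5 through 8, as an added Python sketch that is not part of the e-book or of any vendor’s product: two hypothetical content policies (a PCI card-number pattern validated with a Luhn check, and an SSN pattern) are run over constructed outbound mail events in monitor-only and then block mode, and the resulting incidents are cut by policy and by outcome the way the scheduled reports above suggest. The event fields, policy names and sample values are all assumptions.

```python
import re
from collections import Counter

# Constructed sample of outbound mail events ("data in motion"); every value is made
# up for illustration and the card/SSN strings are not real identifiers.
SAMPLE_EVENTS = [
    {"user": "alice", "dest": "gmail.com", "body": "billing export: 4111 1111 1111 1111 exp 12/27"},
    {"user": "bob", "dest": "partner.example", "body": "quarterly totals attached"},
    {"user": "carol", "dest": "yahoo.com", "body": "applicant SSN 123-45-6789 for onboarding"},
    {"user": "dave", "dest": "partner.example", "body": "ref 1234 5678 9012 3456 is a PO number"},
]
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "aol.com"}  # services the e-book names

def luhn_ok(digits):
    """Luhn checksum: drops 13-16 digit numbers (order ids, part numbers) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Hypothetical policies: (name, pattern, severity, validator run on the matched text).
POLICIES = [
    ("PCI card number", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "high",
     lambda m: luhn_ok(re.sub(r"\D", "", m))),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high", lambda m: True),
]

def evaluate(event, mode="monitor"):
    """Raise an incident per violated policy; "monitor" only logs, "block" stops high severity."""
    incidents = []
    for name, pattern, severity, valid in POLICIES:
        if not any(valid(m) for m in pattern.findall(event["body"])):
            continue
        action = "blocked" if mode == "block" and severity == "high" else "logged"
        incidents.append({"user": event["user"], "dest": event["dest"], "policy": name,
                          "severity": severity, "action": action,
                          "to_webmail": event["dest"] in PUBLIC_WEBMAIL})
    return incidents

def policy_report(events, mode="monitor"):
    """The report cuts the e-book lists for scheduled reports: by policy and by outcome."""
    incidents = [i for e in events for i in evaluate(e, mode)]
    return {"total": len(incidents), "to_webmail": sum(i["to_webmail"] for i in incidents),
            "by_policy": dict(Counter(i["policy"] for i in incidents)),
            "by_action": dict(Counter(i["action"] for i in incidents))}
```

Dave’s purchase-order number matches the card pattern but fails the Luhn check, which is the kind of false positive a monitor-only baseline phase is meant to surface before rules are switched to blocking.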

For a no-risk analysis of your company’s data, or to simply meet and discuss your company’s data loss prevention needs, give our Technology Partners group a call at 440-449-6800.