Article provided by Westcon
Perhaps more than any other element of the digital age, ensuring data is not lost or compromised must be considered one of the most important strategic interventions a business of any size can implement. Data has become the lifeblood of organisational success, and without it, no company can hope to survive.
This means not only protecting data from malicious users but also putting systems in place that deliver business continuity and disaster recovery in times of crisis, such as the one South Africa and numerous other countries around the world are experiencing with the COVID-19 pandemic.
Fortunately, regulatory and compliance measures have long been in place to ensure companies take the required steps to protect sensitive information and prevent its inadvertent exposure. This information can encompass financial data, credit card details, identity numbers, and health records. Data loss prevention (DLP) policies are therefore critical for businesses to identify, monitor, and protect this data across the plethora of applications they use.
“Understandably, this is a complex process given how pervasive data has become in the business. The explosion of the Internet of Things (IoT) resulting in more devices connecting to the corporate back-end, an increasing reliance on unstructured data (using social media to identify consumer trends), and a mobile-centric lifestyle mean decision-makers are under pressure to find ways of automating this compliance as much as possible,” says Prebashini Reddy, Microsoft Cloud Solution Provider (CSP) and Volume Licensing (VL) Product Manager at Westcon-Comstor Sub-Saharan Africa.
Companies such as Microsoft have incorporated DLP into many of their solutions. The Office 365 productivity suite, for example, has DLP as an integrated and automated intelligent service. This looks for messages, files, and documents across the company that contain sensitive information and applies configurable policies about what can and cannot be done with that data.
“As businesses embrace the cloud, solutions such as this designed to protect sensitive information and its inadvertent exposure are more important than ever. The financial and reputational consequences of anything happening to corporate data see companies take this threat very seriously,” says Pete Hill, executive director at Greendata.
Protection from themselves
Having DLP tools in place means an employee is unable to send sensitive information to someone outside the corporate network. Furthermore, it counters the growth of shadow IT that sees people use consumer-centric solutions in the company environment without approval. With DLP, it will not be possible to save corporate data on a public cloud storage service. Any malicious or accidental attempt to do so will not only be blocked but flagged for the IT team to follow up.
Much of what DLP does is through rules and policies that define the types of files and data considered to be sensitive. In some respects, this is a very business-centric way of limiting data exposure to unauthorised people. This intervention is greatly enhanced by cybersecurity solutions that are more focused on malicious attacks.
“The DLP feature in Office 365 automatically classifies data and uses the policies put in place to prevent unauthorised access to classified content. It is also not limited to the productivity suite but can identify sensitive information across numerous locations, including OneDrive, Microsoft Teams, and so on. It supports both cloud and on-premise versions of the Microsoft software and delivers a continuous monitoring service, so management can put their efforts on more strategic initiatives,” says Reddy.
Having such an integrated approach helps people stay compliant without interrupting their workflow. If someone tries to share a sensitive document, the DLP policy can send them an email notification and show them a policy tip in the context of what they wanted to share.
“With so many instances of data compromise occurring due to mistakes by employees, DLP is essential but must form part of a broader educational strategy by the business. People must understand what constitutes sensitive information, what can and cannot be shared, and where they can store this data. Some companies might take a ‘police state’ approach to this, but others who use automated DLP tools can have a more people-centric way of dealing with data,” adds Hill.
Despite the benefits of automating DLP, the policy must still be structured according to specific guidelines. It needs some basic elements: the locations of the content that must be protected, and when and how to protect that content by enforcing rules built from conditions (the type of information the content contains) and actions (what will happen when those conditions are met).
The DLP tool must also create incident reports to send to the compliance officer or any other designated individual. These will include information about what someone was trying to share, who was trying to share it, and the severity level of the data based on its sensitivity. In turn, this can be used to identify trends in the kinds of data that employees share and highlight what must be done to educate them to minimise the risk of a repeat occurrence.
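The policy anatomy described above (locations, conditions, actions and an incident report) can be sketched in a few lines. This is an added example, not Microsoft's or the article's code; the rule names, thresholds, the `external` flag and the restriction to one sensitive type (card numbers, validated with the Luhn checksum) are assumptions.

```python
import re
from dataclasses import dataclass

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Checksum that filters out random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

@dataclass(frozen=True)
class Rule:
    name: str
    locations: frozenset  # where the rule applies
    min_matches: int      # condition: how much sensitive data is present
    action: str           # what happens: "notify" (policy tip) or "block"
    severity: str

# Hypothetical policy, most restrictive rule first.
POLICY = [
    Rule("cards-high-volume", frozenset({"email", "onedrive"}), 2, "block", "high"),
    Rule("cards-low-volume", frozenset({"email", "onedrive", "teams"}), 1, "notify", "low"),
]

def evaluate(location: str, user: str, external: bool, text: str):
    """Return an incident report for the first matching rule, else None."""
    cards = find_cards(text)
    if not external or not cards:
        return None
    for rule in POLICY:
        if location in rule.locations and len(cards) >= rule.min_matches:
            return {"rule": rule.name, "user": user, "location": location,
                    "action": rule.action, "severity": rule.severity,
                    # mask values so the report does not itself leak the data
                    "matches": ["*" * (len(c) - 4) + c[-4:] for c in cards]}
    return None

# Constructed sample message (well-known test card numbers, not real data).
SAMPLE = "Refund 4111 1111 1111 1111 and 5555-5555-5555-4444, order 1234 5678 9012 3456"
```

The 16-digit order number in the sample matches the pattern but fails the checksum, which is why pattern matching alone is not enough for a usable false-positive rate.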
“And while DLP is a prevention mechanism, the technology also enables users to exchange encrypted and rights-protected emails safe in the knowledge that it will not be compromised. It gives companies complete control over their data, whether that is stored on-premise or in the cloud. Policies are flexible and customisable to suit changing market conditions. For example, Office 365 DLP can flag more than 80 sensitive data types to ensure sensitive information is protected as determined by management,” says Reddy.
DLP is a more intuitive way of walking the line between remaining innovative with data analysis and guaranteeing that data privacy is maintained. It is not about limiting the collection and use of customer data but rather about providing guidelines so that these actions conform to compliance and regulatory requirements.
“When implemented correctly, DLP can unlock opportunities for innovation while still positioning the organisation as a responsible corporate citizen. The reputation of a business is affected by its privacy policies, and DLP can ensure these are better aligned to the organisational strategy and help drive future growth,” concludes Hill.