The Revival of DLP
Over the past 12 months we’ve seen a large number of customers embarking on Data Loss Prevention (DLP) projects that either look to overhaul or optimise their DLP strategy. Despite the well-known complexity and difficulties that come with these projects, companies are still seeing it as a priority and challenge that needs to be addressed now more than ever. But why is this?
People want privacy
According to the Economist in 2017*, data is now the most valuable asset in the 21st century, outstripping oil (the most valuable asset of the 20th century). As individuals we experience organisations collecting data on us every day; banking, insurance, healthcare, social media, our employers and the list goes on. Thus, having control over where and when this data is used has become imperative for us all.
For the most part, we’ve seen governments and agencies recognise this and implement more comprehensive legislation that protects the public’s data and privacy. One example of this being Australia’s Notifiable Data Breaches Scheme, making businesses more accountable for reporting when they have experienced a data breach and ensuring they notify the persons affected as quickly as possible so they are able to take any necessary action.
Further to this, later this year, the Federal Government has announced there will be major changes to the Australian Privacy Act. These updates will introduce additional powers for the Office of Australian Information Commissioner (OAIC) and larger fines for organisations that are found misusing personal data. Organisations will potentially face $10million or 10% of their annual domestic turnover in fines (depending on whichever is greatest), if they are found to be misusing individual’s personal data. These updates will bring the Australian Privacy Act more in line with the General Data Privacy Regulation (GDPR) that came into effect from May 2018 (read our previous blog post here).
Most recently we’ve seen for the first time a past data breach has had a negative effect on its Moody’s rating^, with Equifax’s outlook being moved from ‘stable’ to ‘negative’ due to its data breach in 2017 and the ongoing fallout from it.
The challenges of DLP
So, as individuals are looking to companies to ensure that their personal data is protected and accounted for, how are organisations actually addressing this? Do they have visibility of where their data resides? Do they have the correct controls in place to identify critical data and to detect when data is lost or maliciously removed?
These are all questions that an organisation looks to answer but often run into hurdles, which make the process difficult and frustrating.
- It’s complicated – Companies are often battling with complex infrastructures that have a blend of legacy on-premise systems and cloud-based applications.
- It’s not classified – Classifying data within an organisation is time-consuming and difficult, but is necessary when undertaking a DLP project in order for it to be successful. Many businesses have some kind of legacy data classification structure in place
- It’s uncontrollable – Most businesses have an idea or know what controls and data loss prevention policies they have/would like to have in place but have trouble enforcing them.
So, how can organisations tackle these challenges?
Start with the basics
What data classifications does your organisation need? What makes sense to your business and what is most important? Many businesses come across hurdles when they haven’t fully understood the DLP requirements their organisation has and therefore find they are forced to use a technology that does not work for them. It is important that a thorough scope of the project is completed before a DLP or CASB solution is evaluated. Think about what your business is trying to solve and do you have the complete picture of your business-critical data before you embark on the project. Which brings us to our next point…
Speak to your stakeholders
Speaking to other stakeholders of the business such as; legal and HR, gives you valuable insight into where your business critical resides, who is accessing it and how it is used. This is invaluable for the start of any DLP project. No matter how well you think you know your company, you might be surprised at what you find when you delve a little deeper under the hood. This intel can help you determine what processes and controls need to put in place and mitigate risk across the organisation. It also means that you are able to prepare and minimise any disruption to the organisation during DLP implementation.
Phase it in
Companies will often attempt to deploy DLP solutions all at once, without taking into consideration potential business disruption. By taking a calculated phased rollout, businesses can help to minimise disruption and tackle any potential issues one at a time. Completing the deployment in phases also gives organisations to learn at each stage and make adjustments where necessary. Thus making the project progress more smoothly and gain confidence from other stakeholders and senior management.
Stay tuned for next week’s article where we’ll share how we work with our customers to assess their current DLP capabilities, by mapping their business needs against their current technology stack and giving them actionable insights into how they can improve their DLP strategy.
*The Economist – The worlds most valuable resource is no longer oil but data
^ CNBC – Moodys downgrades Equifax outlook
see our
Related resources
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report used interviews with over twelve hundred of information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Cyber attacks and data breaches have been commonplace in the news headlines for some time now. Although a warning from the media is certainly helpful, there is so much more that can be done when it comes to threat intelligence sharing. Threat intelligence sharing is an important part of the global cybersecurity community effort to tackle cybercrime and should form a part of every organisation’s cybersecurity strategy. Sharing cyber threat intelligence enables organisations to make informed decisions about their cybersecurity, building more effective and robust cyber defences.
One of my favourite annual reports to read is the Verizon Data Breach Investigations Report. It’s packed full of insights about the threat landscape and security leaders, in my opinion, should read this report to get a pulse on what’s happening in cyber-scape.
After all, as cyber leaders, we are here to stop breaches – so the insights gained from real cyber incidents and breaches is gold in learning how to tighten up our defences.
All businesses, large and small, are under increasing pressure to demonstrate that they are managing the risk of cyberattacks. This means having the right processes and controls in place to identify risks and vulnerabilities, protect information, as well as detect, respond, and recover in the event of cybersecurity incidents. As such, many businesses are turning to certification authorities and security frameworks to demonstrate privacy and security best practice and achieve compliance with regulatory bodies. System and Organisation Controls (SOC 2) is one such compliance framework that can help organisations to create a structured approach to cybersecurity.
Frost & Sullivan has recently released its 2021 Frost Radar: Email Security report, where its findings provide a benchmarking framework to help businesses protect their email from cyber threats.
As we operate in an increasingly digital world, every business collect, store, and share more and more data. And, amongst that data is personal information. With the OAIC marking this year’s Privacy Awareness Week (PAW) from Monday 3 May to Sunday 9 May 2021, it’s time for us all to review how we protect our customers’ personal information.
We're Here To Help