9 tips for effective data loss prevention training – Part 2

c. Role-based training – Training in the abstract is seldom as effective as training that connects with an employee’s day-to-day job responsibilities. When developing a data loss prevention training program, a one-size-fits-all approach is unlikely to work, especially in medium and large-sized organisations. IT security administrators must craft different DLP training programs depending on the employee’s role in the organization and the confidential data they are privy to. Ideally, there should be a basic data loss prevention training program for all employees, then role-specific modules to address the data loss risks specific to certain jobs. For instance, the areas of emphasis in a data loss prevention training module for system and network administrators would be different from the areas of emphasis in a training targeting procurement and finance officers. At the end of role-based training, employees must be well versed in how they would respond when they are confronted with a particular scenario that is common to their job.

d. Make training a continuous process – There are two main reasons for ensuring data loss prevention training is an ongoing process. The first is the inherently finite retention capability of the human mind. One of the most widely accepted principles relating to any form of education and training is that you are more likely to remember something for the long term if you hear it more than once. No matter how effective a training program is, it is unlikely to bear the desired results if it remains a one-off event that takes place when the employee first joins the organisation.

The second reason for continuous training is the changing dynamics of the data loss landscape. Technologies in use in the office environment are constantly evolving. Just a few years ago, the laptop was the most significant point of vulnerability when it came to data loss via portable devices. Today, the points of vulnerability have grown to include smart phones, tablet PCs and high capacity removable hard drives. If an organisation does not schedule regular refresher training for all employees, members of staff may employ tactics that are out-dated and inadequate in dealing with the realities of new technology. In addition, DLP policy and procedure should not be static. Changes to policy may not only be driven by new technology but also by changes in the regulatory environment. The training should therefore provide an opportunity to bring employees up to speed with any amendments to data protection policy and procedure.

Most progressive organisations ensure that all employees undergo refresher training on data protection at least once a year. In addition, certain jobs that would be considered high risk as far as data loss is concerned could be scheduled for a higher training frequency e.g. every six months. Such high risk roles include system/network administrators and customer service representatives.

9 tips for effective data loss prevention training – Part 1

Given the large percentage of accidental data loss incidents that originate from within the organization, training is a must for any IT security administrator who would like to keep such employee-originated incidents at a minimum. Yet, not all training is equally effective. There are a number of ways that IT security administrators can make data loss prevention training effective and not just a routine employees need to go through to demonstrate compliance with internal training policy requirements.

a. Integrate data loss prevention training in overall staff education program – There are a number of benefits that would be realised by incorporating DLP training in the larger staff education strategy. First, it makes it easier to track compliance. Most ERP and HR systems have modules for tracking the training of each employee in an organisation. If each employee is required to attend at least one online or classroom DLP training session, such systems allow HR staff to quickly pull a report any time it is required that would show the list of employees that have gone through the training and those that are yet to do so.

The second is organisation. If DLP training is scheduled very close to other staff educational programs, the effectiveness of the training could be tempered by training overload. As long as timing for DLP training is planned with other educational programs in mind, programs can be spaced over time for maximum effect.

The third benefit is consistency. Organisational policy and procedure is not static and the subject matter of different areas often overlaps. For instance, data loss prevention policy overlaps in a number of respects with an organisation’s confidentiality policy, HR policy, IT policy, general security policy, record retention policy and legal policy. Any changes to these policies that touch on the organisation’s DLP policy should be reflected in the DLP training. That way, employees will not hear one thing in the HR policy training sessions and a different thing in the DLP training sessions.

b. Utilize all available channels of communication to disseminate data loss prevention awareness – The practicalities of training mean that most organisations are unlikely to be able to train all their employees more than twice a year. In fact, training once a year is the rule in many companies with the only exception being staff in high data loss risk and privileged access positions. So how do organisations ensure that data loss prevention remains at the top of mind of each employee? By combining training with awareness. Awareness can be as frequent as bi-weekly or monthly and may involve different channels including email, newsletters and articles on the first page of the corporate intranet. The communication can be as brief, simple and general as logging out of one’s workstation after use and secure disposal of paper documents when no longer required.

Data loss prevention risk assessment – A four step process

A risk assessment is one of the most important processes in DLP software implementation. Without it, business executives and IT security administrators may be groping in the dark and may install otherwise great DLP systems that deliver less than the desired results in preventing data leakage. Even in instances where a data loss risk assessment is performed, not all such assessments are carried out correctly. The following is a guideline on the four key steps that any DLP risk assessment must entail.

a. Requirements gathering – You cannot prevent data loss without clearly defining what it is you want to secure. During the requirements gathering phase, clearly document your organisation’s key privacy and data security priorities as they relate to confidential information on whatever medium it is stored. During this phase, consensus must be arrived at with all key stakeholders, including the identification of high risk data as well as senders and recipients of such data. Organise forums where security managers, IT managers, business line managers, project managers, subject matter experts, key decision makers and information owners drawn from different departments can brainstorm on the possible worst case data loss incidents. One of the key results from the requirements gathering phase would be a Severity Scorecard where scenarios would be graded depending on their impact on the institution.

b. Policy definition – Once the requirements have been determined, data protection and data loss prevention policy can then be clearly defined. The policies should be consistent with the priorities established by the requirements gathering processes.

c. Monitoring of confidential data – This is where appropriate DLP software is selected and installed based on the overall requirements as well as the policies defined. The selected software is the one that demonstrates the ability to fulfil all (or closest to all) the expectations of the data protection policy. The ideal DLP system is one that comprehensively monitors data in motion, at end points and at rest. It should have the ability to intercept and see through all key protocols and media formats including email, FTP, instant message and web data. To ensure uninhibited access, there will be a need to tweak the configuration of Active Directory and similar network management tools to ensure that the software has the required levels of access to all data that needs to be monitored. The monitoring by the DLP software helps dimension the quantity and complexity of data that needs protection.

d. Presentation to executive management – All key decision makers are called in for a presentation on all key findings. The presentation should be brief enough to hold the executives’ attention but long enough to capture all the important elements of the risk assessment. A 45-minute to one-hour presentation will usually be more than enough to present all the ‘headlines’ and provide a basis for subsequent decisions.

Emergence of DLP tools for tablet PCs

Symantec recently announced the deployment in 2012 of DLP software specifically built for tablet PCs. It would be easy to dismiss this as yet another attempt by a high profile vendor in the security space to ride on what is the fastest growing niche in the computer-smartphone market. In reality however, the growing use of tablet PCs and their gradual creeping into the workplace environment makes it difficult to ignore the unique threat these new gadgets pose.

As institutions seek to cut costs while improving process efficiency, the concept of ‘bring your own’ is becoming increasingly common. And now that tablet PCs are edging out laptops and desktop computers as the preferred device for personal computing, it is not surprising that there is more intermingling of personal and business data through these devices. Businesses are now waking up to the potential loophole that tablet PCs may present on an otherwise secure network.

Of course Symantec’s announcement is not the first foray by security vendors into securing mobile devices. There have been a number of attempts to protect tablet PCs and other portable devices but these have run into a number of challenges.

Probably the biggest hurdle is the new territory that the most dominant operating systems in this niche present. Unlike the laptop and PC market where Windows is the leading operating system, the iPad’s dominance means over 85% of tablet PCs run on Apple’s iOS. The iOS is legendary for firewalling its apps, thus preventing the intrusion from outside that a conventional DLP installation expects.

The second most dominant platform is Google’s Android OS which, though drawing a lot from Linux, is still a different proposition to the platform most DLP software is built for – Windows. Whereas some experts have projected growth in the use of Windows Phone OS thanks to Microsoft’s collaboration with Nokia, the iOS and Android OS are currently the most relevant platforms for tablet PCs that DLP vendors must focus their energies on.

It is the difficulty in securing the iPad via conventional DLP techniques that has probably seen Symantec take a different approach of focusing on the communication entering or leaving the iPad via HTTP and HTTPS protocols. Unsurprisingly, this is achieved via an iPad app that identifies all HTTP and HTTPS data packets then routes them to an enterprise DLP server prior to forwarding to their intended destination.

The Symantec DLP app for the iPad is an extension of Symantec’s enterprise DLP offering and integrates with the same server used to protect data on the laptops and desktop computers on the same network. Symantec’s solution falls short in a number of areas. The main drawback is its inability to filter data transferred from the iPad direct to a laptop or computer via a wireless LAN.

Privacy impact analysis and DLP systems

Data loss prevention software straddles a delicate line that other IT security systems do not. In many respects, DLP software is intrusive. The need to perform content and context analysis on data at rest, in motion and at end points inevitably involves sifting through tons of irrelevant and out of scope data.

Some of this data is private employee information. Because of privacy laws in many key jurisdictions the world over that provide stringent guidelines on handling of personal information, a privacy impact analysis is an important part of any DLP implementation.

But what is a privacy impact analysis? In a nutshell, it is the assessment of the privacy risks posed to individuals by any process that involves the collection, distribution, disclosure and use of their information.

The goal of the PIA is to proactively identify these risks then develop appropriate measures to mitigate against the impact of such risks materializing. In many major business jurisdictions such as the US and the UK, there is no law that explicitly requires organisations to perform a PIA.

There are many reasons to do a PIA prior to procuring and implementing a DLP system. First, it helps IT security administrators identify privacy risks to employees. Second, it creates a clear picture of the liabilities a business can expect to face if it does not comply with relevant privacy laws.

Third, PIA builds confidence in employees that management is indeed committed to ensuring that DLP software will not unnecessarily intrude into their privacy and that DLP implementation will be carried out within the confines of privacy laws.

Fourth, the PIA reduces the likelihood of expensive correction later on when it is realised that a certain aspect of the DLP system configuration is in conflict with privacy laws. Last, it builds overall institutional awareness on the legal framework that regulates the greater data protection sphere.

The best time to perform a PIA is when an organisation has determined the need to install a DLP system. However it ought to be before any difficult-to-rollback decisions are made, before the software is procured and before any vendor contracts have been signed.

There are ideally two phases of a PIA. The first is an initial assessment that determines whether there are grounds to conduct a fully-fledged privacy analysis. This should be very early in the DLP framework i.e. at policy and strategy definition.

The assessment would look at who are the key stakeholders in the DLP implementation space and determine who is likely to be affected. Naturally, employees are the most affected demographic for DLP software but it is possible that other groups too may be impacted such as third party service providers.

Once this initial assessment is complete, a decision can be made on whether an intensive PIA is necessary. If it is deemed necessary, the full-scale PIA involves delving into the potential liabilities, consulting with all key stakeholders and developing solutions that would mitigate all significant risks.

Third Party Service Providers and DLP

‘Outsource’ is one of the big words of the business environment today. In the past, organisations would do virtually all their tasks in house and only look outside for stationery and equipment supplies. Nowadays, the agenda has shifted toward pushing to third parties all processes deemed ‘non-core’ so more energies can be devoted towards ‘core’ processes.

In some cases, the information that is entrusted to the third party is relatively harmless. But at other times, it is necessary for a third party entity to be granted access to sensitive information. The nature of information sharing may be to the extent that the third party not only accesses and processes the data, but that they also manage and store it.

And it is herein that lies a major risk of data loss. An organisation must ensure that all third parties that handle its sensitive data do not become weak points for data leakage. This is because even when processes are outsourced, ultimate responsibility for securing sensitive data still rests with the organisation’s management.

One of the most effective ways to ensure that a third party does not become a weak link in the data loss prevention chain is by carrying out a risk assessment. Because the confidential information handled by different third parties may be of varying sensitivity, the third party data risk assessments should be planned and performed based on an initial appraisal of the third parties.

A data loss risk assessment may be performed remotely or at the third party’s site. Remote assessment would be done through questionnaires, telephone calls, review of emailed documentation and boardroom meetings.

An onsite assessment is far more involving and will usually start with some elements of remote assessment such as telephone calls, emails and questionnaires, before one or more site visits are conducted to confirm the state of affairs on the ground.

The data loss risk assessment should not be a one off event where a third party is evaluated once and deemed compliant going forward. Best practice requires that the risk assessment be conducted at least once a year to ensure that the data loss prevention standards at the third party remain at the desired level.

In case any control gaps are identified during the data loss risk assessment, the third party should provide an acceptable timetable for corrective action after which a mini-assessment can be conducted to confirm that the issue has indeed been closed.

DLP considerations in managing employees leaving the organization

Statistics have shown time and again that the majority of data loss incidents today are attributable to current or former employees. But it is departing employees that probably present the greater risk. Whether they are leaving voluntarily or involuntarily, a departing employee does not have the same degree of allegiance to the organisation as the colleagues he or she is leaving behind.

Despite the unethical and unprocedural nature of the practice, it is commonplace (almost acceptable in some industries) for departing employees to carry some confidential organisational data with them to their new employer. Businesses must therefore establish a structure that makes it difficult for an employee leaving the organisation to depart with sensitive information.

Preventing data loss through an employee on their way out of the organisation can be achieved using DLP software. However, DLP software can only be as effective as the overall organisational policy and procedure around departing employees.

So how should IT security administrators counter the data loss risk from departing employees? First, all managers and supervisors in an organisation should be charged with the primary responsibility of notifying IT security administrators of any change in employment status of the persons under their charge.

The notification must be done as soon as possible but with an upper time limit e.g. 24 hours. Every minute that passes without the ex-employee’s system rights being disabled after they leave is one more minute of risk to the organisation in the event the ex-employee decides to go rogue.

If the departing employee is not leaving immediately e.g. if they have given one month’s notice to leave the organisation, then the communication to IT security administrators should also include such information.

For the entire process to work well, the time limit within which supervisors and managers must provide communication of their direct reports leaving the organisation must go hand in hand with similar time limitations for IT security administrators. Some organisations give IT security administrators 7 days within which they should make the changes.

But 7 days is too long a time given the amount of data that a rogue ex-employee can retrieve. Instead, a tiered approach may be more effective where sensitive accounts such as system administrators are disabled within 24 hours from when information of the employee leaving is received.

There should also be regular access right reviews. At least every 6 months, managers should be required to assess and attest to the rights of system users in their department.
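The time limits described above can be checked mechanically against HR and directory exports. The following is an added example, not part of the original article: it flags late manager notifications, accounts disabled after (or still enabled past) their tier deadline, and departments whose access attestation is older than six months. The record layout, the 72-hour standard tier and the rule that the clock starts at the later of notification and last working day are assumptions; all sample records are constructed.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

NOTIFY_SLA = timedelta(hours=24)        # manager -> IT security, per the text
DISABLE_SLA = {
    "privileged": timedelta(hours=24),  # e.g. system administrators, per the text
    "standard": timedelta(hours=72),    # assumed; the text only rules out 7 days
}
REVIEW_MAX_AGE = timedelta(days=183)    # attestation at least every 6 months

# Constructed sample records (hypothetical field names, not real data).
NOW = ts("2024-03-10 09:00")
DEPARTURES = [
    {"user": "alice", "status_changed": ts("2024-03-01 09:00"),
     "notified": ts("2024-03-01 15:00"), "last_day": ts("2024-03-01 17:00")},
    {"user": "bob", "status_changed": ts("2024-03-04 09:00"),
     "notified": ts("2024-03-06 10:00"), "last_day": ts("2024-03-04 09:00")},
    # carol is serving one month's notice, so nothing is due yet
    {"user": "carol", "status_changed": ts("2024-03-08 09:00"),
     "notified": ts("2024-03-08 11:00"), "last_day": ts("2024-04-08 17:00")},
]
ACCOUNTS = [
    {"user": "alice", "account": "alice-adm", "tier": "privileged",
     "disabled_at": ts("2024-03-03 12:00")},
    {"user": "alice", "account": "alice", "tier": "standard",
     "disabled_at": ts("2024-03-02 09:00")},
    {"user": "bob", "account": "bob", "tier": "standard", "disabled_at": None},
    {"user": "carol", "account": "carol-adm", "tier": "privileged",
     "disabled_at": None},
]
ATTESTATIONS = {"finance": ts("2023-08-01 00:00"), "it-ops": ts("2024-01-15 00:00")}

def offboarding_findings(departures, accounts, now):
    """Return (subject, issue) pairs for every missed time limit."""
    findings = []
    for d in departures:
        if d["notified"] - d["status_changed"] > NOTIFY_SLA:
            findings.append((d["user"], "late manager notification"))
        # Assumption: the disable clock starts at the later of the
        # notification and the employee's last working day.
        start = max(d["notified"], d["last_day"])
        for a in (x for x in accounts if x["user"] == d["user"]):
            deadline = start + DISABLE_SLA[a["tier"]]
            if a["disabled_at"] is None:
                if now > deadline:
                    findings.append((a["account"], "still enabled past deadline"))
            elif a["disabled_at"] > deadline:
                findings.append((a["account"], "disabled late"))
    return findings

def stale_reviews(attestations, now):
    """Departments whose last access attestation is older than six months."""
    return sorted(d for d, last in attestations.items()
                  if now - last > REVIEW_MAX_AGE)
```
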