Due to their size, enterprises have many security issues to consider when establishing a comprehensive data security strategy. One security need that is especially critical for larger companies - because they typically have many employees and large volumes of sensitive data - is proper data leak prevention.
As a provider of data loss prevention solutions to many enterprise companies, we wanted to learn more about some of the most common (and avoidable) mistakes companies make when using data leak prevention tools. To do that, we asked a group of data security experts this question:
"What's the biggest mistake companies make in purchasing and implementing data leak prevention tools?"
See what our experts had to say below:
Meet Our Panel of Data Security Experts:
Mike Meikle
Mike Meikle is Partner at SecureHIM, a security consulting and education company that provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. He has worked within the Information Technology and Security fields for over fifteen years and speaks nationally on Risk Management, Governance and Security topics. He has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times and Chicago Tribune. He holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.
There are two big mistakes companies make in purchasing and implementing data leak / data loss prevention tools...
The first is the lack of a data inventory and audit before a data loss prevention (DLP) tool is purchased. If a company does not know where its data resides, who its owners are, whether the data it stores is critical or non-critical and what data security regulatory requirements must be met, then procuring and implementing a DLP tool before all these questions are answered is a path to failure.
The next mistake that is commonly made is to treat the implementation of a DLP tool as a technology project, not a business program. When an enterprise commits to the implementation of a DLP product, it must realize that the hard work begins once the tool is in place. Data will have to be discovered, classified and categorized based on a variety of factors on an ongoing basis. It will move from a project to a long-term program that must remain staffed for the life of the product.
If this is not done then the tool will eventually fall into disuse as staff is reassigned to other initiatives and executives place other priorities on the information technology department. A DLP tool and its program must be aligned with the business and have a business owner for it to be successful.
Carlos Pelaez
Carlos Pelaez is the National Practice Leader of cyber security firm Coalfire Systems Inc.'s practice area focused on serving Service Organizations and Internal Audit departments. He provides the framework and methodology to local audit teams so that they may be well equipped to validate compliance and cyber security needs for cloud based solutions.
The biggest mistake companies make in purchasing and implementing DLP tools is that...
They do not have an extensive inventory of their assets and data flows.
These are key because if you do not know all the servers, firewalls, and computers that you have in your inventory, how will you know where to prevent the leak? If you do not have a comprehensive view of the data flows of critical information in your IT environment, including the network and system jumps, how will you know what data is worth monitoring?
Companies forget to do the basics: complete a comprehensive inventory of all assets and map out all your data flows. These are not only a best practice, but a pre-requisite to maximizing your ROI when purchasing and implementing DLP tools.
Anatoly Bodner
Anatoly Bodner is an industry-recognized information and infrastructure security professional, subject matter expert and event speaker. Anatoly currently serves as the Information Security Officer and Director of the Data Protection Practice for NTT Com Security, a global security consultancy organization.
The biggest mistake we regularly see organizations make when making a purchasing decision on data protection technologies, including DLP, is...
Making a product decision without taking the time to define their data protection strategy and develop core technical and business requirements and environmental considerations.
My team engages with clients across different points of their data protection lifecycle, and we frequently see organizations making a reactive decision to acquire DLP technologies, and base their purchasing decision on either existing vendor preferences or pure pricing considerations.
When companies don't take the time to learn and understand the pros and cons of each technology offering against their core technical and business requirements, it frequently ends up back-firing. Selecting a solution that doesn't fit their core requirements can result in short and long-term technical integration and reliability challenges, high operational overhead, and missed business expectations.
Hitesh Dev
Hitesh Dev is President of CMIT Solutions of Reston-Herndon, the small business IT support and services company for Reston, Sterling, Herndon and Great Falls, Virginia.
As per my experience the 2 biggest mistakes companies make in purchasing and implementing DLP tools are:
- Not picking a tool specific to your domain. It is very important to pick a data loss prevention tool specific to the industry domain. For example, medical establishments are liable to hefty fines as per the HITECH Act.
- Picking a tool with an inadequate rules/policy engine. A good DLP tool should have a strong policy/rules engine since most of the business value brought by DLP is driven by their processes, policies, and rules.
Reuben Yonatan
Reuben Yonatan is the Founder and CEO of GetVoIP - a comparison resource for cloud communication solutions. His writings blend commentary, research, and perspective on software trends, business strategies, and enterprise communication.
The one mistake that many companies make in implementing data leak prevention (DLP) tools is:
TOO MUCH DLP.
Yes, there is such a thing. Hear me out. You've undoubtedly heard the story of the boy who cried wolf. Well, you can cry wolf on your DLP too. Here's how:
- Encrypt everything. Everything needs to be safeguarded, right? Well, it turns out that no, some things need to be protected more than others. You have to do the hard work of classifying what you spend your time and money protecting.
- Find everything. On our lunch break, people do many personal things, like updating our social networking, paying some bills, and having private family communication. DLP can, but should not, sniff out personal information about employees.
- Block everything. Some filters err on the side of too much. If the threshold is too high, employees won't be able to do the right research for their projects.
- Think you know everything. Deploying DLP will not magically hide your data in another dimension where hackers can't get it. It will make things safer, but you have to be smart. DLP also won't do you any good if your password is 123456.
Bill Ho
Bill Ho is the CEO of Biscom, the leading provider of secure file transfer, fax, and enterprise file synchronization and sharing solutions for the enterprise. He has over 20 years' experience in the technology industry, heading security initiatives, and most recently participated in the Harvard Business School's panel on cyber security.
The biggest mistake companies make in purchasing and implementing data leak prevention tools is...
Not educating and investing in their employees.
There are many security technologies that can be used to prevent intrusion and data theft, but we can't just keep dropping money into firewalls, web gateways, IPS devices, and the tools of tomorrow.
Businesses have to invest in their employees, educating them on what to look for, what not to click on, and when to call the security office. It might not prevent every sophisticated attack, but it could help prevent the theft of millions of dollars.
In a recent incident, employees unknowingly downloaded malware when they clicked on emails sent by cybercriminals. That malware then allowed them to access ATMs, transfer money, and steal at least $300 million. But if the employees had been educated, had known not to click on the email attachments, had stopped to verify the identity of the sender, that amount may have been significantly less, if not zero.
We can't keep treating the end users as the problem. We have to treat them as part of the solution. They are our front line against attacks, and we need to prepare them as such.
Brian Dykstra
Brian Dykstra is the CEO of Atlantic Data Forensics, Inc., a full service Computer Forensics, eDiscovery, Cybercrime and Expert Witness services company located in Columbia, MD. Mr. Dykstra has over 20 years' experience in investigations, computer forensics, incident response, network and wireless infrastructure testing and information security. Prior to starting Atlantic Data Forensics, Mr. Dykstra was the CIO & Director of Professional Education and a founding member of Mandiant, where he was responsible for the development and management of numerous advanced computer security and cybercrime investigation courses. While at Mandiant, Mr. Dykstra trained over 400 FBI Cyber Crime agents annually as well as state and local investigators through a series of highly acclaimed cybercrime investigation courses. Mr. Dykstra was a Counterintelligence Special Agent and a certified Technical Surveillance Countermeasures (TSCM) Special Agent with the United States Army's Military Intelligence Branch, where he specialized in investigations and information warfare.
The two problems we've seen with purchasing and implementing DLP:
- Not fully testing and preparing to roll out a DLP solution. We've seen conflicts between various parts of the organization on DLP (IT vs Security, Security vs Ops, etc.). We've seen conflicts between existing management or security apps and DLP solutions. We also frequently see situations where the company implementing DLP hasn't fully classified their data and made decisions about what needs to be protected and to what level. All of these discussions can be time consuming and filled with disagreements, so they get avoided and result in an ineffective DLP program.
- Companies limiting the coverage of their DLP program due to cost or internal politics. Most small companies simply don't have the budget for a DLP solution, so we usually only see them implemented by the largest companies. No large company became large through strictly internal, organic growth. Large companies are usually the product of many years of mergers and acquisitions. Many times, large corporate networks are managed differently based on history, geographic location or business function. The result is that a DLP program is implemented in only one part of the company, leaving large quantities of the company's data in other areas unprotected.
Paul Caiazzo
Paul Caiazzo is a cyber security expert, entrepreneur and strategist. As Principal and co-founder of TruShield Security Solutions, Inc, Paul is responsible for developing corporate strategy and leading the technical product and service development efforts. Paul also is TruShield's federal service lead, and brings many years of experience solving complex cyber security challenges within the federal space. Paul participates in a number of federal-level working groups aimed at defining the standards and technologies the U.S. federal government will use to protect the security of government networks, including the Continuous Monitoring Working Group, the Continuous Diagnostics and Mitigation Working Groups, and the Federal Identity, Credential and Access Management working group.
There are a number of ways to implement DLP tools, however there are some significant pitfalls which must be avoided to gain any true value from the not insignificant investment DLP represents...
DLP can be implemented in a network-centric or an endpoint-centric manner. Network-centric will monitor network traffic for keywords or file types being transmitted, usually at the perimeter of an organization's network, and alert an administrator when a potential violation occurs.
Endpoint-centric takes the approach of monitoring on the endpoints themselves - user workstations, servers where information is stored, or preferably both. Both have some pros and cons. Network-centric really only works in an organization with a centralized channel out of the organization. Organizations with satellite offices each with their own Internet connection will struggle to implement this effectively.
Additionally, a network-centric deployment is easily defeated by simply encrypting data, which neuters the DLP system's ability to perform the content inspection upon which it relies. Endpoint-centric, sometimes also called data-centric, is more effective in most cases, but also usually more expensive to implement. Since the monitoring occurs at the endpoint, it is more difficult - but far from impossible - to circumvent.
In both cases, proper configuration and ongoing tuning is absolutely vital. A poorly implemented or tuned DLP system will fire out hundreds, or thousands of false positives, and condition administrators to ignore the alerts, negating the investment in the technology. The DLP architect must bring together the network engineering, server engineering, desktop engineering, user support and, critically, information owners to identify controlled information, normal behavior and data flows, and anomalous behavior indicating potential policy violations.
All that said, no DLP is a silver bullet. An organization that employs a well-configured DLP system, but fails to implement controls blocking the installation of a rogue Wireless Access Point has given malicious insiders a covert channel over which to exfiltrate data in a completely uncontrolled manner. So, like anything dealing with cyber security, DLP is a link in the long chain of controls which should start with policy, training, and awareness, and end with technical controls which serve to enforce them.
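The trade-offs in this answer, shown as an added example that is not from Paul Caiazzo or from any DLP product: a small Python content inspector in which a checksum test trims false positives, and an opaque payload gives the inspector nothing to read, so it can only be flagged as uninspectable. The keywords, thresholds and sample payloads are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
KEYWORDS = ("confidential", "internal only")  # constructed policy keywords
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for opaque content
MIN_ENTROPY_BYTES = 256   # short payloads cannot be judged by entropy


def luhn_ok(digits: str) -> bool:
    """Checksum carried by payment card numbers; rejects arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; close to 8 for encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect(payload: bytes, validate_luhn: bool = True) -> list:
    """Return the sorted findings for one outbound payload."""
    findings = set()
    text = payload.decode("latin-1").lower()
    for kw in KEYWORDS:
        if kw in text:
            findings.add("keyword:" + kw)
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # Tuning step: without the checksum, any long digit run raises an alert.
        if not validate_luhn or luhn_ok(digits):
            findings.add("card_number")
    # Content rules cannot see inside ciphertext; report that fact instead
    # of silently passing the payload as clean.
    if (len(payload) >= MIN_ENTROPY_BYTES
            and shannon_entropy(payload) > ENTROPY_THRESHOLD):
        findings.add("uninspectable_high_entropy")
    return sorted(findings)


# Constructed sample payloads.
SAMPLES = {
    # Order number that looks like a card number but fails the checksum.
    "invoice": b"Order 1234567890123456 shipped to warehouse B, 3 items.",
    # Keyword plus a well-known test card number.
    "email": b"CONFIDENTIAL: customer card 4111 1111 1111 1111, please process.",
    # Deterministic pseudo-random bytes standing in for an encrypted upload.
    "opaque": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "untuned:", inspect(payload, validate_luhn=False),
              "tuned:", inspect(payload))
```

A high-entropy verdict only means the content could not be read; compressed archives and media trip it too, so it is a reason to hand the transfer to an endpoint control or a review queue rather than proof of a leak.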
Rich Silva
Rich Silva is the Founder and President of Pain Point IT Solutions Inc., a Managed IT Services Company headquartered in Poughkeepsie, New York. After a 19 1/2 year run as a manager of a Network Engineering group and IT Support group for the same company, Rich took the leap of faith and started his own company with the goal to provide small and medium sized businesses without full-time IT personnel the tools they need to maintain their IT and telephony systems.
The biggest mistake that companies make in purchasing and implementing data leak prevention tools is...
To believe that a hardware or software solution is the final answer to their issues.
While the technology is designed to assist, it is still imperative that companies educate their employees to the dangers of fraud as they still exist out there. I've worked with clients that had data leak prevention tools in place and their data was compromised when one employee opened the door to a cold-caller claiming to be from their IT support group requesting remote access to their computer. Education and awareness of scams is just as important, if not more, than technology.
Darren Guccione
Darren Guccione is the CEO of Keeper Security, Inc., a password manager and secure digital vault.
One core component that people should utilize and understand when purchasing and implementing data leak prevention tools is...
The concept of zero-knowledge security.
Zero-knowledge security means that the private encryption key resides with the user and encryption occurs at the device level (your phone, tablet, computer, etc.). This means that nobody (including the company that provided you the tool) except the user is able to decrypt and access their data. For people that utilize traditional cloud storage technologies, they should understand that with these technologies, the encryption key and the underlying encrypted file reside in the same place, so a hacker can unlock the files once they gain access.
There are several traditional cloud storage platforms today that do not practice zero-knowledge architectures. This creates inherent risks for a user since the provider can often access the user's encryption key and, theoretically, decrypt and view information being stored in the cloud. This further creates risk for the provider since a hacker, in the event of a breach, could potentially gain access to both the encryption key and binary file - which would allow the hacker to decrypt and view the data.
For zero-knowledge security platforms, the software provider does not have access to or knowledge of the user's master password or the encryption key and thus is not able to access those files, locally on a user's device(s) and in the cloud.
Two-factor authentication (2FA) is also a strong method to prevent unauthorized access from hackers. Implementing 2FA ensures that a user can confirm access through two methods, typically something the user knows (e.g. a password) and something in their possession (e.g. a smartphone).
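The zero-knowledge arrangement described in this answer, as an added example that is not Keeper's code or Darren Guccione's: the key is derived on the device from the master password, and the provider's stored record is compared with one where the provider keeps the key beside the ciphertext. All function names are hypothetical, and an HMAC-SHA256 counter keystream with encrypt-then-MAC stands in for a vetted AEAD such as AES-GCM so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed PBKDF2 work factor for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 over nonce || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC using two 32-byte subkeys split from a 64-byte key."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}


def unseal(key: bytes, record: dict) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct = record["nonce"], record["ciphertext"]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def device_key(master_password: str, salt: bytes) -> bytes:
    """Runs only on the user's device; the result is never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               salt, ITERATIONS, dklen=64)


def zero_knowledge_upload(master_password: str, plaintext: bytes) -> dict:
    """Device side: returns everything the provider gets to store."""
    salt = os.urandom(16)
    record = seal(device_key(master_password, salt), plaintext)
    record["salt"] = salt  # the salt is not secret
    return record


def device_download(master_password: str, record: dict) -> bytes:
    return unseal(device_key(master_password, record["salt"]), record)


def provider_keyed_upload(plaintext: bytes) -> dict:
    """Contrast case: the provider generates the key and stores it alongside."""
    key = os.urandom(64)
    record = seal(key, plaintext)
    record["key"] = key  # key and ciphertext reside in the same place
    return record


def readable_from_dump(record: dict):
    """What a copy of the provider's stored record alone lets a reader recover."""
    if "key" in record:
        return unseal(record["key"], record)
    return None  # no key material stored; only the device can derive it


if __name__ == "__main__":
    secret = b"constructed payroll export"
    zk = zero_knowledge_upload("correct horse battery staple", secret)
    keyed = provider_keyed_upload(secret)
    print("zero-knowledge dump readable:", readable_from_dump(zk))
    print("provider-keyed dump readable:", readable_from_dump(keyed))
```

With no key on the provider's side, the protection of a stored record rests on the master password and the key-derivation work factor, which is why the answer pairs the design with a strong password and 2FA.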
Michael Fimin
Michael Fimin is an accomplished expert in information security and the CEO and Co-founder of Netwrix, the #1 provider of change and configuration auditing solutions. Netwrix delivers complete visibility into who did what, when and where across the entire IT infrastructure.
After your company has implemented a DLP (data leak prevention) solution, the biggest mistake is...
To think that expensive security policy components are effective by default.
Increasing investments on security measures still does not guarantee total protection. Your IT infrastructure, just like any house, can be burgled, being a target for attacks from outside as well as suffering from insider data leaks. The massive Target security breach is the brightest example - they had spent $1.6 million on a malware detection system, but still overlooked its warnings about the intrusion.
The main lesson companies could learn is to avoid having a false sense of security and act as if IT security has already been violated. Assume that your IT infrastructure has already been breached and try to think as a hacker. Where does he go next? What might he search? According to this, segment your network to complicate access to sensitive data and grant access privileges on a need-to-know basis. Always know what is going on across the entire IT infrastructure.
Complete visibility will ensure that no malicious activity is unnoticed. This practice will not only save you from security violations, but also will help detect security breaches early and fix vulnerabilities before it's too late.
Paul Kubler
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. With several years of experience in cybersecurity and digital forensics, he conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening the systems and deploying protection over an international organization. He has also created business networks with a defense in depth strategy and implemented firewalls on these networks.
The biggest mistake companies make when purchasing and implementing data leak prevention tools is...
Thinking that this will make the data safe, and no more needs to be done.
There are a few situations that can bypass most tools: an insider stealing data they are authorized to access, privilege creeping or accidental access, or a hacker impersonating an authorized user.
In the first situation, which is a common occurrence, an employee steals the data they have legitimate access to because they are disgruntled or paid by an outside party.
In the second situation, the problem becomes permissions, where IT staff either lets users' permissions grow beyond what they need (the principle of least-privilege becomes violated) or they accidentally give a user unwarranted access to data. This can happen if the admin misspells a name or selects the wrong user to give access, or if they give full access when a user only needs partial.
The last situation is rarer, but can happen to employees who are not secure with their system accounts. This can happen if they leave passwords on sticky notes and someone else logs in as them, or an attacker cracks the password and accesses their account.
All of these situations can be avoided by: staff rotation, privilege audits, account protection audits, defense-in-depth, and a number of other techniques in addition to data leak prevention tools.
J Wolfgang Goerlich
J Wolfgang Goerlich is Cyber Security Strategist with CBI, an IT Risk Management company.
The biggest mistake we see companies making with data leak protection tools is...
Not considering the life of data leak prevention after implementation.
DLP has touch-points into acceptable use policies, security awareness, incident response, and more. Rolling from implementation into support requires managing these touch-points and integrating DLP with other security functions to operationalize the technology. When companies fail to see the return on DLP, the underlying cause is often the failure to shift smoothly from implementation to operations.
Paul Hill
Paul Hill is a Senior Consultant with SystemExperts, an IT compliance and network security consultancy.
The biggest mistakes that companies often make when purchasing and implementing data leak/loss prevention (DLP) fit into the following categories:
- inadequate risk analysis prior to product selection
- inadequate investment of time in configuration and tuning
- failure to set expectations with business units
- failure to work closely with business units when tuning the configuration
Selecting the right tool for an environment can be difficult. There are typically many potential egress routes for data. These may include removable media, email, instant messaging, ftp, web applications, and even paper copies.
The risks of each mechanism should be assessed to then determine which tool can best address the particular methods of egress that are deemed the most risky. Few, if any, tools will excel at DLP for all potential egress routes.
DLP tools can be disruptive to a business if not carefully configured and tuned. False positives can disrupt normal or essential business operations. To avoid this, many DLP tools default to a passive mode, simply recording potential leaks. This is done so that customers can tune the product to reduce or eliminate an excessive number of false positives before enabling prevention.
Unfortunately, in some organizations, the tool is bought, deployed, and its configuration is never adjusted. The tool quietly records detections, but it is never configured to prevent data leaks. In more than one case, an organization thinks it has prevented leaks, but is in fact only recording leaks.
DLP can be difficult to deploy successfully. It is not a matter of simply purchasing the product and turning it on. The team responsible for the operation of the DLP product will need to work closely with business units. It requires setting expectations and working with the business units to tune the system so that normal processes are not disrupted.
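The gap between recording and preventing that this answer describes can be measured. The following is an added example, not Paul Hill's and not any product's report: it takes a constructed rule set and a constructed alert log with analyst dispositions, and sorts rules into those enforcing, those ready to enforce, those needing tuning, and those that have only ever recorded. The rule names, the "monitor"/"block" mode labels and both thresholds are assumptions.

```python
from collections import defaultdict

# Constructed rule set: "monitor" only records, "block" prevents.
RULES = {
    "card-numbers-email": "monitor",
    "source-code-usb": "monitor",
    "hr-records-web-upload": "monitor",
    "customer-db-ftp": "block",
}

# Constructed alert log: (rule, analyst disposition, or None if never reviewed).
ALERTS = (
    [("card-numbers-email", "true_positive")] * 19
    + [("card-numbers-email", "false_positive")] * 1
    + [("source-code-usb", "true_positive")] * 4
    + [("source-code-usb", "false_positive")] * 16
    + [("hr-records-web-upload", None)] * 37
    + [("customer-db-ftp", "true_positive")] * 6
)


def audit(rules, alerts, min_triaged=20, min_precision=0.9):
    """Classify each rule by mode and by how its reviewed alerts turned out."""
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "unreviewed": 0})
    for rule, disposition in alerts:
        bucket = {"true_positive": "tp",
                  "false_positive": "fp"}.get(disposition, "unreviewed")
        stats[rule][bucket] += 1

    report = {}
    for rule, mode in rules.items():
        s = stats[rule]
        triaged = s["tp"] + s["fp"]
        precision = s["tp"] / triaged if triaged else None
        if mode == "block":
            status = "enforcing"
        elif triaged < min_triaged:
            # Deployed and detecting, but nobody has tuned or reviewed it.
            status = "recording_only_unreviewed"
        elif precision >= min_precision:
            # Few enough false positives to enable prevention.
            status = "ready_to_enforce"
        else:
            status = "needs_tuning"
        report[rule] = {
            "status": status,
            "precision": precision,
            # Confirmed leaks the tool saw but did not stop.
            "leaks_recorded_not_blocked": 0 if mode == "block" else s["tp"],
            "unreviewed": s["unreviewed"],
        }
    return report


if __name__ == "__main__":
    for rule, row in audit(RULES, ALERTS).items():
        print(rule, row)
```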
Carl Mazzanti
Carl Mazzanti is Founder and CEO of eMazzanti Technologies, Microsoft's 2012 Partner of the Year and 2013 Northeast Region Partner of the Year, and a premier IT consulting firm throughout the New York metropolitan area and internationally. His company specializes in multi-site implementations, outsourced network management, remote monitoring, and support for small and mid-sized businesses. Under Carl's leadership, the company has made the Inc. 5000 list of fastest growing companies five years running. A frequent business conference speaker and technology talk show guest, Carl has often contributed at Microsoft-focused events, including the Microsoft Worldwide Partner Conference (WPC). His clients have been featured in over 60 Microsoft videos and case studies.
In the security space, one of the biggest mistakes a company can make with data leak prevention is...
Overlooking the fact that one's own staff can be one of the biggest security threats.
While technology tries to address these challenges, only a combined effort from management and tools really makes the difference.
Dave Blakey
Dave Blakey is CEO of Snapt. Born in the cloud, Snapt's software-based application delivery controller (ADC) and load balancer solutions power fast, secure delivery of business-critical applications anytime, anywhere, on any device, platform, or cloud-based infrastructure. The South African company experienced 400% growth in 2014 and now serves 10,000 customers in 50 countries. This month they opened their first U.S. operations headquarters in Atlanta, Georgia.
What's the biggest mistake companies make in purchasing and implementing data leak prevention tools?
Not having a comprehensive solution.
Organizations need an end-to-end web application and database security solution to protect data, customers, and their businesses.
Unlike complicated hardware-based solutions that require advanced training and specialized users, software-based security and DDoS solutions provide greater performance and customization. They're also easier to use and can be run by anyone regardless of technical skill.
Luke Moulton
Luke Moulton has worked in the security industry for the last 7 years. He's now working with security startup BreachAlarm.com. BreachAlarm indexes leaked email/username databases, giving businesses and individuals an early warning system for data breaches.
The biggest mistake companies make is that they ignore the number 1 security threat to their business:
Employees.
Surveys have shown that 50% of people use the same email/password login details to sign up to online services. So what happens when one of these websites gets hacked, as global software provider Adobe did in 2013, spilling 152 million email/password records?
Hackers get hold of these email/password databases, readily available in public hacker communities, and run scripts to try to login to websites such as Facebook, Twitter, Ebay and PayPal. They run filters to find email addresses from large businesses that could lead to them accessing sensitive company data.
Mark Stamford
Mark Stamford is President and Founder of OccamSec LLC, a New York City-based security firm. Mark has over 16 years' experience in IT security, operations, control assessment, and reengineering. Prior to OccamSec he worked for UBS AG as the director of threat and vulnerability management. Before that he worked at KPMG where he was a senior penetration tester and managed a variety of security engagements. Prior to KPMG he worked at a financial services company in London.
The biggest mistake companies make in purchasing and implementing data leak prevention tools is...
Not considering all the ways that data can in fact "leak."
It's not just someone putting PII in an email. Files can be uploaded to websites, data can be encrypted, USB drives, cell phones etc... the list of ways it can be taken out of an organization is almost endless (you can also print it on paper). Without considering the threats the organization is actually dealing with (who is going to steal this, why, and how) it is likely that the solution will be implemented incorrectly.
Tuning these tools also takes considerable effort. If you just "switch it on," you may get alerts for all kinds of things that are innocent (false positives), so configuration and baselining the environment is critical prior to deployment.
Dan Nelson
Dan Nelson is an accomplished trial attorney working in the area of commercial litigation and information security and privacy law at Armstrong Teasdale, a full-service law firm based in St. Louis, Missouri. Dan has tried over 40 cases to verdict and is named to The Best Lawyers in America® for commercial litigation. Dan is Co-Leader of the firm's Privacy and Data Security practice. He is a Certified Ethical Hacker (C|EH) through the EC-Council and a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals.
In my opinion, the biggest mistake companies make with data leak prevention tools is...
Not understanding what is meant by the word "tool." This mistake manifests itself in several ways.
Some companies view a new tool as a "solution." It never is. Rather, it is a piece of a much broader security picture. And most of that broader security picture is human-related security, such as changing employee habits and inculcating a security mindset.
Other companies ignore the inevitable human interface. A tool that generates the most well-timed alarms is worthless if those alarms are ignored. Tools providing security logs are only as good as the people reading those logs. With any tool, it's not the tool, but the hand holding it, that makes all the difference.
Yet a third flavor of mistake is believing that today's state-of-the-art tool is an "investment," in the sense that there won't be similar needs in next year's budget. As fast as the cybersecurity industry can develop new tools, the hacker industry can develop workarounds. Perhaps faster. Most tools are well on the road to obsolescence the moment they are deployed.
Sorin Mihailovici
Sorin Mihailovici is the Founder of award-winning Scam Detector app, featured on ABC, BBC, CNET, Fox News, CBS, Kiplinger and many other media outlets. The app exposes the world's most notorious fraudulent activities (over 800) in all industries. Scam Detector educates the consumers on how these scams work and how to avoid them.
The biggest mistake companies make in purchasing and implementing data leak prevention tools is...
To believe that the tools themselves will solve all the leaking problems.
Several companies tend to forget that leaking is not done just via a computer. I cannot disclose the name of this company I got in contact with, but they invested close to $100,000 in a specific software, but failed to treat their employees with trust and respect. Throwing in their face that "You can't steal data from us regardless of how good you are" didn't guarantee the security needed. Rather, it made the employee underestimated and truly challenged his/her ability to prove the statement wrong.