Yet another high-profile leak of confidential data hit the headlines last month when the Ministry of Justice (MOJ) was fined £180,000 for the "serious failings" that led to the loss of confidential data. According to the ICO, the penalty followed the loss of a hard drive (one which, as the ICO noted, had not been encrypted) containing information on nearly 3,000 prisoners at Erlestoke prison in Wiltshire. This is one of several data breach incidents that the public sector, and the MOJ in particular, has suffered: the MOJ was fined £140,000 by the ICO in 2013 after the personal details of all 1,182 prisoners at a jail were mistakenly emailed to inmates' families. More than ever, public sector departments and businesses are being fined for data breaches that could and should have been avoided. How can it be that even top-performing enterprises and high-profile government departments cannot adequately secure their data?
Data loss of this kind falls into two broad categories: unintentional and intentional.
As in the MOJ cases, unintentional data loss is usually caused by employee error, and it can result in huge fines and extensive reputational damage. It can happen through any employee, with naivety, ignorance and complacency the most common causes. Despite all the sophisticated data-stealing cyber attacks, employees remain the weakest link in the security chain, so employee awareness and education are vital in protecting business-critical data. Everyone in the organisation, from the boardroom down, must be part of the data loss prevention effort and ensure that processes and policies are adhered to.
Intentional data loss typically takes the form of deliberate attacks by online criminals and hacking groups. Common methods include spear phishing of specific executives or whole departments, and zero-day exploits. According to Trend Micro, 91% of successful APT attacks start with a spear-phishing email. Attacks such as these are engineered to steal confidential intellectual property and are an effective tool for attackers. For instance, the Department for Business, Innovation and Skills 2014 Information Security Breaches Survey, published this April, found that 81% of large businesses had suffered a security breach by an unauthorised outsider in the past year that compromised confidential information. All departments and businesses must realise that they are now at risk from attackers trying to plunder critical data.
What unintentional and intentional data loss have in common is the solution. Data loss prevention (DLP) programmes are the most effective way for government departments and businesses to protect themselves against the latest data breach threats, whether intentional or unintentional, and today they form a necessary, business-critical part of a modern IT infrastructure. By deploying a DLP solution successfully, public sector bodies and businesses can gain visibility of the information that leaves the organisation, comply with national and sector-specific legislation, and detect malicious activity, while still enabling a flexible and secure working environment. For example, when implemented correctly, DLP solutions can produce a significant decrease in policy violations simply by notifying employees at the moment they do something wrong.
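To make the mechanism concrete, here is a minimal outbound-mail content check of the kind a DLP gateway performs: it looks for personal identifiers and a classification marking in the message and its attachments, allows internal traffic, notifies the sender about a single identifier going outside, and blocks a bulk export or a marked document going outside. This is an added illustration written for this article, not Performanta's product or any real DLP engine. The internal domain name, the bulk threshold, the use of the UK OFFICIAL-SENSITIVE marking as a block trigger and all sample messages are assumptions constructed for the example; the National Insurance number pattern follows the published UK format.

```python
"""Content-inspection DLP check for outbound email (illustration only).

Assumptions chosen for this example, not taken from the article: the internal
domain, the bulk threshold, and treating the OFFICIAL-SENSITIVE marking as a
block trigger. NI-number matching follows the published UK format: two letters,
six digits, suffix A-D, with letters and prefixes that are never issued excluded.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.gov.uk"}   # assumption: mail to these domains stays inside
BULK_THRESHOLD = 3                      # assumption: this many identifiers = bulk export

# UK National Insurance number: first letter never D/F/I/Q/U/V, second letter
# never D/F/I/O/Q/U/V, and a few two-letter prefixes are never issued.
NI_NUMBER = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r"\d{6}[A-D]\b"
)
MARKING = re.compile(r"\bOFFICIAL[- ]SENSITIVE\b", re.IGNORECASE)


@dataclass
class Decision:
    action: str = "allow"                    # "allow", "notify" or "block"
    reasons: list = field(default_factory=list)
    ni_numbers_found: int = 0
    external_recipients: list = field(default_factory=list)


def external_recipients(recipients):
    """Recipients whose domain is not internal (an address with no '@' counts as external)."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def inspect_message(sender, recipients, body, attachments=()):
    """Apply the policy to one outbound message and return a Decision.

    Internal-only mail is allowed. A classification marking or a bulk set of
    NI numbers addressed outside the organisation is blocked. A single
    identifier going outside is allowed, but the sender is notified.
    """
    text = "\n".join([body, *attachments])
    hits = set(NI_NUMBER.findall(text))       # de-duplicate repeated identifiers
    decision = Decision(ni_numbers_found=len(hits),
                        external_recipients=external_recipients(recipients))
    if not decision.external_recipients:
        return decision
    if MARKING.search(text):
        decision.action = "block"
        decision.reasons.append("classification marking in mail to external recipient")
    if len(hits) >= BULK_THRESHOLD:
        decision.action = "block"
        decision.reasons.append(f"{len(hits)} personal identifiers in mail to external recipient")
    elif hits and decision.action == "allow":
        decision.action = "notify"
        decision.reasons.append("personal identifier in mail to external recipient")
    return decision


def notification_for(sender, decision):
    """Text returned to the sender, so the violation becomes a learning moment."""
    if decision.action == "allow":
        return None
    verb = "was blocked" if decision.action == "block" else "was sent but flagged"
    return (f"{sender}: your message to {', '.join(decision.external_recipients)} {verb}. "
            + "; ".join(decision.reasons) + ".")


if __name__ == "__main__":
    # Constructed sample data; the NI numbers are format-valid but fictitious.
    roster = "\n".join([
        "Smith, J, AB123456C, wing B",
        "Jones, P, CE654321A, wing B",
        "Brown, K, JL111222B, wing C",
    ])
    for args in [
        ("officer@example.gov.uk", ["records@example.gov.uk"], "Transfer note", [roster]),
        ("officer@example.gov.uk", ["family@mail.example"], "Ref AB123456C visiting order", []),
        ("officer@example.gov.uk", ["family@mail.example"], "Full list attached", [roster]),
        ("officer@example.gov.uk", ["press@mail.example"], "OFFICIAL-SENSITIVE briefing", []),
    ]:
        d = inspect_message(*args)
        print(d.action, "|", notification_for(args[0], d))
```

Two caveats apply to any check of this shape. First, it only sees data that passes through a channel it inspects: the Erlestoke hard drive never crossed a mail gateway, so endpoint controls and disk encryption are what would have contained that loss. Second, a format pattern such as the NI regex confirms only that a string looks like an identifier, not that it is one, so tune thresholds and add context rules to keep false positives from training staff to ignore the notifications.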
Though there is no doubt that DLP can enhance your business practices and protect against the latest data breach threats, a DLP programme will not solve every data issue. Management must play its part too, and must accept that no matter how secure the system is, a breach may one day be discovered. What matters then is how a suitable response plan is put into action. A designated response team, including management, IT, legal, business, marketing/PR and other critical departments, needs to be set up so that the business can act quickly and in a co-ordinated way when dealing with a breach. In the MOJ cases no such team was in place, so the situation could not be dealt with proactively and the internal 'blame game' could not be prevented.
The question of how we monitor, manage and control outgoing as well as incoming data has become all the more relevant. Research consistently shows that many businesses and public sector departments are taking unnecessary risks with data management, and that could prove extremely costly. Keeping business-critical information safe is now a crucial part of a modern company's IT infrastructure. An effective DLP programme, used in conjunction with other technologies and with a common understanding that we are all part of the data protection process, can do much to improve your organisation's security.
By Lior Arbel, CTO Performanta Ltd
Lior Arbel is the CTO of Performanta Ltd, a specialist information security firm securing enterprise businesses against the latest security threats. Arbel is responsible for leading the information security services provided by the company in the UK, and leads the team that helps customers understand the need for data security solutions and the best practices for implementing them.