In today’s always-connected world, where almost all information is stored digitally, it is critical to assure the protection of sensitive and privacy relevant data. The advent of fast communication technologies such as 4G and home broadband, ubiquitous mobile devices and the availability of free or low cost ‘Cloud’ services have resulted in easy and convenient data transfer options. Often these are used in contravention of corporate policies and regulatory requirements and represent an increased risk to the company, its people and the data subjects. Loss of privacy relevant data is set to become a very big issue with the new EU General Data Protection Regulation (GDPR) on the horizon.
The European Union General Data Protection Regulation (GDPR) is the biggest change in data privacy protection for over 20 years. GDPR covers the whole of the EU and any organisation that does business with an EU based entity, irrespective of its global location. If you want to do business with anyone in the EU, you must be GDPR compliant. Penalties for non-compliance are also severe, with fines of up to €20m or 4% of group gross revenue, whichever is greater.
The recent Brexit vote in the UK changes nothing from a GDPR perspective for those who wish to do business with EU entities.
The deadline for compliance is 25 May 2018. After this the regulatory gloves will be off. This may seem a long way in the future but it is not that long given the amount that needs to be done to be able to demonstrate compliance, not just pay lip service!
Data Loss Prevention (DLP) is not a new technology. It is already present in many companies, but few use it effectively.
Put simply, DLP is a combination of people, process and technology elements that can contribute to a wider security programme and assist with compliance. But like many complex security technologies DLP needs focus, resources and a clear understanding of how it works and how to deploy it to achieve your objectives effectively.
DLP can identify sensitive and privacy relevant data whether at rest, in use, or in transit, both by its content and by its business context. It can warn users or take action to prevent the data being disclosed in an unauthorised manner, irrespective of whether this is malicious or accidental. Unfortunately, the identification of sensitive data can be a significant challenge due to the number of variables present across the vast number of different data types in any company. DLP can also enable the automated identification of sensitive data in a business process oriented manner. However, the effort required to tune content identifying rule sets to avoid false positives and false negatives should not be underestimated.
In legal and regulatory terms there are many factors to consider with the use of DLP. In some cases, it is mandatory to meet current and future regulations, e.g. EU GDPR, for protecting personally identifiable information. There are also considerations in the area of employee relations, unions and works councils.
Can you meet the requirements? What can help you in meeting compliance? What can DLP help with?
DLP may be able to identify the transfer of sensitive data internally or externally. The question then becomes ‘So what do we do with this information?’
Different DLP solutions offer a variety of options. However, these can be classified into three broad groups: passive monitoring, semi-active monitoring and active prevention.
Moving to active actions is a major step as this may impact employees’ ability to perform their role. Generally, DLP deployments start with passive monitoring to help tune the content recognition and discovery rules and ensure minimum business impact. Semi-active monitoring can then be initiated, to introduce employees to the new monitoring without affecting what they are doing. Active monitoring is a big step due to the business impact this can have and concerns over end user dissatisfaction. Some DLP solutions may be able to apply active monitoring to pre-defined data types only, for example privacy relevant data, to reduce the business impact.
Whilst it is recognised under law that companies have the right to protect their business and data, it is also recognised that employees do not lose the right to privacy upon hire and also that privacy is a fundamental human right that cannot be removed. In order to manage privacy effectively with regard to DLP there is no single, simple answer that can be applied everywhere. Technology solutions alone are not enough. Companies should follow recognised best practices and deploy the right framework of policies, training, user facilities, openness, communications and executive support to effectively implement DLP and maintain employee relations.
Implementation of DLP can help meet all the regulatory requirements stated earlier in this discussion. It cannot, however, do this in a fully automated fashion and so requires skilled resources to perform activities and make decisions. Further value from DLP can be leveraged via a Security Information and Event Management (SIEM) system capable of cross referencing DLP information with other security relevant data sources. For example, you may already have a monitoring system that tracks data going to Cloud applications or repositories. Identifying the user name and the type of sensitive information sent there, rather than just knowing that an amount of data was transferred, can be achieved by cross referencing that monitoring data with DLP events using the big data analysis capabilities of a SIEM.
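As an added illustration of the SIEM cross referencing described above (example code written for this article, not from any DLP or SIEM product), the following Python joins constructed DLP detection events to constructed proxy upload records by user, destination host and a time window, so each cloud upload is labelled with the sensitive data class DLP saw rather than just a byte count. The log formats, field names and sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records, not from any real DLP or proxy product.
DLP_EVENTS = """\
2018-03-12T09:14:02Z user=jsmith class=PII channel=web dest=files.example-cloud.test rule=eu_pii
2018-03-12T09:30:45Z user=adoe class=CONFIDENTIAL channel=email dest=mail.partner.test rule=contract
2018-03-12T10:02:11Z user=jsmith class=PII channel=web dest=files.example-cloud.test rule=eu_pii
"""
PROXY_EVENTS = """\
2018-03-12T09:14:05Z user=jsmith method=PUT host=files.example-cloud.test bytes=18234
2018-03-12T09:16:40Z user=bwong method=PUT host=files.example-cloud.test bytes=990011
2018-03-12T10:02:14Z user=jsmith method=POST host=files.example-cloud.test bytes=6001
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def correlate(dlp_text, proxy_text, window_s=60):
    """Join each proxy upload to DLP web detections for the same user and host
    within +/- window_s seconds; summarise per (user, host)."""
    dlp = [r for r in parse(dlp_text) if r.get("channel") == "web"]
    window = timedelta(seconds=window_s)
    summary = {}
    for up in parse(proxy_text):
        if up.get("method") not in ("PUT", "POST"):   # uploads only
            continue
        key = (up["user"], up["host"])
        s = summary.setdefault(key, {"uploads": 0, "bytes": 0, "flagged": 0, "classes": set()})
        s["uploads"] += 1
        s["bytes"] += int(up["bytes"])
        hits = [d for d in dlp
                if d["user"] == up["user"] and d["dest"] == up["host"]
                and abs(d["ts"] - up["ts"]) <= window]
        if hits:   # upload that DLP classified; otherwise it stays an anonymous byte count
            s["flagged"] += 1
            s["classes"].update(d["class"] for d in hits)
    return summary

if __name__ == "__main__":
    for (user, host), s in correlate(DLP_EVENTS, PROXY_EVENTS).items():
        label = ",".join(sorted(s["classes"])) or "unclassified"
        print(f"{user} -> {host}: {s['uploads']} uploads, {s['bytes']} bytes, {s['flagged']} flagged ({label})")
```

In the sample data the second user's upload has no matching DLP event, which is exactly the "we only know an amount of data went there" gap the SIEM join is meant to close.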
So although DLP can be a powerful tool, implementing it is not as simple as you may think. Analysing current usage patterns will enable you to ensure that authorised facilities are provided to the end user population and reduce the business impact of DLP, especially before moving to an active prevention model.
Scott Bancroft is a Principal Consultant at Capco. He is a cyber security specialist with over 25 years of experience across both cyber security and service e-management. A former Chief Information Security Officer (CISO) of large technology and major pharmaceutical companies, Scott has a wide breadth and depth of experience across all aspects of cyber security, including policies, strategies, implementation programs, manufacturing and security management improvement. He has built effective security teams and functions in global enterprises.
The content and opinions posted on this blog and any corresponding comments are the personal opinions of the original authors, not those of Capco.