We have been asked recently by several customers to look at the risk that data loss represents to an institution. It is an interesting journey each time because we are all conditioned by DLP (Data Loss Prevention) vendors to think of data loss through their lens, but the filters they apply often gloss over loss scenarios that they do not support.
We have found that it is best to take a vendor-agnostic approach, and to start by trying to identify all of the ways that data can be removed from the organization. We usually find that “single bullet” DLP systems leave gaps that need to be remediated in other ways.
This week, we will look at just a few of the data loss vectors that you should consider when researching a new or existing DLP system, and a few other controls you can consider for each:
- USB Devices: Data can be removed by placing it on a USB device (memory stick, hard drive, etc.). Many DLP products provide the ability to block data from being placed on USB devices based on the content of the data. Two problems we often see are that encrypted data can hide the content of files so that they get past this control, and that some solutions react to files being placed on a USB device AFTER the file is copied, meaning that someone could circumvent the control by removing the media at the appropriate moment. We encourage institutions to test their solution against these scenarios, and to consider simply blocking USB storage usage completely at the device level.
- Email Messages: Most DLP solutions allow blocking outgoing email messages based on content. But what happens if an employee encrypts an attachment before sending it? Make sure your DLP system blocks emails with encrypted attachments to mitigate this gap. Another mitigating solution is to seek a DLP or data governance product that would detect the sensitive data being encrypted.
- Stolen Computer: DLP systems do not usually cover theft of a computer as a loss vector, but it should be covered in your analysis. Most institutions encrypt laptop drives to prevent data from being read from a stolen laptop, but there is still a risk of theft of desktop computers. Consider expanding the encryption practice to include desktop computers to mitigate this risk.
- Mobile Devices: With many vendors pushing mobile-centric strategies, it is difficult to strike the proper balance between making data available on mobile devices and protecting that data to the same level as on a PC. When allowing staff to have access to email or other corporate data on a phone, it is necessary to consider many of the same data loss vectors that exist on a PC, plus a few new ones (“Can I copy data from my iPhone to my home PC? What about syncing it to iCloud?”). While some vendors are starting to integrate their Mobile Device Management (“MDM”) products with their DLP products, this has not yet evolved to full maturity. If you make data available to mobile devices, make sure you test your MDM solution thoroughly to understand any gaps that data could slip through.
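The USB and email items above share one gap: a content-inspection control cannot read what has been encrypted. As an added example, not code from the original post or from any DLP vendor, the following check does what a content gate should do before it lets a file leave: it reads the PKZIP local file headers for the encryption flag and measures byte entropy to flag opaque, ciphertext-like blobs for blocking or quarantine. The ZIP samples and the pseudo-random "ciphertext" are constructed inline; the 7.5-bit threshold is an assumed tuning value, and high entropy also flags already-compressed media, so it marks a file as uninspectable rather than as proven encrypted.

```python
import hashlib
import math
import struct
import zlib

# PKZIP local file header (30 bytes): sig, version, flags, method, time, date, crc, csize, usize, nlen, elen
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
ZIP_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 marks an encrypted entry

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zip_encrypted_entries(data: bytes) -> list:
    """Walk the local file headers and return the names of entries flagged as encrypted."""
    names, pos = [], 0
    while data[pos:pos + 4] == ZIP_SIG:
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, elen) = LOCAL_HDR.unpack_from(data, pos)
        start = pos + LOCAL_HDR.size
        if flags & ENCRYPTED_FLAG:
            names.append(data[start:start + nlen].decode("utf-8", "replace"))
        pos = start + nlen + elen + csize  # assumes no data descriptor (flag bit 3)
    return names

def classify_attachment(data: bytes, entropy_threshold: float = 7.5) -> str:
    """Verdict for a content gate: 'encrypted-zip', 'opaque' or 'inspectable'."""
    if data.startswith(ZIP_SIG) and zip_encrypted_entries(data):
        return "encrypted-zip"
    if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
        return "opaque"  # ciphertext-like; already-compressed media trips this too
    return "inspectable"

def make_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: one stored entry, with flag bit 0 set when encrypted=True."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    hdr = LOCAL_HDR.pack(ZIP_SIG, 20, flags, 0, 0, 0, zlib.crc32(payload),
                         len(payload), len(payload), len(name), 0)
    return hdr + name + payload

# Constructed stand-in for a ciphertext blob (e.g. a .gpg attachment): 2048 pseudo-random bytes.
CIPHERTEXT_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
```

The same check applies to the USB case: running it at write time, before the copy completes, avoids the "react after the copy" weakness described above.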
Bedel Security helps institutions understand and control information security risk each day. If you are interested in assessing the risk of data loss or any other information security risks, drop us a line anytime.