As Ben Franklin said – “an ounce of prevention is worth a pound of cure”.
Three misconceptions regarding data protection and data loss prevention are prevalent in small to medium sized organisations - whether in manufacturing, distribution or education or in a service business. In my professional security practice over the past 5 years providing expert data loss prevention solutions to clients in the Middle East and Europe I have discovered that the first step to getting an effective data protection solution is – getting a little knowledge.
Here are three simple and cost-effective data protection steps for SMEs – starting with dispelling the misconceptions.
Misconception No. 1 – I have a Checkpoint firewall, therefore my data is protected
A firewall protects ports and protocols from malicious external attackers. If you allow outbound access on HTTP (which you do in order to run your business), then your data can be leaked or stolen by trusted insiders, malicious insiders, malicious outsiders or business partners. Data loss is any unauthorized network transfer of sensitive data on any channel and keeping the bad guys out won’t keep the good stuff in.
Misconception No. 2 – I need an endpoint agent DLP solution
Of course that’s what McAfee and Symantec and Trend Micro want you to think.
In our experience, and according to the The Verizon Business data breaches investigations – 99% of all data loss events involved servers not Windows PC workstations
The Verizon Business Report on data breaches 2009 also reveals that:
- 91% of attackers were organized crime
- 74% of attacks by malicious outsiders
- 67% of vulnerabilities due to system defects
- 32% implicated business partners
Misconception No. 3 – DLP (data loss prevention) is expensive and complex
Of course, DLP vendors like Websense want it to be expensive and complex – how else will they make money off a small niche market? For an SME – there are 4 guidelines for cost-effective data loss prevention:
- Don’t store credit cards in your data bases. Just don’t. If you do CC transactions, delete the data after you transmit the authorization request.
- Don’t bother with business process and data mapping. Ask yourself what is your most valuable data asset (customer list? student privacy information?) and how much money it’s worth to your business. The general manager, finance director and IT manager can do this in an hour instead of shelling out 500 hours of billable professional services to your lawyer or security consultant.
- Write a one page AUP (acceptable Internet usage policy), have your employees read, understand and sign. Make sure the boss(es) lead by personal example.
- Monitor your outbound traffic for those valuable data assets you defined. I suggest using Fidelis XPS, Spector 360 or Infowatch Traffic Monitor. The prices are suitable for SME and you will get great mileage on your Dollar or Euro – with low cost of ownership compared to products from companies like Symantec or Websense.