According to survey monkeys at CA, 64% of UK organisations have not deployed Data Loss Prevention (DLP) technology. This ranks the UK behind France (only 23%), Ireland (50%) and Italy (60%).
Without taking the necessary steps to identify sensitive data throughout the enterprise and protect it from loss or misuse, there is the risk of severe consequences for non-compliance, potential damage to the brand reputation, and reduced competitiveness.
According to the study, IT departments across the UK are struggling to deal with compliance issues, such as the Payment Card Industry Data Security Standard (PCI DSS) and the ISO 27001 information security standard. Surprisingly, they are unaware of how technology could help and many are unable to convince the business of the inherent risks to justify the required investment. This is despite the fact many UK organisations expect data privacy and national security to be the two areas of regulation that will impact them the most in the next five years.
With more organisations adopting cloud computing to process and store data on an infrastructure managed by third parties, the need to apply security policies at the data level is stronger than ever. The CA survey highlights that IT security is a key factor in enabling the use of cloud computing among UK organisations.
DLP tools help with understanding the sensitivity of data and enable real-time decisions to be made about what is and is not allowed to be processed and stored in each cloud environment. Employees should not be expected to understand all the issues, and may be completely unaware that copying a document from one location to another is moving it from an internally managed to a third-party infrastructure.
A lack of time, a ‘lack of compliance vision’, and scarce resource availability mean that IT managers find it difficult to address many compliance issues. All of these problems would easily be solved if organisations could track and control their data more effectively. However, it would not appear to be a priority: the research reveals that ‘tracking the use of data’ is believed to be less of a hindrance to compliance among UK organisations.
Those charged with managing IT security are most concerned about the activities of external users. They are also concerned about the compromise of sensitive data, Internet use, and the activities of internal users. All of these are linked: it is the sharing of data between users (often over the Internet) that is behind many of the well publicised incidents involving the loss of sensitive data.
To be effective, a compliance-oriented architecture (COA) requires three fundamental elements to be in place. First, identity and access management (IAM) solutions, which allow organisations to understand people, their roles and responsibilities, and to define and enforce their privileges. However, only 27% of UK organisations have a full IAM system in place.
Second, a COA requires the ability to locate and classify data: 52% of respondents say they have a system in place. The third element required to support a COA is a way to enforce policies that link people’s roles to the use of that data. Many Data Loss Prevention tools automate the second and third elements, albeit to varying degrees. And as indicated earlier, 36% of UK organisations are currently using DLP technology.
Besides providing the capability to accurately discover and classify data, this identity-centric approach also helps police its use in a business context: enabling the monitoring and inspection of information, while enforcing pre-defined policies depending on the rights of the individual concerned. Ultimately, organisations need the ability to strike the right balance between effectively protecting their critical information from abuse, while adopting flexible security measures that enable users to perform at their best.
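The three COA elements above, as an added Python example that is not from CA or this article: a constructed role directory (IAM), a simplified classifier that labels cardholder data (the PCI DSS concern) and UK National Insurance numbers, and a policy table that decides whether a given role may copy a document to internally managed or third-party cloud storage. The user names, roles, labels and policy values are assumptions made for the example.

```python
import re
# Element 1 of the COA: an identity/role directory (constructed sample data).
ROLES = {"alice": "finance", "bob": "marketing", "carol": "security"}

# Element 2: locate and classify data. Simplified scanner: 13-19 digit runs that
# pass the Luhn check count as PCI DSS cardholder data; UK NI numbers as personal.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Return the most sensitive label found: 'pci', 'personal' or 'public'."""
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "pci"
    if NINO_RE.search(text):
        return "personal"
    return "public"

# Element 3: policy linking roles to data use. Key is (label, destination);
# value is the set of roles allowed, or "*" for any authenticated role.
POLICY = {
    ("pci", "internal"): {"finance", "security"},
    ("pci", "cloud"): set(),  # cardholder data never leaves managed infrastructure
    ("personal", "internal"): {"finance", "security"},
    ("personal", "cloud"): {"security"},
    ("public", "internal"): "*",
    ("public", "cloud"): "*",
}

def check_transfer(user: str, text: str, destination: str):
    """Decide whether `user` may copy `text` to `destination` (least privilege)."""
    role = ROLES.get(user)
    if role is None:
        return False, "unknown user"
    label = classify(text)
    allowed = POLICY.get((label, destination), set())
    if allowed == "*" or role in allowed:
        return True, f"{role} may move {label} data to {destination}"
    return False, f"{role} may not move {label} data to {destination}"
```

A production DLP product would replace the two regexes with its own discovery and fingerprinting engine, but the decision flow (who, what label, where to) is the same.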
DLP tools are also increasingly being used for information control purposes, especially as regulators continue to take more heavy-touch enforcement actions in an effort to achieve more credible discipline and deterrence. For example, the Information Commissioner’s Office was granted the power to issue large penalties, which are designed to act as a deterrent and to promote compliance with the Data Protection Act. This further raises the need for ownership at board level.
“The survey findings provide clear and timely evidence that UK organisations require DLP technology in order to effectively support their compliance requirements, protect their brand value, and maximise competitiveness,” said Simon Godfrey, Director, Information Security, Risk and Compliance, CA. “As network perimeters continue to blur, it is clear that security needs to be applied to the data throughout its lifecycle. Information needs to be understood with policies applied to enforce who can use it and how.”
He added: “Linking DLP with IAM provides the right combination to achieve this: allowing organisations to discover, monitor, and control critical information wherever it is located, while ensuring that the information is only used by the right individuals in the right way and according to their roles and privileges. In essence, with the proliferation of sensitive information across enterprises, this combination enables a much-needed practical approach for applying the principle of least privilege.”
Bob Tarzey, Analyst and Director, Quocirca commented: “Recent high profile data breaches demonstrate that electronically-stored data is often insufficiently cared for. This failure to protect data is costly, not least because of the level of fines now being imposed by regulators. On top of this there is the reputational damage and loss of competitive advantage that usually ensue.
“The technology exists today to link the use of data to people through enforceable policies. This allows a compliance-oriented architecture to be put in place based on widely accepted information security standards, such as ISO27001. Doing this enables UK organisations to allow the safe sharing of information, both internally and externally, ensuring both the continuity of business processes and good data governance.”