Company data is a valuable asset – is yours being stolen?

SMBs need better understanding of the risks of data leakage and what can be done to prevent it

Tags: Cyber crime, Data Leakage Prevention, DeviceLock Inc
Regional SMBs are not aware of the risks, or the costs, of data leakage, says Lesnykh.
By Alexei Lesnykh. Published July 26, 2010

Are you running a small or medium-size business? If you are, the challenges you face every day are how to maximize business performance and manage your costs.

Bet you didn't realize that you could be losing one of your most priceless assets, costing you a fortune every year whilst you focus on other areas - your company's information.

DLP, which stands for Data Leak Prevention, is a major concern here in the Middle East region, mostly because regional small and medium businesses are still not completely aware of the risks caused by data leakage or the heavy costs to those businesses. Negligence is one of the main reasons why data leaks happen.

In practical figures, corporate data loss alone can cost companies between 20 and 25% of their overall revenue because data leak prevention solutions and security policies are not properly set.

Worldwide IT spending is forecast to reach $3.4 trillion in 2010, a 5.3% increase from IT spending of $3.2 trillion in 2009, according to Gartner, Inc. The IT industry will continue to show steady growth with IT spending in 2011 projected to surpass $3.5 trillion, a 4.2% increase from 2010. (Gartner, 2010) This means that companies are investing more and more in IT. At the same time, the employees of these same companies are also investing more in IT on a private level.

They all own the simple USB flash drive to share and archive documents, many of them have an iPod to listen to their favourite music on their way to the office and, finally, almost all have a smartphone, either an iPhone or a BlackBerry; and in all these cases, the data transfer to such personal memory-bearing devices from the company computer is extremely easy.

Companies need to be more up to speed with the growing interest in technology from their employees and take safety precautions. Without DLP policies in place for endpoints in corporate IT networks, data leaks are bound to happen. Within a company's IT infrastructure, USB drives and flash memory cards are a major threat of this kind, as are network communications from employees' computers.

Now, apart from numbers, it is essential to understand that data leak prevention is a key issue especially in small and medium-size businesses, as the data of your company is an important facilitating attribute of any business. A big company has its business set by its name and reputation as well as the information it owns; but a small company fights every day in the market to compete and succeed, and one of its strongest weapons is its data.

Your data is your business's core identity; your data and all the information you use at work make you who you are; it is your business Identity Card. It is unique and it differentiates your company from anyone else's in the market!

This may sound like a mere metaphor, but eventually data is who you are at your work and what you represent in your business; whoever abuses or steals your business data is actually stealing a key part of you!

With Data Loss Prevention solutions, IT security administrators are able to profile the role of each employee in the company, group or department regarding their endpoint data transfer and peripheral device access, keeping each of them to the minimal set of operations required for their role. This reduces the overall risk of data leaks and helps organizations to better comply with applicable IT security regulations and industry standards.

IT managers or dedicated information security officers should first design the corporate data protection policy as an integral part of the entire corporate information security policy. The scope of the data protection policy should be defined based on applicable government regulations and industry information security standards (e.g. HIPAA, Basel II, etc.), and should take into account organization-specific risks related to its business field and industry, for instance an unusually high value of corporate Intellectual Property (IP) assets. When the business-level data protection policy has been developed and approved by the organization's executive management, it should then be interpreted (in other words, translated) into a corporate-wide data leak prevention (DLP) policy.

Content specifications in this policy should define 'what' kind of information this policy protects, for example, intellectual property (IP), Personally Identifiable Information (PII), corporate confidential information, or customer data. At the same time, business-level context parameters and conditions in the policy should specify 'who', 'where from', 'where to', and 'when' is allowed or denied to transfer the specified information, or any data in general. Only when the corporate DLP policy has been designed can it be mapped 'down' to the specifics of the endpoint computing environment of the organization to form the endpoint-level DLP policies, including access privileges, content filtering rules, as well as the rules of personal device use.

The next step would be deploying the DLP solution and turning its policies to monitoring mode. The aim of this project phase is two-fold: first, it facilitates the refinement of the baseline data protection policies for all endpoint computers and their users. The second goal is to identify the most malicious users of the corporate network during this first DLP deployment phase. In this way, companies are able to not only identify those employees that seriously and regularly violated established corporate data protection policies but, in some cases, fire them for breaching information security related clauses of employment agreements, or take them to court.

When the baseline DLP policies have been fine-tuned, IT managers can switch DLP agents from 'monitoring only' to enforcement mode while at the same time logging peripheral device access related user actions, as well as their data transfer operations from and to endpoint computers. At this very moment, forensic investigations into the most serious data leaks should become a routine part of the IT security department operations.
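The policy model described above (what, who, where from, where to, when, with a monitoring phase before enforcement) can be sketched as a default-deny rule evaluator. This is an added example, not code from the article or from any DLP product; the roles, content classes, endpoint groups, channels, time windows and sample events are all constructed for illustration.

```python
from collections import namedtuple
from datetime import time

# who, what, where from, where to, when (allowed window); "*" matches anything
Rule = namedtuple("Rule", "role content source channel start end")
Transfer = namedtuple("Transfer", "user role content source channel at")

# Constructed policy: default deny, each role limited to what its work needs.
POLICY = [
    Rule("finance", "PII", "office-pc", "email", time(8), time(18)),
    Rule("engineering", "IP", "office-pc", "usb", time(8), time(18)),
    Rule("*", "public", "*", "*", time(0), time(23, 59, 59)),
]

# Constructed endpoint events for the demonstration.
SAMPLE = [
    Transfer("alice", "finance", "PII", "office-pc", "email", time(10)),
    Transfer("bob", "finance", "PII", "office-pc", "usb", time(11)),    # wrong channel
    Transfer("bob", "finance", "PII", "home-pc", "email", time(23)),    # wrong place and time
    Transfer("carol", "engineering", "public", "home-pc", "usb", time(21)),
]

def allowed(t, policy=POLICY):
    """True if any rule permits this transfer; no match means deny."""
    def match(pattern, value):
        return pattern in ("*", value)
    return any(
        match(r.role, t.role) and match(r.content, t.content)
        and match(r.source, t.source) and match(r.channel, t.channel)
        and r.start <= t.at <= r.end
        for r in policy
    )

def evaluate(transfers, mode, policy=POLICY):
    """Audit every transfer; violations alert in 'monitor', block in 'enforce'."""
    if mode not in ("monitor", "enforce"):
        raise ValueError("mode must be 'monitor' or 'enforce'")
    on_violation = "block" if mode == "enforce" else "alert"
    return [(t.user, t.content, t.channel,
             "allow" if allowed(t, policy) else on_violation) for t in transfers]

def repeat_violators(log, threshold=2):
    """Users with at least `threshold` non-allowed transfers in the audit log."""
    counts = {}
    for user, _content, _channel, action in log:
        if action != "allow":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Running `evaluate(SAMPLE, "monitor")` produces the audit trail used to tune the rules and review repeat violations; the same policy under `"enforce"` turns those alerts into blocks while still logging every transfer.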

The company should defend all of its property including corporate endpoint computers used by its staff whether in the office or at home.

Protecting your data is protecting your business reputation. For sure, you put so much effort into setting yourself apart in the market and you want to guarantee that your reputation won't ever get compromised; so Data Loss Prevention solutions help you not only to take action against data leaks but also to protect your business identity and avoid it being compromised, saving on an enormous and potentially damaging cost. Doesn't that sound sensible?

Alexei Lesnykh is Business Developer Manager for DeviceLock.
