Data laws get tougher
Story by Nigel Hawthorn, 20-05-2009, 1 comment
The current criminal justice and immigration bill states that the Information Commissioner now has the power to levy fines on those who recklessly lose confidential or personal information. The level of fines, which is still to be decided, could run to millions of pounds. At a time of economic woe, it’s a shame that the government has had to enforce (or threaten) legislation and large fines, but perhaps the move is necessary to get the attention it deserves.
What's more, organisations trading on a global scale will also need to implement the best policies for worldwide customers and suppliers – bringing UK legislation and rulings in line with the best in the world simply accelerates this process. With heightened awareness of the value and vulnerability of personal and financial information collected by businesses and governments, more states in the US are now enforcing legislation that requires consumer notification when there are security breaches involving such information. In 2006, 35 states and the District of Columbia introduced legislation addressing security breach notification. Indeed, the US acts that demand customers be told are the right way to go.
All this is proving to be a real headache for organisations that operate globally, as they not only have to comply with requirements from other countries but also ensure that they meet European Union law. The current EuroSOX Institute mandate states that companies operating within the European Union must protect the confidentiality of information and therefore prevent its leakage.
It therefore makes sense for organisations to adopt a layered data leak protection (DLP) strategy that complies with differing legislation and monitors encrypted traffic. With an integrated data leak prevention solution, enterprises can both monitor network activity and data usage and prevent users from transmitting or copying data in violation of the Current Criminal Justice and Immigration Act that was brought into place in May this year.
It is critical that UK businesses are aware of this so that they can deploy a DLP solution that is content-aware and granular enough to apply different policies, according to the relevant legislation, based on the information a message contains and on how, when and where that information can be used.
Current approaches to DLP
The good news is that most organisations are waking up to the fact that they need to implement DLP capabilities. An Osterman Research survey that was conducted in April last year found that 53% of mid-sized and large organisations will very likely or definitely invest in DLP capabilities through the first quarter of 2009. Furthermore, the same survey found that 68% of organisations plan to have some form of DLP capability in place by the end of 2009.
Despite these plans, and even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don't provide true DLP functionality, only 49% of organisations have so far deployed these capabilities. This suggests that organisations are well aware of the need to monitor their inbound communications for spam and malware. This is despite the fact that 27% of organisations in the same survey reported that during the previous 12 months data or information was accidentally or maliciously leaked from their organisation.
Companies' failure to deploy effective DLP systems cannot be explained by decision makers being unaware of the potential risks they face. More likely, they don't even know a leak has happened. Another survey carried out by emedia earlier last year revealed that 94% of companies admitted to being powerless to prevent confidential or sensitive information being sent outside of the organisation, and a further 32% said they were blissfully unaware that a leak had taken place.
All of this points to a worrying new trend for IT management, particularly in the light of the growing body of legislative and compliance directives emerging in the wake of the spate of security gaffes by government bodies reported over the last twelve months.
Many employees will often accidentally send confidential data in an email – such as credit card numbers, social security numbers or other confidential information – without realising that the data needs to be encrypted during transmission to comply with legislation.
In addition, the rise of Web 2.0 applications adds further potential for data loss. Sites such as MySpace and Facebook are open channels for hidden malware installed on endpoints that has harvested personal information like credit card numbers and quietly uploads it via HTTP/HTTPS.
So what should organisations do?
In the wake of the recent change to the criminal justice and immigration bill, one of the first steps an organisation should take is to monitor all avenues through which employees may communicate. This includes email, instant messaging systems, wikis, blogs, personal Webmail accounts, USB devices, message boards and other tools.
The appropriate policies should be established and systems should be deployed so that a company's risk can be mitigated as much as possible. The second action that decision makers may want to take to solve the data breach problem is to audit the current state of file management within the organisation. Doing so will reveal the extent of the risks that an organisation faces and will make the problem real to IT management, as well as to senior line-of-business decision makers.
In many cases, this will help an organisation to realise that the risks and problems it faces are not merely a potential, theoretical problem, but are instead a real and present business danger that it must address. While this is not always a necessary step given the abundance of evidence that exists for the data breach problem, it may be required by some organisations in order to convince senior managers of the extent of their own company’s problems.
What about outbound communication?
Based on the suspected level of data breach, organisations that deploy systems that monitor outbound communication should take the appropriate action. For example, an employee's instant message that contains what looks like a Social Security number may warrant nothing more than a popup window on the sender's display that reminds them of a corporate policy against sending this information through an instant messaging client. On the other hand, an email that contains an attachment with proprietary information sent through an employee's personal Webmail account may warrant immediate redirection of the message to a compliance officer or supervisor for further review before the message is sent.
In short, suspected data breaches should trigger only the appropriate actions of discarding messages, quarantining them for further review, copying them to a supervisor, requiring encryption, archiving them, etc.
Incident management is a key component of any system, since each suspected data breach should be handled with the right level of enforcement. For example, in a large organisation it would be impractical to route every suspect email to a compliance officer or supervisor for review.
How does a company perform the appropriate level of inspection?
Content should be inspected according to policies determined by the employee's role in the organisation and other factors. For example, certain employees may require different levels of outbound content inspection and data retention than others – a broker/dealer's email to a client may trigger a different set of policies compared to a clerical staff member's email to the same client.
Certain recipients of an email may trigger different policies based on the company’s history with those recipients. A CEO’s email to an external auditor should trigger different inspection and retention requirements than those triggered by a marketing staff member’s email.
It is important to expend only the level of computing resources necessary to satisfy corporate and other policies, in order to maximise the performance of electronic communication and management systems. For example, performing very deep content inspection on every message that flows through the corporate network is simply not necessary in many cases. However, inspecting content flowing through key threat vectors, such as removable storage or encrypted Webmail channels, is critical.
And finally, what about DLP for SSL? It is critical that businesses move towards SSL-encrypted traffic on their network for greater security and data protection. The good news is that this appears to be happening. In 2007, the Enterprise Strategy Group estimated that SSL-encrypted application deployments had increased by 50 to 55 percent. However, more SSL traffic on the network inhibits the effectiveness of a data loss prevention solution.
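The graduated enforcement described above (warn, encrypt, copy to a supervisor, quarantine) and the role- and recipient-based policy selection can be expressed as a small content-aware policy engine. This is an added illustration, not code from the article or from any Blue Coat product; the channel names, role names, recipient domain, detectors and action names are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed detectors: an SSN-like pattern and a 13-16 digit card-like run.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> set:
    """Return the set of sensitive data types found in a message body."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
    return found

@dataclass
class Message:
    channel: str       # constructed channel names: "im", "email", "webmail"
    sender_role: str   # constructed role names: "clerical", "broker", "ceo"
    recipient: str
    body: str
    has_attachment: bool = False

def decide(msg: Message) -> str:
    """Map a message to one of the article's graduated enforcement actions."""
    hits = detect(msg.body)
    if msg.channel == "webmail" and (hits or msg.has_attachment):
        return "quarantine"          # hold for compliance review before release
    if msg.channel == "im" and hits:
        return "warn"                # popup reminding the sender of IM policy
    if msg.channel == "email" and hits:
        # broker/dealer mail to a client gets a stricter policy than clerical mail
        return "copy-to-supervisor" if msg.sender_role == "broker" else "require-encryption"
    if msg.sender_role == "ceo" and msg.recipient.endswith("@auditor.example"):
        return "archive"             # constructed retention rule for CEO-to-auditor mail
    return "allow"
```

The Luhn check is what keeps an order number like "1234 5678 9012 3456" from being flagged as a card, which matters when deep inspection runs on every message.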
Because of all this, organisations need a layered data leak protection (DLP) strategy that can monitor not just email and IM traffic, but also the encrypted traffic that is increasingly finding its way onto the corporate network. With an integrated data leak prevention and secure web gateway solution, enterprises can both monitor network activity and data usage and prevent users from transmitting or copying data in violation of company policies.
This integrated, layered approach to preventing the leak of sensitive data provides protection for data in motion (on the networks), at rest (on servers and at endpoints) and in use (at endpoints and media).
It is clear that with the recent change in legislation and the prospect of further change in the future, an integrated data leak prevention solution is a must for enterprises so that they can both monitor network activity and data usage and prevent users from transmitting or copying data in violation of compliance and legislation.
Nigel Hawthorn is VP, EMEA of Blue Coat Systems, specialists in WAN optimisation and secure Web gateways.
Very good information to understand and to implement data security in the organization. The main focus given to DLP is exactly what needs to be understood by organizations, because data can leak from endpoints, databases and via the network too. Yes, layered security is the best way to implement data security. Enforcement of policy for data security by government is a good approach because it is the same way an organization enforces security policy on employees to maintain the organization's trust.