When we think of data loss prevention (DLP), all too often our minds race ahead to technology and solutions (unless you read the earlier blog post on written material). For a large number of potential incidents (these are incidents which could have occurred, but haven’t yet), a discussion with employees is a great place to start.
When talking about DLP, the key message is “don’t shoot the messenger”. For people on the front line of dealing with intellectual property, customer details and other confidential information, information security is not top of their list. They are not (yet) specialists in the field, so what they do in their day-to-day work is what they do, nothing more or less.
Remember the good old days of creating a CD ROM with a report on it and sending it through the post because it was too big to email… and the CD being lost, and no-one minding? Well, while you may think those days have gone, in reality they haven’t. Sure, an incident will draw attention to a poor business process, but unless you are proactive in discovering what is actually happening, there is an incident just waiting to happen.
How do you find these business process weaknesses? Ask – and it’s not just the managers, it’s everyone. But before you ask you need to make employees aware of what you are asking – and why… and most importantly, this is not about finding a messenger to shoot, it is about improving security. For your company information, for your customers’ information, for your partners’ information – in fact, for all information.
So, where to begin? Start with the obvious: what is the information you are interested in, and how would someone recognise it? Then ask how it is distributed and to whom. Is this something that is created every week, month or quarter? Does it get written to a CD ROM, emailed or printed out? Remember, the person who carries out the task does not always understand everything that goes into the transaction. They may press ‘F3’ in the application, insert a blank CD ROM and the system writes out the information – in an encrypted form. In which case, all is well. However, knowing that the process is carried out means it can be checked and verified as secure.
A simple check of ‘real’ processes – those which are actually carried out – can help build information security within the organisation. This can then be extended, as more security awareness is created, to look for improvements. For example, the report used to be too big to email (ten years ago); is that still true today, or is there a better way? People will be happy to suggest ideas for improvements – as long as they don’t think they will be ‘shot’.