DLP - it's all about context...

By Dr. Guy Bunker @guybunker

Data Loss Prevention (DLP)

I was fortunate to be asked to go on the BBC to comment on the security issues surrounding the lapse in security at the Bank of England where an email was sent to the wrong person. In this case it was someone at a newspaper – and so the story went mainstream.

Have you ever sent an email to the wrong person by mistake? Or have you received one from someone and wondered why they had sent it to you, followed by a ‘sorry, please delete’? I’m sure the answer is yes, but the consequences were unlikely to have been a story on the BBC!

When it comes to Data Loss Prevention (DLP), it is not just about content, it is also about context. In this case the content was about a project with a codename of “Bookend”, but the context was the critical component. It was an internal project and not for external consumption. Today’s next generation of DLP solutions adapt their actions to take into account both the content AND the context.

Discovering project codenames in email or in documents is relatively simple to do with an Adaptive DLP solution. Taking the context into account, in this case that the project was for internal use only, and blocking the email is, again, not that difficult. However, there is one other key part of the puzzle, and this was my point in the interview: if the IT department doesn’t know what is important to the business, then how can they detect and block it? Alignment between the business and IT is important if security around critical information is to be effective.

In this case, an understanding of critical projects and their codenames would have enabled the IT department to deploy an Adaptive DLP policy and stop the email being sent to the wrong person.
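The content-plus-context check described above, sketched as an added example (it is not code from this post or from any DLP product). The domains, addresses and function names are constructed, and the codename register stands in for the list the business would supply to IT.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: the business supplies this register; "Bookend" is the codename from the post.
INTERNAL_ONLY_CODENAMES = {"Bookend"}
INTERNAL_DOMAINS = {"bank.example"}  # constructed placeholder domain

def body_text(msg):
    """Concatenate every text/* part so codenames in any part are seen."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def evaluate(raw_email):
    """Return the policy decision for one outbound message."""
    msg = message_from_string(raw_email)
    content = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    # Content: which internal-only codenames appear in the subject or body?
    hits = sorted(c for c in INTERNAL_ONLY_CODENAMES
                  if re.search(rf"\b{re.escape(c)}\b", content, re.IGNORECASE))
    # Context: is any recipient outside the organisation?
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    external = sorted(a for a in recipients
                      if a.rpartition("@")[2] not in INTERNAL_DOMAINS)
    # Block only when both conditions hold: sensitive content AND external context.
    action = "block" if hits and external else "allow"
    return {"action": action, "codenames": hits, "external": external}

def sample(to, subject, body):
    """Build a constructed test message."""
    return f"From: analyst@bank.example\nTo: {to}\nSubject: {subject}\n\n{body}\n"

# Constructed sample messages (not real traffic).
MISDIRECTED = sample("colleague@bank.example, editor@newspaper.example",
                     "Project Bookend update", "Draft plan attached.")
INTERNAL = sample("colleague@bank.example", "Project Bookend update", "Draft plan.")
UNRELATED = sample("editor@newspaper.example", "Press office hours", "Open 9 to 5.")

if __name__ == "__main__":
    for name, raw in [("misdirected", MISDIRECTED), ("internal", INTERNAL),
                      ("unrelated", UNRELATED)]:
        print(name, evaluate(raw))
```

The same codename is allowed between internal recipients and blocked once an external address appears, and an empty codename register makes every message pass, which is the alignment gap between the business and IT.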

Sending an email to the wrong person has made the news before, when a XXX was sent to a radio station; similarly, for the Bank of England this breach is unwelcome as it will damage their reputation. As with the Sony breach, this is a game changer when it comes to data loss incidents. The information had very little, if any, intrinsic value – it was not credit card information or individuals’ bank details, and it wasn’t healthcare information. It was, however, critical information. Damage to reputation is difficult to put a value on, but the impact can last for years.

IT security needs to be done in the context of the business. It’s not a one-off, but rather needs to be a continuous process to ensure that all critical information is protected at all times.