With employees accessing corporate networks through all manner of devices, from personal smartphones through to tablets and laptops, traditional data loss prevention (DLP) strategies have gone out the window. But the issue isn’t solely down to the advent of the ‘bring you own device’ (BOYD) age, it’s also tied in to how people are working.
“In our private life we gladly use cloud services without even thinking of the security implications — so when we work, and specifically if we work on an uncontrolled device, we continue to utilize these services,” highlights Nicolai Solling, director of technology services, Help AG. “So in the same way as we have a next generation of security devices, you could also say that we have a next generation of users.”
The move towards using personal devices to access corporate data from anywhere at any time understandably means that organizations in the Middle East feel that their data is now less secure than it was in the past.
“Five years ago, the use of BYOD, IoT, cloud and big data was at its nascent stage and while data security was a concern then, this concern has assumed gigantic proportions today, purely because ICT adoption and the use of advanced technologies is growing in the Middle East,” notes Matt Cooke, senior product marketing manager, Sophos.
“Add to that the fact that in the first half of 2015, the Middle East was second in the list of regions with the highest records exposed. This clearly means it’s in the cross hairs of cyber attackers, who see the region as ‘low hanging fruit’ because of its lack of cyber security awareness compared to North America and Europe,” he adds.
“Sensitive corporate data is more at risk now,” continues Orange Business Services’ K. Tahsin Hersan, security practice lead, Middle East, North Africa and Turkey.
“Increasingly, employees want to collaborate with partners and customers through mobile and cloud-based applications. This increases the risk of data leakage [or] theft if the DLP solution is not adapted to new generation technologies,” he adds.
Traditional DLP systems had, at best, limited support in regards to mobile device protection, which means that companies are now having to look into upgrading or replacing DLP solutions in order to secure the growing number of vulnerable access points. And as Gartner research director Biswajeet Mahapatra highlights, this may not be a simple task.
“Mobility introduces many new permutations of old DLP problems, but makes solutions harder to design due to increased complexities of data movement, patchy functional capabilities in platforms and APIs, outmoded DLP boundary thinking and the extreme sensitivity by users to any action that interferes with their desired usability.”
Today there are a wide range of DLP solutions on the market, but security strategies are more than simply installing a product — CIOs need to look at the bigger picture.
“It is not as simple as deploying a solution,” says Megha Kumar, IDC senior research manager, software. “Companies need to put in place the right access controls. Who can access what, and what data is critical needs to be defined – you cannot protect everything.”
“The DLP product is not a panacea, to be able to say that the data is protected – it should be combined with policies, end user education and it must be fine-tuned for the specific business processes and information types,” adds Artem Serebrov, head of targeted attacks detection solutions, Kaspersky Lab.
Mahapatra highlights that CIOs should bring in management staff from across the business at an early stage of strategy development.
“CIOs should work with business unit leaders to develop a data security governance strategy in their organization, closely tied to organizational objectives and risks before evaluating DLP solutions.”
Solling goes on to note that CIOs should build their DLP strategy around the following three elements.
“Start with risk assessment, which will then enable proper data discovery and classification. With this knowledge, the next step of formulating the right policies and processes can begin. Even the latest and greatest DLP solution must be properly configured to the specific needs of your organization.
“This solution, as well as the policies, must be verified to ensure that they are compliant with the necessary regulatory and compliance frameworks. Remediation should also be prioritized as even the best DLP strategy is not 100% guaranteed. Finally, the ‘people’ aspect needs to be addressed through training and awareness campaigns for all employees on a regular basis.”
End user education is a very important part of any DLP strategy and it must be given time and thought in order to get right, as Gregg Petersen, regional director, Middle East and SAARC, Veeam Software highlights.
“End user education is a challenge in that it has to be a simple and effective solution. The always-on era demands that technologies be usable within the realm of control from the data center. If the process is too complicated, users will find another way,” he continues.
A question often asked is whether higher priority should be given to safeguarding data stored on senior employees devices. However, it’s worth remembering that most confidential data will be found elsewhere in the business.
“These days data is constantly being moved, shared and accessed by more than one party on a variety of different devices,” says Sébastien Pavie, identity and data protection director, MEA, Gemalto. “In addition to this, data is no longer contained within the network of an organization, it is now also found in virtualized environments, as well as the cloud.”
“Seniority is not a relevant criterion in deciding on risk levels,” continues Hershan. “Data leaks may even happen without the knowledge of an employee, due to malware. What is more important is to properly classify sensitive data in a consistent manner, and define and apply corporate policies regarding the storage and sharing of each data class.
“Corporate policies should include processes, roles and responsibilities regarding who can access and share each class of documents, whether this is with internal or external entities. This policy can only be successfully created and implemented through careful planning and coordination with line-of-business heads, documenting each business process and identifying the relevant sensitive data and classifications.”
Finally, there’s also the challenge of finding that ‘happy medium’ of providing effective DLP without hindering employees’ productivity. Preventing access to devices using end point DLP can hinder staff as well as cause frustration – which may also lead to employees trying to find ways of circumventing DLP altogether, so the trick is in balance and constant adaption.
“The main task for any IT security department is to keep the business safe, but not interrupted. This means that all protection products, policies and restrictions must reflect the current business processes. So, coordination with HR, business heads and process managers is really important for DLP strategy,” explains Serebrov.
“[The happy medium] comes with responsibility,” adds Cooke. “Empower the employees with the tools and resources they need to work effectively and educate them so they can do so securely and with confidence. Every security control has a reason for existence, share that knowledge and the responsibility for security and data protection with all of your employees.”
