In 2009, back when I was the Chief Information Security Officer for Gala Coral Group, I wrote that one of the hot topics for many Chief Information Security Officers was reducing the potential for Data Loss.
Today we are in 2012 and over the last four years no t much has changed.
For many information security officers and IT directors, suppliers have moved on from point solutions moving to address Data Loss Prevention after the realisation that to achieve the panacea of loss prevention is often too costly and damaging to productivity.
From the products I originally tested, I can say that they do what they say on the packaging, but it remains that in this economic climate, when boards are mandating decrease d budgets and businesses drive for lower operational costs, information security officers are constantly seeking other cheaper ways of achieving a similar result without large capital.
Good increases in data management can be achieved through a good information security awareness programme. A good awareness programme can make significant strides to decrease accidental loss of data, which is by far the most common cause of data breaches, and then use technical solutions to assist and complement the work of the awareness programme. Awareness programmes take time to set up and need buy-in from the very top of the business. Key executives are usually happy and eager to help; they see both the security benefits and the benefits of lower operating costs.
For example, the use of portable media has caused many businesses a large headache and has lead to a number of high-profile data breaches. By educating your staff on the virtues of good data management around portable devices and ensuring a good understanding of classification labels and how to protect data within certain classifications, staff have shown they are capable of adequately protecting data a nd correctly using portable media devices.
This is not to say that you should not complement the training by issuing only encrypted portable devices and controlling data written to non-encrypted devices. In taking this step you reinforce the training and show the workforce that you are taking the matter seriously.
By viewing technology as an assistant to good information security practices rather than the primary enabler to information security you a re better placed to view the options open to the business, taking a broader spectrum view of your business practices allows you to better understand where information security gains can be achieved easily and where gains will take longer to realise.
An excellent area within the realm of information security where the people element returns excellent gains is in penetration testing. By engaging different business unit members in internal penetration testing it is possible to identify where processes are not working and could lead to potential security issues. Using this method of penetration testing in conjunction with traditional external testing you get a fuller and more rounded view of your overall security stance. This will help in identifying the many egress routes that data could potentially take out of the business.
A good security awareness programme will not safeguard against those rouge employees that want to take the data with them, however. This is where there is no replacement for the technical counter-measure. But with an awareness programme in place, employees will be aware of what will happen if they are found to have taken data and the HR department will have an easier time of dealing with these employees if you can prove they are fully aware of the policies and have taken part in the awareness training.