The Information Commissioner’s Office (ICO) has issued its first fine for data breaches by email this year, to a Council that sent sensitive personal information to the wrong recipients. Following two previous breaches, the Council in question was fined £120,000 for failing to implement measures to avoid further data breaches, despite two previous warnings.
Corporate email is one of the largest risks of accidental data loss, and due to the sheer volume of emails sent by organisations on a daily basis, accidental data losses are almost inevitable. Common mistakes include inserting the wrong email address, attaching the wrong file and sending emails that contain sensitive and restricted data to the wrong recipient.
Any member of an organisation has the potential to cause a data breach, and can do so at any time, in just a matter of seconds. Employees often fail to realise what they have done until it’s too late, by which time the damage is done - resulting in a tarnished reputation that can lead to a loss of customers or, as happened here, a large fine.
But how do you prevent these losses from happening - especially as it’s so easy to accidentally send an email to the wrong address?
Boiling the ocean
Traditional Data Loss Prevention (DLP) solutions have tried to address the email issue, but with limited success. They usually take a long time to start working with any real effect, as intensive tailoring and ‘training’ is needed to help the solution in classifying data and files that are unique to each organisation. Also, emails which the system identifies as a potential data breach risk are usually flagged to the IT department, which then has to check with the email sender before either allowing or blocking the email.
Both of these factors represent a significant drain on IT staff resources. When combined with the volume of outgoing emails generated in any organisation of more than 20-30 employees, the traditional approach to DLP quickly becomes unworkable when trying to identify the one or two rogue emails. It’s the equivalent of trying to boil the ocean to find enemy submarines.
A different approach to email DLP is needed, one that doesn’t rely on the extensive ‘training’ demanded by a purely artificial intelligence-based solution, or demand constant intervention by IT staff.
Prevention is the cure
Involving individual employees in the corporate security process is the only viable approach to avoiding data loss incidents. It is also the only way to turn a DLP solution into a truly preventative tool, as opposed to a reactive one.
First, to increase user awareness, an effective DLP solution will alert the user before they can send an email that may cause a loss incident.
Let’s take the scenario of an employee who has composed an email, addressed it and clicked on the ‘send’ button. The DLP solution should analyse the body of the email, complete with its attachments, and the intended recipient’s address, against a set of pre-defined characteristics to identify potentially sensitive data. This could include, for example, certain keywords in the email body text such as ‘financial’, ‘report’, ‘specifications’, ‘confidential’ and so on. Also, file types such as spreadsheets or presentations with financial data, confidential records or strategic material may need to be carefully scrutinised.
If the DLP solution detects a potential breach based on this analysis, it will override the ‘send’ instruction and present the user with a pop-up alert to inform them of the potential data loss and ask how they wish to proceed.
The user will have to decide whether they: a) want to send the email and its attachments as they stand; or b) realise that they have made a mistake, and correct the body text or remove the suspicious attachments. There should also be the option for the user to leave a brief explanation as to why they overrode the DLP solution’s alert.
But what happens if, after seeing the pop-up alert, the employee decides to send the email anyway, resulting in data loss? The DLP solution keeps records of all of the user’s actions, of the fact that they were alerted, as well as the justification they provided, giving an audit trail for subsequent analysis. This establishes a clear chain of events when reviewing a data loss incident, which is useful for internal review and external compliance purposes.
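The pre-send check described above (keyword and attachment-type analysis, recipient check, user decision point and audit trail), as an added illustration rather than code from the article or from Check Point’s product. The keyword list, file extensions, internal domain and the `decide` callback standing in for the pop-up are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed policy: the indicators the article names for potentially sensitive content.
SENSITIVE_KEYWORDS = ("financial", "report", "specifications", "confidential")
SENSITIVE_EXTENSIONS = (".xls", ".xlsx", ".ppt", ".pptx")
INTERNAL_DOMAIN = "example.com"  # assumed organisation domain, not from the article


@dataclass
class Email:
    sender: str
    recipients: List[str]
    body: str
    attachments: List[str] = field(default_factory=list)


AUDIT_LOG: List[dict] = []  # one record per alert: who was warned, why, and what they chose


def analyse(email: Email) -> List[str]:
    """Return the reasons this email looks like a potential loss; an empty list means no alert."""
    text = email.body.lower()
    hits = [k for k in SENSITIVE_KEYWORDS if re.search(rf"\b{re.escape(k)}\b", text)]
    risky = [a for a in email.attachments if a.lower().endswith(SENSITIVE_EXTENSIONS)]
    external = [r for r in email.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    reasons = []
    if hits:
        reasons.append("sensitive words in body: " + ", ".join(hits))
    if risky:
        reasons.append("sensitive attachment types: " + ", ".join(risky))
    if external and (hits or risky):
        reasons.append("sensitive content addressed outside the organisation: " + ", ".join(external))
    return reasons


def on_send(email: Email, decide: Callable[[List[str]], Tuple[str, Optional[str]]]) -> bool:
    """Intercept the 'send' action. `decide(reasons)` stands in for the pop-up alert and
    returns ("send", justification) or ("cancel", None). Returns True only if the email is released."""
    reasons = analyse(email)
    if not reasons:
        return True  # nothing suspicious: the email goes out as normal
    action, justification = decide(reasons)
    AUDIT_LOG.append({"sender": email.sender, "recipients": list(email.recipients),
                      "reasons": reasons, "action": action, "justification": justification})
    return action == "send"
```

Every override is recorded together with the user’s justification, so a later incident review can reconstruct the chain of events the article describes.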
Overall, the aim is to create a decision point for the user, encouraging them to review what they plan to send and to whom. This increases users’ responsibility and helps to correct any digressions from the company’s security policy before an incident happens.
As employees experience the DLP solution in action, they will learn more about data loss, how it typically occurs and how to avoid it. This encourages adherence to company security policies. Over time, pop-up alerts to users will decrease as users become increasingly aware of the types of activity that trigger an alert.
Also, engaging users in the DLP process directly benefits the organisation by lifting the burden of day-to-day security management from IT staff. The majority of decisions about whether content can be sent are taken directly by users, a sharp contrast to previous-generation DLP solutions that require IT staff to check every email flagged as a potential risk. Empowering the user enables IT teams to focus on more strategic tasks, instead of getting bogged down in email approvals.
With data watchdogs becoming increasingly vigilant and forceful, it may be time for all businesses, especially those holding customer data, to consider the value of a DLP solution within their organisation. After all, with data losses, prevention is always better than a cure, and it also helps to avoid hefty punishments.
by Terry Greer-King, UK MD for Check Point.
Check Point Software Technologies is exhibiting at Infosecurity Europe 2012, held on 24th - 26th April 2012 at Earl’s Court, London.