The central theme of any cybersecurity program or team is to protect the “crown jewels” of an organization or institution. In the Information Technology estate, the crown jewels are the data we’re trying to protect. With regulations like GDPR gaining prominence in the last 3-4 years, protection of data has become a regulatory obligation as well as a security goal. The crown jewels differ from industry to industry.
Here are a few examples of crown jewels:
- Customer PII (Personally Identifiable Information) – all organizations
- Financial data – banks & financial sector
- Payment Card transactions – e-commerce
- Medical Records – healthcare industry
- Intellectual Property Rights & Design information – manufacturing sector
Data Leakage Prevention (DLP) programs are essential for every organization today, both to prevent data being leaked outside the organization and to prevent confidential data being shared with the wrong groups within the same organization. For example, in investment banks, bankers in possession of material, non-public information concerning a publicly traded company are strictly prohibited from discussing any such information with individuals who do not have a need to know it for the purpose of servicing the client that provided the information to the bank.
Data Leakage Prevention does not involve only data in digital form. Theft of hard copies and old-fashioned paper files is also data leakage. However, from the cybersecurity angle, this blog will focus only on digital data.
Here are some basics to build a robust DLP Program:
Build a proper Data Inventory
As we all know, we cannot protect what we don’t know about. Which means we can only protect what we have in our Data Inventory. Hence, the first and foremost task in a DLP program is to build the data inventory. To do this, a “data discovery” exercise should be conducted: locate where data lives (file shares, databases, mailboxes, SaaS), identify what kind of data it is, and record the owner. Usually, getting an external consultant (e.g. one of the Big 4 firms) to do the data discovery is more efficient.
Classify & Prioritize Data
In a home, we have things made of various metals. A stainless-steel vessel which is used for cooking can be washed and left to dry on the kitchen counter. However, a jewel made of gold cannot be left outside like that. The reason being, although they both are metals, one metal is more expensive than the other. Similarly, in an organization, it’s important to prioritize the data based on the “criticality”. Data which is absolutely important for the business & income of an organization will get higher criticality than data which may be used only for informational purposes.
So, that brings us to the important topic of “Data Classification”. Generally, data is classified as follows in most organizations:
- Public – anything available on the Internet is “public” data
- Internal – data which is communicated as announcements to employees, policies, procedures, processes, etc. are “internal” data
- Confidential – customer data, financial (including company revenue) data, network architecture, project documents, company sales & marketing strategies, etc.
- Secret – the crown jewels described above
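As an added example (not code from the original post), the following Python script shows what the “discover, then classify” step looks like in practice: it scans text for two of the data types named above, customer e-mail addresses and payment card numbers (PANs), filters PAN candidates with the Luhn mod-10 check so that order or invoice numbers are not mis-reported, redacts each hit for the inventory, and assigns the highest matching tier from the four-level scheme. The mapping of e-mail to Confidential and PAN to Secret, the default of Internal for documents with no hits, and all sample documents are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Classification tiers from the post, ordered from least to most sensitive.
TIERS = ["Public", "Internal", "Confidential", "Secret"]

# Detector -> tier. Assumed policy for this example: customer contact data is
# Confidential; payment card numbers are crown jewels and therefore Secret.
TIER_FOR = {"email": "Confidential", "pan": "Secret"}

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card networks. Filters out numeric strings
    (order IDs, invoice numbers) that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "email" or "pan"
    line: int      # 1-based line number in the scanned text
    redacted: str  # masked value safe to store in the inventory
    tier: str      # classification tier implied by this finding


def scan(text: str) -> List[Finding]:
    """Return every e-mail and Luhn-valid PAN found in text, redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            local, _, domain = m.group().partition("@")
            findings.append(Finding("email", lineno, f"{local[0]}***@{domain}",
                                    TIER_FOR["email"]))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding("pan", lineno, masked, TIER_FOR["pan"]))
    return findings


def classify(text: str) -> str:
    """Highest tier among the findings; with no findings the document
    defaults to Internal (assumed policy) pending manual review."""
    findings = scan(text)
    if not findings:
        return "Internal"
    return max((f.tier for f in findings), key=TIERS.index)


# Constructed sample documents (test card numbers, example.* domains).
SAMPLE_ORDER_EXPORT = """order_id,customer,card
10001,alice@example.com,4111 1111 1111 1111
10002,bob@example.org,5555 5555 5555 4444
"""
SAMPLE_MEMO = """Reminder: the Q3 town hall is on Thursday.
Reference invoice 4111 1111 1111 1112 when raising questions with Finance."""
SAMPLE_TICKET = "Customer carol@example.net reports a failed login on 2024-05-01."

if __name__ == "__main__":
    for name, doc in [("order export", SAMPLE_ORDER_EXPORT),
                      ("memo", SAMPLE_MEMO), ("ticket", SAMPLE_TICKET)]:
        print(f"{name}: {classify(doc)}")
        for f in scan(doc):
            print(f"  line {f.line}: {f.kind} {f.redacted} -> {f.tier}")
```

The invoice number in the memo fails the Luhn check, so it is not reported and the memo stays Internal; the order export contains card numbers and is pushed to Secret even though it also holds Confidential e-mail addresses. A real discovery run would walk file shares and database exports with the same detectors and write the redacted findings, owner and location into the inventory.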
Understand your business transactions & data movements
Based on your industry and business model, an organization’s data will move and be processed in various ways. The DLP architecture team should take this into consideration. A few more questions that need crystal-clear answers are:
- Is data at rest, in motion and in use encrypted?
- Do your databases use native encryption or third-party encryption?
- Is network segmentation implemented?
- What is your attack surface? That is, do you have a complete inventory of your Internet-facing assets?
- Do you have accurate information about your data entry and exit points?
- Do you have proper controls for “Shadow IT”?
Don’t forget data residing in the cloud
In today’s day and age, the presence of an organization’s data in the cloud is inevitable. To complement your DLP program, which usually targets the endpoints in an organization, a Cloud Access Security Broker (CASB) program should be implemented in parallel or in collaboration. This will ensure that the data residing in the cloud, for whatever business reason, is also protected from leakage.
Launch the DLP Implementation Project – however, in phases
DLP programs may take years to implement, depending on how large an organization is geographically and in terms of headcount. Hence, it’s prudent to implement the project in multiple phases. This will ensure a more efficient implementation in terms of budget and schedule.
Phase 1 – RFP & Purchase of the DLP & CASB tools
Phase 2 – Build the DLP Program Team
Phase 3 – Build the DLP strategy based on the points above
Phase 4 – Implementation across the endpoints in the organization
Phase 5 – Build a Disciplinary Action Matrix in partnership with Human Resources
Phase 6 – Employee Awareness & Campaigns
Build the DLP Program Team
DLP teams should include the following personnel:
- Program Manager
- DLP Architect(s)
- DLP Forensic Investigators
- Level 1 (L1) analysts to catch & dispatch DLP alerts & eliminate false positives
DLP Disciplinary Actions Matrix
In an organization, it’s important to frame the rules and the disciplinary action matrix for DLP violations. It’s called a matrix because of the different inputs that should be considered before classifying a DLP incident and deciding the actions to be taken on offenders. Here are some inputs to be considered:
- Criticality of the data leaked
- Intention of the employee that leaked the data
- Is it a repeat offense?
Disciplinary action can range from a written warning by HR, to an impact on salary raises or bonus percentages, to termination, depending on the criticality of the data leaked and the priority of the incident based on the above factors.
Employee Awareness on DLP
We all know that in cybersecurity the weakest link is people. Hence, employee awareness about DLP is of paramount importance. Here are some ideas to be implemented:
- Include cybersecurity awareness in the new employee induction program, which should include a section on DLP
- Include a prominent section in the annual cybersecurity online mandatory training for all staff
- During the cybersecurity month (usually October) plan roadshows, floor campaigns, etc. targeting DLP
- Put up posters explaining DLP in key areas of the office
This blog lists some practical ideas that I’ve either implemented or learnt in my CISO roles in the past 6 years. This is not an exhaustive list and I’m always open to all feedback. Please leave your valuable comments below.
Patrick Pitchappa graduated as an Electronics & Communication engineer in 1995. After 2 years in electronics he moved into Information Technology (IT) in 1997. Patrick began his IT career as a Systems and Networks engineer, with 24 years of experience since then covering all aspects of IT Infrastructure & Security. He currently works for the Middle-East based Alshaya Group, a world-leading retail franchise operator, as Director of Information Security & Risk with responsibilities across all Alshaya’s operating markets.
Patrick previously worked for 18 years with four banking & financial services giants: BNP Paribas, Société Générale, Goldman Sachs and Visa. Married with three kids, Patrick is an avid sports lover with 18 marathons already under his belt.