Define, educate, prevent: Avoiding data loss is easier than you may think

Most organizations believe they aren't in danger of losing data, but as recent news demonstrates, the threat is real and no organization is immune.

In a recent CDW report on threat prevention, data loss emerged as the No. 1 cybersecurity challenge faced by medium and large businesses. Fully 37 per cent of IT security decision makers surveyed for the report cited data loss as "the next big security threat" their organizations face, naming it a bigger threat than viruses, worms, malicious attacks and botnets.


Just envisioning the potential consequences of data loss is enough to keep executives up at night. Data loss of any kind can damage an organization in countless ways. From a simple hard-cost standpoint (forensics, notification, credit protection, etc.), data loss is expensive, costing an estimated average of $200 per record breached, or an average of $6.8 million per total breach, according to a recent Ponemon Institute survey.

The true cost, however, is much harder to measure when considering factors such as lost competitive advantage, loss of revenue, litigation and company reputation.

The first step to prevent data loss is to accept that data loss is a real problem. Truly solving the problem can be boiled down to three simple concepts: define/baseline, educate and enforce.

Define data and create a baseline

This is not the typical, monstrously large (and perpetually doomed-to-failure) information classification project that so many IT organizations have undertaken and then abandoned. The key to success is to draw a distinction between confidential information (e.g. Social Security numbers) and confidential documents (such as a file containing Social Security numbers).

In today's IT world, nearly everyone is an information worker. In the course of business, people make copies of files, create reports, post them to SharePoint sites, etc. Trying to categorize information at the document level is typically prohibitively difficult because these documents are rapidly moving targets.

That said, the definition of "confidential" is usually straightforward. The simple data points that allow for fraudulent monetization of data (first and last name, address, Social Security number, credit card number, driver's license number, banking information, etc.), as well as data protected by regulation (e.g. HIPAA), are the minimum any organization should protect.

But every organization also has business critical data. Examples include the trading algorithm that was almost stolen from a well-known investment banking firm, the next quarter's sales pipeline for a reseller, pre-product-launch research data for a biomed firm or the source code for a product at a software company.

Your next step should be to define what "business critical confidential" means to your organization. In the simplest terms, that definition should be measured against three standards:

➢ Would the loss of this information materially affect revenue and profitability?

➢ Would your organization's leadership want to be informed of a leak?

➢ Would your organization's leadership take action if informed of a leak?

In some ways, these are three separate questions that point to the same concept, but in a practical sense, applying all three questions enables organizations to cut through noise and churn and focus on the true heart of "business critical confidential."

Once this definition is established, the second step is to measure the business against that definition, to gain clarity regarding the real risks. The areas of greatest concern do not necessarily overlap the areas of greatest exposure. In many cases, the single greatest exposure existing in an organization can be easily remedied by altering a single business process. The areas of greater concern are the ones that are harder to control.

Educate your organization and address problems

"Information security policy" -- have the shivers yet? A tremendous amount of research and effort goes into crafting an organization's information security policy. There are legal and liability reasons for much of what a typical information security policy covers. Unfortunately, in a practical sense, dozens (or hundreds) of pages covering a large amount of ground do not assist the typical information worker in making daily judgment calls on how to use and store confidential information.

Once the definition of "confidential" is determined and the use of confidential information has been measured, the next step is to use that insight to author a practical and concise policy. Your goal should be to keep the policy under a half-page in length, and to use it to define, in the style of the stereotypical "30-second elevator conversation," what data is confidential and how it should be used.

Following the creation of that policy, three actions should be taken:

➢ Resolve process issues that violate the policy and cause ongoing incidents.

➢ Educate users on the policy.

➢ Provide ongoing, real-time notification to users.

As early adopters in the industry take on data loss prevention projects, there are many indications that clear, concise communication, coupled with education, can reduce data loss incidents by more than 90 per cent.

Prevent data loss from occurring

If process change, user education and real-time notification can reduce risk by 90 per cent, technological enforcement can narrow the remaining 10 per cent. The real key, however, is to make security an ongoing priority. Invest wisely and consistently in security technology that is tailored to manage the specific risks your organization is likely to face.

One way to do this is to dedicate an internal or external resource to monitor and manage security issues, making sure that this resource reports to the appropriate stakeholders. This strategy allows you to monitor security risks in real time, keeping the organization informed and involved in the security of your data.

Data loss is a threat that will continue to weigh heavily on the minds of IT executives everywhere, but there are tested and proven ways to safeguard your organization. By defining your data, educating your staff and taking proactive measures to prevent data loss, you will be able to dramatically mitigate your risk of falling victim to this common security threat.
