Thanks to the rising popularity of remote work, businesses are changing the ways they collaborate. This evolution includes new file access options, more versatile communication, and extra entry points such as smartphones or even wearables. Usually, enterprise resource planning software helps to cope with new challenges. But sometimes it fails due to cybersecurity threats, namely data leaks.
This brief yet extensive guide helps companies plan a working data leak prevention strategy and prevent breaches. Without further ado, let’s start!
Understanding Data Leakage
In a nutshell, a data leak is the result of any unauthorized transfer of internal information. In the modern sense, it means the transmission of business data from the company to external recipients. Leaks can be electronic or physical; they occur via emails or web systems, mobile and hardware devices, etc.
There are three main types of data leakage, classified by the target:
- Active storage (in use). Examples are the clipboards of various devices such as printers, as well as removable storage such as USB drives.
- Inactive storage (at rest). This point includes classic long-term databases, file-sharing systems, desktop/laptop memory, and hard drives.
- Transfer channel (in motion). Finally, data can move between devices. Malicious actors get it from web traffic, emails, chats.
Needless to say, data leakage is a significant threat. Information is Beautiful has a great visualization of the biggest breaches. Facebook leads the game as it disclosed 420 million user records in September 2019. Consequences of this and smaller leaks include revenue decline, regulatory penalties, and, most importantly, reputational loss.
While attacks may be devastating for companies, it’s possible to stop them. In the next section, we will show how to start your data leak prevention campaign and take the necessary actions.
Data Leak Prevention (DLP) Best Practices
Data leak prevention is a set of strategies and tools that protect critical info from unauthorized access. In particular, DLP identifies data sensitivity, data flow, potential risks, and violations of policies such as internal rules, HIPAA, GDPR, and others. The strategy combined with tailored software enables constant monitoring and reporting. Of course, DLP also integrates protective measures to stop accidental or malicious data access/sharing.
Five core principles shape the essence of data leak prevention:
- Classify – set priority protection levels for data based on its importance.
- Observe – monitor the enterprise data streams and potential weak points.
- Track – remember data movement, accesses, leaks, their features.
- Alert – send regular and emergency notifications about data protection.
- Block – integrate verifications, identity control, approvals, and access denials.
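The five principles can be seen working together in a minimal outbound-message check. This is an added example, not code from the original article; the domain `example.com`, the pattern set, the `Gateway` class and the verdict names are assumptions chosen for illustration.

```python
import re

# Assumed policy values for illustration only.
INTERNAL_DOMAIN = "example.com"
PATTERNS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_label": re.compile(r"\b(?:confidential|internal only)\b", re.I),
}
BLOCKING = {"payment_card", "us_ssn"}  # highest protection level

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def classify(text: str) -> set:
    """Classify: return the sensitive data categories found in the text."""
    found = set()
    for name, rx in PATTERNS.items():
        hits = rx.findall(text)
        if name == "payment_card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            found.add(name)
    return found

class Gateway:
    def __init__(self):
        self.audit_log, self.alerts = [], []  # Track, Alert

    def inspect(self, sender: str, recipient: str, body: str) -> str:
        """Observe one outbound message; return 'allow', 'alert' or 'block'."""
        labels = classify(body)
        external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
        if not external or not labels:
            verdict = "allow"
        else:
            verdict = "block" if labels & BLOCKING else "alert"
        self.audit_log.append((sender, recipient, sorted(labels), verdict))
        if verdict != "allow":
            self.alerts.append(f"{verdict}: {sender} -> {recipient} {sorted(labels)}")
        return verdict
```

Every message is written to the audit log, including allowed ones, so later investigation can reconstruct data movement rather than only the blocked attempts.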
Apart from the classification above, breaches are also divided by purpose. Leaks may be accidental or intentional, and enterprises should know how to prevent issues of both types. Let’s look at the best security practices.
Protect from Accidental Leaks
Often, data disclosure issues are the result of unintentional actions of employees. A salesperson can accidentally send sensitive internal files to a client instead of a manager. An engineer may download the code and store it on his unprotected personal USB drive. The cases are different, but they still can lead to significant losses.
That’s why we suggest the following prevention practices:
- Apply the principle of least privilege (PoLP). It’s barely possible to leak information if you don’t have access to it. PoLP or Zero-trust policies make sure that employees can work with the minimum data required for their direct tasks only. It’s strict but may be vital, so analyze advantages and drawbacks carefully.
- Decide on the bring your own device (BYOD) policy. Some businesses allow workers to use their own smartphones, laptops, and other gadgets. Others prohibit it, reducing the potential for accidental leaks. If you want to allow BYOD, be sure to define clear rules and restrictions to minimize risks.
- Set alerts and restrictions on file sharing and emails. Various file-sharing systems and email clients, such as Google Drive, support groups. You can add people from your company or department to such a group and set access rights or even prohibit sharing outside the company. Also, the majority of solutions have built-in pop-up alerts for sharing.
- Train and educate employees regularly. Last but not least, make sure that all team members realize the importance of security and Internet hygiene. Unveil risks, potential impact of leaks, general and novel tactics of intruders. It’s a good idea to have regular training that shows how to protect from leakage.
Protect from Intentional Leaks
While accidental breaches occur often, intentional attacks may be even more disruptive. Typically, a malicious actor knows the target, the way to reach it, and the weak points of your security system. New tools and methods emerge all the time, so it’s crucial to upgrade preventive/protective measures.
As for basic DLP approaches for this category, they are as follows:
- Encrypt data, but don’t forget to hide the keys. Encryption is a standard in almost any industry that works with sensitive data. Put simply, it allows you to turn info into unreadable symbols. Only owners of unique digital keys can decrypt it back. Obviously, you shouldn’t keep these keys on public servers as Equifax
- Install cybersecurity tools. Yes, traditional antiviruses and firewalls can’t stop a well-prepared attacker. But they work great when it comes to primitive leak attempts. It’s the first layer of protection that any company must deploy to safeguard its networks. Of course, these tools should be on each endpoint: desktop, mobile, email client.
- Keep critical data on the most protected devices. Sometimes, businesses don’t pay attention to copies and backups. Many identical files are on dozens of drives. That’s insecure. Move through your sensitive information, delete it from non-essential endpoints, and keep the central repository highly protected.
- Launch IDS and IPS solutions, test them. Intrusion detection and prevention software is your top choice. These applications can help to spot the data leak attempt early enough to strike back. But be sure to run penetration tests that reveal weak links in your detection/prevention systems.
To realize how essential DLP practices are for the new community, check two numbers. In 2019, Thales, citing IDC, said that 97% of the survey respondents were using sensitive data with their digital technologies. But only 30% of them had these environments encrypted!
In the times of omnipresent digital transformation, online data leaks remain extremely dangerous for enterprises. From unintentional employee mistakes to nation-wide industrial espionage, there are numerous ways to harm your business. It’s much more cost-effective to invest in data leak prevention than to deal with post-breach consequences.