Do you need DLP? Well, do you feel lucky?
Welcome to the first in a series of blogs highlighting Digital Guardian’s recently released eBook, The Definitive Guide to Data Loss Prevention. This post focuses on the commonly asked question of “Do I need DLP?” and covers the driving forces behind DLP adoption.
Clint Eastwood might not have been referring to DLP with his iconic line from Dirty Harry, but he could have been. And now more than ever data protection is on the agenda in boardrooms; per a recent KPMG survey, 85% of boards view cyber-risks as a business level topic and part of their purview as opposed to a technical topic. Infosec professionals should pay heed and understand how to build the case for the need for DLP rather than rely on luck to keep data safe.
Where do you start? What are the things to look for? We typically see three common business challenges that underlie data protection projects. While some only face one, or have chosen to prioritize one, a growing number of organizations have data protection challenges that cross the boundaries of the three challenges.
- Personal Information Protection/Regulatory Compliance
- Intellectual Property Protection
- Business Partner Compliance
Let’s look at each in a bit more detail:
Personal Information Protection/Compliance: Does your organization rely upon protected or regulated data such as health records, credit card numbers, or other information that could be used to identify a specific individual? If so, then you are responsible for protecting this information, and regulatory agencies govern the details around what that means. Ultimately, compliance should be seen as the starting point to deliver data protection.
- PCI DSS has a comprehensive guide (currently at version 3.2) and there is a robust business around assisting with protecting the credit card data that was one of the early financial motives of breaches and remains a valuable target.
- Health records are in many instances more valuable that credit cards due to their longer shelf life on the black market for stolen information. HIPAA turns 20 this year and there is debate whether a ransomware infection should be considered a breach or not, given that you don't actually lose data so much as you just can’t access it.
Intellectual Property Protection: Does your organization rely on IP, trade secrets, or even state secrets to succeed? If so, there is a chance someone on the other side of the fence may be after that data. While in many cases there is no specific regulation around IP protection (patent enforcement is a different issue), keeping it safe can be the difference between sustainable competitive advantage and insolvency.
- Look at the cost of drug development as an example. A 2014 Tufts University study found that, all in, costs are in the billions to create a new drug. It is no wonder that this data is valued by unscrupulous competitors or state sponsored actors working on behalf of regions with less advanced medical science.
- Manufacturing on a global scale requires developing products in one region and then sending the recipe out to a global fulfillment network; there is a great deal of risk when you transmit the secret sauce to areas that lack legal protections around IP. Controlling this information is paramount to global manufacturing cost control and success.
Business Partner Compliance: When two (or more) organizations enter into a business agreement, there is transfer of sensitive data between them. Each has an obligation to protect this data, or risk loss of future business if not immediate financial penalties. While protecting your own information is important, protecting someone else’s is even more important if you intend to continue doing business with them.
- Similar to the global manufacturing example, now add the layer of a 3rd party manufacturer. The global brand may control the design of new products, but a network of global manufacturers are the labor pool used to produce. For this to work, the minute details must be shared outside the direct control of your organization.
Each of these three scenarios represents a data risk, but not an insurmountable challenge. Today’s data protection solutions can deliver regulatory compliance, IP protection, and partner compliance. For more on why data loss prevention should be part of your business plan download the full guide.
Read more in our Definitive Guide to DLP Series
- Do you need DLP? Well, do you feel lucky?
- The Evolution of DLP: 4 Reasons Why DLP is Back in the Limelight
- Debunking the Three Myths of DLP
- Call it a Comeback: 7 Trends Driving the Resurgence of DLP
- All Trends Lead to Data-Centric Security
- What is Driving Your Data Protection Agenda? Determining the Right Approach to DLP
- Building a Value-Based Business Case for DLP
- Positioning DLP for Executive Buy-In
- 5 Criteria for Choosing the Right Managed Security Services Provider (MSSP)
- How to Evaluate DLP Solutions: 6 Steps to Follow and 10 Questions to Ask
- Getting Successful with DLP: Two Approaches for Quick DLP Wins
- Two Frameworks for DLP Success
Bill Bradley is Director of Product Marketing at Digital Guardian.