FORUM: Best practices in data loss prevention
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
FW moderates a discussion on best practices in data loss prevention between Allen Allison at American Express Global Business Travel, Olivier Haas at Jones Day, Jonathan C. Trull at Microsoft, and Jami Mills Vibbert at Venable LLP.
FW: To what extent do companies need to be more focused on data loss prevention in today’s business world? How would you characterise the extent of challenges they face in protecting their data against leakages and theft?
Trull: Data is the lifeblood of any business and is the primary asset that security professionals have been trying to protect since computing became essential to modern enterprises. Companies across the globe are also going through different digital transformation initiatives. Digital transformation is fuelled by increased levels of productivity and the use of data to better engage with customers. Security teams are faced with significant challenges as they try to protect against data leaks and theft. These challenges include the ubiquitous use and increased volumes of data, the need of companies to share sensitive data outside of the corporate perimeter, increased sophistication of attacks, significant regulatory requirements, and the use of both corporate owned and personal devices to access corporate data, to name a few.
Haas: Data loss prevention (DLP) has become a critical issue for most businesses, as a significant part of their information assets and related value lies in data stored on intangible media, therefore it is easily subject to misappropriation, loss, corruption, theft, unauthorised access and disclosure. Businesses are facing DLP challenges on multiple fronts. Employees, who access IT systems and the business’ data, including with their own devices as BYOD practices expand, need to be informed and trained to contribute toward preventing data losses. Simultaneously, the IT systems of the business need to be connected to an ever increasing number of third parties – vendors, suppliers and customers, among others – and often resort to cloud-based IT solutions, therefore multiplying the number of interfaces to the internet and the potential number of external intrusions. Businesses, therefore, face an ever-growing scope of DLP challenges.
Vibbert: A company’s exposure in the event of a loss of data varies from being a manageable event to one that can be company-ending. Given that certain types of data loss could cause such a significant impact on a business, companies need to incorporate DLP as one aspect of a robust risk assessment and management regime. Unfortunately, the actors against which DLP techniques seek to protect companies are large, well-funded, numerous and ever-changing. However, DLP technologies and procedures can make companies much more difficult, and thus less attractive, targets. Focusing on broad cyber security risk management has the benefit of protecting companies from collateral threats following a data loss – those posed by regulators and civil litigants, ranging from class action lawsuits to card brand actions to shareholder suits.
Allison: It is not uncommon for companies to be hyper-focused on cyber espionage; after all, that is what a good hacker movie focuses on. However, what is much more common in business is data loss through seemingly non-malicious intent. Enterprise cyber security teams are increasingly focusing on the prevention of data loss as it relates to sharing confidential information with customers and partners. While the loss of data to a competitor is still a significant concern, there is equivalent risk to the business through these perceived innocuous data loss events. In a poorly maintained enterprise infrastructure, enabling data loss controls can be exceptionally challenging. An effective enterprise cyber security team must consider monitoring and preventing data loss through email, through end user devices, through disparate internet connections and via direct access to hosted environments. Obviously, the fewer points of internet access a company maintains, the easier it is to implement those data loss controls.
FW: How are regulatory developments impacting the way companies address data loss prevention? Are authorities ramping up their monitoring and enforcement efforts?
Haas: Governmental authorities and regulators have gradually become aware of how critical preventing data losses can be, be it for administrative entities, state-owned businesses or private entities. The focus on DLP includes several components, essentially composed of regulations applicable to the processing of personal data and regulations aimed at strengthening the overall level of cyber security. Simultaneously, authorities are ramping up their monitoring and enforcement efforts in order to ensure that the level of awareness and effective protection of the data is generally increased. The upcoming General Data Protection Regulation (GDPR) creates a principle of accountability of the businesses processing personal data, with a duty for both data controllers and processors to implement adequate data security measures. The GDPR also extends, to all data controllers, the obligation to notify personal data breaches. On the cyber security front, the operators of critical infrastructure or essential services will have to protect their critical IT systems and report to authorities in the event of a cyber security incident, in order to foster coordinated responses if need be.
Vibbert: Likely as a result of consumer pressure and the high-profile nature of data breaches, regulators have continued at a quickening pace to establish their authority over cyber security. New legislation has been passed granting new or expanded authority, while regulators who have already claimed such authority have increased enforcement efforts in both the traditional data security actions and in new areas. Such oversight of cyber security generally impacts the amount of attention cyber security receives from organisational leadership. Given that many regulators are focused on the exposure of information being the worst offence, protecting against data loss may protect a company from regulatory scrutiny. Unfortunately, this does not always translate to a thorough cyber security risk management shift in the company due to lack of expertise, an attempt to ensure regulatory compliance instead of focusing on good cyber security measures, or a lack of resources.
Allison: Over the last 10 years, there has been a significant increase in the regulations around protecting sensitive data, primarily when it comes to protecting personally identifiable information (PII). In the US, most states have implemented data privacy laws that aim to protect the information about individuals. Also, the European Union has implemented data privacy laws protecting PII, such as EU Directive 95/46/EC and the looming GDPR. While there has been a significant increase in these regulations, cyber security organisations have not typically seen an increase in monitoring and enforcement by authorities. However, in business relationships and contracts, there has been a significant increase in the audit rates of business partners on one another. For example, it would not be uncommon to be asked the following question, with multiple follow-up questions, ‘what security controls have you implemented and audit that ensure compliance with applicable laws?’
Trull: Whether it is the Health Insurance Portability and Accountability Act (HIPAA) data security standard, the Payment Card Industry Data Security Standard (PCI-DSS) or the new General Data Protection Regulation (GDPR), data protection is at the heart of most global data security regulatory standards. Most of these regulations come with penalties for non-compliance, especially when blatant disregard results in significant consumer damages. Of most significance right now is the GDPR, which is the European Commission’s regulation for strengthening and unifying the data protection for individuals within the European Union. Breaking the most important provisions of GDPR could result in fines equal to 4 percent of a company’s global revenue.
FW: How would you describe the general quality of data loss prevention practices among companies, considering threats posed by the likes of portable storage devices, file transfers, online applications and mobile devices? In your opinion, should companies mitigate such risks as an operational imperative?
Vibbert: Many companies have only begun to implement DLP technologies and practices that truly address the threats posed by portable storage devices, file transfer applications and mobile devices. DLP techniques should be used and mitigation employed in accordance with the overall risk posed by that system. This can include prohibiting the use of portable storage devices or requiring encryption prior to use of same, prohibiting and monitoring file transfers, access controls, and the use of mobile device management software that disallows downloads and file transfers from a company network via the device. Companies need to understand that cyber risk is akin to other enterprise risk and must accordingly understand the various risks to their data and systems and employ reasonable security controls based on those risks.
Trull: In my experience, very few companies are at a high maturity level for DLP. Most DLP programmes I have seen start and end with a network DLP solution with the default settings enabled. Technology alone will never be able to sufficiently protect a company’s data. Before buying or implementing any technologies, a company must first understand the different types of data it has and assign a classification to that data based on its value and the costs associated with a breach of that data. Once the data is classified, a company can then begin analysing the different technologies and processes needed to protect it. As companies modernise their operations, I am also seeing an increased need for digital rights management that extends the protection and enforcement policies on data both within and outside the corporate network. I believe companies should mitigate risks to data as an operational imperative. At the end of the day, it is typically the data that we are trying to protect and need to re-emphasise that within our security teams.
Allison: Because companies have allowed for multiple points of access, enabled business processes to accelerate business, enabled mobile devices and apps and ensured ubiquity of access to corporate systems, it has become extremely difficult to implement data loss controls in a medium to large enterprise. Because of this difficulty, and the concern of impacting business, implementing preventative data loss controls can become a political battle. Instead, many organisations are opting to implement detective controls around data loss, and opting to accept the risk associated with the loss of data. This can spell disaster akin to shutting the barn door after the horses have fled. Instead, a very low tolerance should be established when it comes to the transmission of data. Further, it is a common misunderstanding that the loss of a small number of records is much better than the loss of a large number of records; the loss of any data can be indicative of poor controls, poor education and poor security hygiene, can tarnish the reputation of the organisation and may potentially lead to significant costs in remediation and legal fees.
Haas: The quality of DLP practices is still very diverse. Some companies are very sophisticated, resorting to encryption, advanced user authentication systems, endpoint protection systems and other best-in-class industry practices for the monitoring of the use of the IT resources and data. But a lot of businesses still lack a global vision and approach relating to data governance and DLP. Today, the IT systems of companies need to be interconnected with third-party devices and systems. Trying to limit communications is not an option. As a result, it has become critical for businesses to mitigate, from an operational perspective, the risks of data loss entailed by the inevitable need to interconnect the systems with third parties.
FW: What advice would you give to companies in terms of establishing an appropriate data loss prevention framework that is up-to-date with current industry and regulatory thinking?
Allison: When implementing an effective DLP framework, one should follow a few steps. First, reduce the scope. If there is a separate internet presence in each office, consider consolidating to one point of presence per region. If there are multiple services that perform file transfers, consolidate them into one or very few. If users are not restricted to browsing the internet through corporate resources, consider implementing a centralised model. Second, keep it simple. An effective data loss programme will evolve over time; let that evolution happen, but do not wait to implement the programme until it is perfect. Assess the data protection laws for all your regions, and consider implementing a single policy that meets the requirements of all regulations. Create a framework that is easy to monitor and audit, and perform incident management. Third, be pragmatic with your data loss policies. If your policies have a draconian characteristic to them, users will concentrate on finding ways round the controls. Ensure that the controls meet your legal requirements, and educate your users on the need to protect data.
Haas: Our key recommendation would be twofold. First, it is critical to implement a holistic approach to data governance and DLP, based on a global view of IT systems and the data flows of businesses. On the basis of such a comprehensive view of the IT systems, it will be easier to keep pace with regulatory requirements and good industry practice. Second, it is of utmost importance to focus on the human factor. Training and awareness of employees is key to ensuring an adequate level of cyber security, as the vast majority of major data loss incidents show the importance of the human factor.
Trull: Companies need to first understand the different types of data they contain and assign that data a business value. As part of the classification process, companies should identify the data that is protected and must be controlled according to specific regulatory frameworks. Based on the information from this exercise, companies should then implement corporate policies, procedures and standards that lay out how each type of data should be handled and the controls appropriate for each. It is important that companies clearly articulate in writing how different data is to be used, shared, stored and ultimately destroyed. Employees should then be trained on these policies and procedures and be held accountable for following them. Finally, the right technologies should be implemented to protect the data over its entire lifecycle. I realise it sounds complicated, and for some businesses it is, but at the end of the day companies must identify their ‘crown jewels’ and ensure they are protected.
Vibbert: The best DLP framework is one incorporated into ongoing cyber security risk management. An effective cyber security risk management effort begins with cyber security risk assessments that evaluate the threats facing an organisation, the risks such threats pose to the organisation based on the type, location and amount of data it has, its regulatory environment and its litigation risk and the people, process and technology controls the organisation currently has in place to protect against those risks. From this evaluation, companies can prioritise the risks and create appropriate risk treatment plans. Ongoing assessments keep organisations up-to-date with industry best practices and the regulatory regime. In an ever-changing but nonetheless resource-constrained environment, this allows companies to reasonably address cyber security risk without over or under committing resources.
FW: With companies storing greater amounts of data via cloud-based services, what best practices should they deploy when relying on these third parties?
Haas: Before resorting to cloud-based services, companies should carefully vet their provider of cloud-based services, in order to ensure that the operational setup – including the location of the servers and the features in terms of data security and protection – matches the business and regulatory requirements. A service level agreement should also be carefully discussed, in order to ensure that the company’s data remains available and secured. Finally, companies should ensure they have the right to audit the service provider, in order to verify the compliance with the contractual requirements, including in terms of security. And then, during the course of the contract, companies should effectively audit their service providers, in order to ensure they comply with their contractual undertakings.
Trull: Before trusting data to a cloud service provider, companies should perform some form of due diligence to ensure that data will be protected according to its level of classification. This may include reviewing the results of third-party audits, ensuring that required contractual agreements are in place like a HIPAA business associate agreement, and evaluating specific controls such as those ensuring data protection in-transit and at-rest. And depending on the type of cloud service being consumed, customers will still be responsible for implementing certain controls to protect their data and should be clear on what those are and have a plan for ensuring those controls are in place and operational. Finally, it is critical that companies ensure it is clear in their contract that they own their data and that the ownership never transfers to the cloud service provider.
Vibbert: As with all third-party service providers that impact a company’s overall cyber security risk, companies should employ a service provider due diligence framework. Depending on the type and amount of data the cloud provider will be handling and the users who will be interacting with the cloud service, companies should complete cyber due diligence prior to contracting with the provider. The extent of this diligence may vary based on the determined risk the provider introduces – learned from questionnaires, access to certifications or annual onsite audits. Companies should also ensure contracts with those cloud providers, as with other third parties, contain representations and warranties with respect to their cyber security practices, as well as a level and type of cyber insurance commensurate with the risk. For use of cloud services that has not been authorised by the company – a social media site or file transfer service, for example – and is not under the company’s control via a contractual arrangement, companies should consider DLP techniques to avoid the use of those cloud services, such as blocking access to personal cloud service providers from the company’s network.
Allison: One of the greatest risks in cloud-based services is the erroneous assumption that, if it is in the cloud, it must be secure. In many cases, cloud service providers lack the preventative and detective controls to provide the assurances to the owner of data that is stored in those cloud infrastructures, and without accounting for one’s own security controls, risk is as significant, or worse, as it would be in one’s own infrastructure. Many cloud service providers are improving their support of customer-provided security solutions, such as customer-provided key management infrastructure, cloud access security brokers, DLP support, integrated identity and access management solutions and the integration of correlated logging for security events. When considering a cloud service, one should focus on a cloud service provider that enables all the current security control sets, plus the additional security functionality.
FW: What role does data breach insurance have to play? Are more companies seeking coverage in this area?
Allison: There is a significant increase in the use of cyber insurance, especially in organisations that rely heavily on application infrastructure for delivery of services to clients. Cyber insurance does not guarantee compliance with regulations, does not provide an assurance of a secure infrastructure, and does not solve the reputation problem associated with a potential breach. It does, however, force organisations to take their security controls and regulatory compliance seriously. Insurers are performing audits on security controls, and that additional level of review is forcing conversations in the C-suite to ensure that proper investment is made in security infrastructure. With laws and industry expectations requiring breach notification and mitigation services such as credit monitoring, cyber insurance is an excellent way to ensure that those costs, as well as remediation services, are paid for.
Vibbert: Companies should consider insurance coverage as part of a holistic risk management programme. While more companies are seeking cyber insurance, they have not yet developed a formalised process for evaluating coverage. Many cyber insurance policies only cover certain costs resulting from certain types of data loss. For example, many policies will cover the costs associated with breach notification resulting from a malware attack. Most cyber policies will not cover business interruption resulting from a distributed denial of service (DDoS) attack, though. It is also unclear whether those same policies, or traditional general liability policies, will cover personal injury resulting from a data breach, which may arise if an attack occurs in certain high-risk industries. Companies should therefore consider what their current insurance policies may cover, determine what critical coverages should exist depending on the type of company and make reasoned decisions on how cyber insurance can play its role in cyber risk management.
Trull: Data breach insurance continues to be one of the primary vehicles that a business can use to manage its exposure to a breach. Most enterprise customers I work with have cyber insurance to help absorb some of the financial costs associated with a data breach. Cyber insurance is not as common in small and medium sized businesses. However, insurance companies are working to provide new, tailored policies that are more affordable and valuable to this market segment.
Haas: Data breach insurance will play an increasing role as data breaches and losses can be extremely costly for businesses, and it is becoming good practice to take on insurance covering data breach and cyber security events. In this respect, insurance is not a perfect solution because in the event of a major data loss, the operational and reputational damage can be significant, in spite of the financial compensation resulting from the insurance coverage. But insurance should definitely be considered as a component of the overall data loss mitigation plan; and an increasing number of businesses are taking on insurance coverage.
FW: How do you expect the data loss prevention space to develop over the years ahead? Do companies need to continually improve best practices to keep up with evolving threats?
Vibbert: Moving forward, companies will continue to develop and focus on two aspects of DLP, recognising that efforts need to be continually reviewed and adjusted based on the evolving threat landscape and the company’s risk profile. First, companies will continue to become more culturally aware that DLP and other cyber security issues are an essential part of enterprise risk management. This culture shift must emanate from the highest levels – from the board and the C-suite – and must permeate the entire organisation through training, incentives, testing and audit. Second, technology will continue to improve to provide a technological backstop to cultural change. Technology providers have already begun and will continue to improve upon user-based behaviour analytics and reaction. Thus, when someone in the organisation begins to access, move or otherwise affect data outside of his or her normal usage patterns, the organisation can react immediately.
Haas: Our expectation is that the DLP space will significantly expand over the coming years, as IT systems inevitably become more and more commingled and with a stronger share of cloud-based services, creating more risks in terms of data loss. Companies will definitely need to keep on monitoring market trends and adapt their practices in order to ensure an adequate level of protection.
Allison: DLP solutions will likely become consolidated, with support for various solutions beginning to fall to fewer DLP providers. Security vendors will likely consolidate email DLP, endpoint DLP, network DLP and server DLP with mobile device DLP, and DLP in cloud and cloud access security brokers. They will likely make greater use of cloud-based DLP solution providers. Greater visibility, global capabilities and consolidated DLP views will significantly improve DLP capabilities over the next few years.
Trull: I expect to see new and innovative companies appear with regard to the protection of data no matter its location, basically ensuring that protection and control follows the data as it leaves the corporate network. I would also expect to see new innovations with regard to intelligent data classification and protection. I have also seen several new solutions that aim to make data protection and classification easier. Unfortunately, many of the existing solutions can be burdensome to the user and prone to false positives. As for new threats, I believe there will be a renewed emphasis on protecting companies from ransomware and destructive attacks. In such attacks, data integrity and availability are being attacked and need to be considered as part of any data protection programme.
Allen Allison is an experienced IT security specialist with proven expertise in developing and implementing security policies and controls for a wide variety of industries, including state and federal government, banking and finance, healthcare, manufacturing, pharmaceutical, and online merchant. He has a strong background in maintaining risk management programmes, compliance and certification programmes, and disaster recovery and business continuity planning. He can be contacted on +1 (623) 516 5892 or by email: firstname.lastname@example.org.
Olivier Haas is a member of Jones Day’s cyber security, privacy and data protection practice, and has extensive experience in the fields of technology and intellectual property. His practice is focused on IT, internet, e-commerce, cyber security and data protection. For more than 15 years he has advised French and international businesses – from startups to major international groups of companies – in connection with the preparation, negotiation and implementation of their technology and digital content-related projects. He can be contacted on +33 1 56 59 38 84 or by email: email@example.com.
Jonathan C. Trull leads Microsoft’s team of worldwide chief security advisers in providing thought leadership, strategic direction on the development of Microsoft security products and services, and deep customer and partner engagement around the globe. Mr Trull joined Microsoft in 2016 as an experienced information security executive bringing more than 15 years of public and private sector experience. Previously, he was vice president and chief information security officer with Optiv. He can be contacted on +1 (720) 528 1838 or by email: firstname.lastname@example.org.
Jami Mills Vibbert is a member of Venable’s privacy and data security practice and advises and counsels clients on matters related to data security, data protection and data risk management. She conducts comprehensive data security risk assessments and gap analyses, and develops and implements data risk solutions and breach prevention and incident response programmes. Ms Vibbert also assists clients on a wide variety of complex litigation, including incident response investigations and litigation, focusing on the healthcare and financial institution industries. She can be contacted on +1 (212) 370 6288 or by email: email@example.com.
© Financier Worldwide