That attention-grabbing question was posed by Steve Roop, Senior Director of Data Loss Prevention at Symantec, at the recent FSI Executive Summit in Las Vegas. Roop led an FSI Executive Summit session focusing on why DLP has emerged as a top priority for financial services companies in 2008.
Kicking things off, Roop said that while securing the network from hackers was the #1 data security priority just a few years ago, now the real threat stems from faulty business processes and employee oversight.
“That’s why an estimated 215 million records have been breached just since 2005, and no one is immune,” he said. “We estimate that data loss costs the financial services industry $239 per record, which is 17.5% greater than the industry average.”
Roop went on to say that, according to Symantec estimates, one out of every 50 network files is wrongly exposed, one out of every 400 emails contains confidential information, and that four out of five companies have lost data on laptops.
One major problem is that today just about anybody can access and distribute information in unlimited volumes, and organizations have come to depend on that fact.
“Which means that securing the network is no longer enough,” Roop explained. “We believe it’s time to secure the data itself. You need a next-generation security solution that can protect your data anywhere – in storage, on the network, at the endpoint.”
That means organizations need to ask themselves the following questions:
- Storage: Where is my confidential data exposed? Who has access to my confidential data? Is my data exposed to unauthorized users? Can I relocate data stored inappropriately?
- Network: Where is the data being sent? Who is sending confidential data? How can I prevent my data from leaving the company?
- Endpoint: What confidential data is being copied to removable media? Who is copying confidential data at the endpoint? How is that data being used?
Of course, detecting data breaches is just the beginning. Organizations also need to enforce data security policies automatically.
“You need to ask yourselves how do you enforce your data security policies?” Roop said. “How do you empower your business units to protect their data? How do you change employee behavior?”
Roop then provided an overview of Vontu Data Loss Prevention from Symantec. Vontu DLP is an integrated solution that combines endpoint and network-based technology to discover and protect data wherever it’s stored, as well as monitor and prevent it from being used inappropriately.
Roop cited the experience of CIGNA, one of the nation’s largest health services organizations, which handles enormous volumes of protected health information, Social Security numbers, and credit card numbers. The $16.5 billion company recently implemented the Vontu DLP solution.
“We felt that the Vontu DLP solution was clearly the best solution for our needs,” said Craig Shumard, CIGNA’s Chief Information Security Officer, via webcast. “The management console stood out because it let our incident response team instantly see and respond to issues. The Vontu DLP solution also offered us the flexibility to write one set of rules to cover both data in motion and data at rest—helping to provide consistent protection no matter where our data happens to be.”
Shumard noted that CIGNA employees “are trying to do the right thing, but they may send data out without enough thought given to its sensitivity.” He said automated policy enforcement reminds employees to follow encryption policies, helping to strengthen the overall protection of sensitive data.
Symantec believes that, to be seriously considered, a data loss prevention solution must address the following key requirements:
- Discovers and protects confidential data wherever it is stored or used. A comprehensive solution that effectively lowers risk must enable you to accurately discover exposed confidential data stored on file servers, document and email repositories, Web sites, relational databases, or other data repositories. Once this data is identified, the solution should enable you to protect it by automatically applying data protection policies through integration with data encryption, storage tiering, and archiving systems.
- Monitors all data usage and prevents confidential data from exiting any network gateway or endpoint. Preventing confidential data from being transmitted outside your organization first requires comprehensive monitoring of multiple exit points and endpoints. Email is only part of the problem. A solution that effectively reduces your risk of data loss across all business processes must combine comprehensive monitoring with prevention. It should accurately monitor and prevent security violations for all data types and all network protocols, including email, instant messaging, secure Web, FTP, P2P, and generic TCP sessions over any port.
- Accuracy is critical. To achieve the highest level of accuracy, the software solution must keep false negatives low to reduce the risk of a data breach. It must also keep false positives low to minimize review time, enable automated enforcement, and protect employee privacy. Advanced detection technology is an important element in detection accuracy, but it’s not the only element. The highest level of accuracy in data loss prevention requires three dimensions: content, context, and scale.
- Automated policy enforcement. Without automated policy enforcement, it’s estimated that teams responsible for alerting offenders and managing remediation would experience an increase of two to five times their normal workload. A best-in-class solution should employ intelligent, highly productive incident response capabilities that enable you to automate policy enforcement with flexibility.
- Visibility and control over encrypted data. Make sure the solution employs features that enable you to monitor and prevent the transmission of data that violates encryption policies. First, you must have visibility and control over encrypted information that hasn’t been approved for external distribution. Second, you must be able to enforce encryption policies for confidential information that has been approved for external distribution.
- Safeguards employee privacy. If not managed correctly, a data loss prevention solution can create an environment of employee mistrust—or expose the organization to fines and lawsuits for privacy violations. An effective solution needs to balance the requirement for corporate protection with the need for employee privacy.
- Proven global scale and architecture. One of the key questions to ask potential providers is, “Is your solution proven in production at FORTUNE 100 customers?” If it can successfully perform in these environments, chances are it is a strong enterprise-scale application. Also ask about integration partnerships with best-in-class security infrastructure vendors.
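The accuracy requirement above (low false negatives and low false positives, achieved by combining content and context) can be made concrete with a small script. The following is an added example written for this article, not Symantec or Vontu code: it validates regex hits (Luhn check for card numbers, structural rules for SSN-shaped numbers) so that order and tracking numbers are not flagged, then lets the recipient domain and encryption status decide whether to log, allow, or block. The mail domain, the sample messages, and the log/allow/block actions are assumptions; the "scale" dimension is not shown.

```python
"""Minimal content + context DLP check over constructed email messages.

Added example, not Symantec/Vontu code. Content decides whether a message
carries confidential data; context (recipient domain, encryption) decides
what to do about it. Domains, messages and actions are assumed.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domain

# Content detectors. A regex alone produces false positives (order numbers,
# tracking numbers), so every hit is validated before it counts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that cannot be issued (area 000/666/9xx, group 00, serial 0000)."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def find_confidential(text: str) -> list:
    """Return (kind, value) pairs for validated card numbers and SSNs found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    return hits


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    encrypted: bool = False   # assumption: set by the gateway when the body is S/MIME or PGP encrypted


def evaluate(msg: Message) -> tuple:
    """Simplified policy: returns (action, findings)."""
    findings = find_confidential(msg.body)
    if not findings:
        return "allow", findings
    recipient_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if recipient_domain in INTERNAL_DOMAINS:
        return "log", findings      # internal handling: record it, do not interrupt the business
    if msg.encrypted:
        return "allow", findings    # external, but under the approved encryption policy
    return "block", findings        # confidential, external, cleartext


# Constructed sample traffic (not real data).
SAMPLES = [
    Message("hr@example.com", "payroll@example.com",
            "Please update the record for SSN 219-09-9999."),
    Message("sales@example.com", "buyer@partner.example.org",
            "Card on file: 4111 1111 1111 1111, exp 09/29."),
    Message("ops@example.com", "courier@shipping.example.net",
            "Tracking number 1234 5678 9012 3456 left the warehouse."),  # fails Luhn
    Message("support@example.com", "user@mail.example.net",
            "Ticket reference 000-12-3456 (not an SSN) has been closed."),  # area 000
    Message("sales@example.com", "buyer@partner.example.org",
            "Card on file: 4111 1111 1111 1111", encrypted=True),
]


def run(samples=SAMPLES) -> list:
    """Evaluate each sample and return the list of actions, in order."""
    return [evaluate(m)[0] for m in samples]


if __name__ == "__main__":
    for m, action in zip(SAMPLES, run()):
        print(f"{action:5} {m.sender} -> {m.recipient}: {find_confidential(m.body)}")
```

Run as a script it prints one line per sample: the internal SSN transfer is logged, the cleartext card number to an external partner is blocked, the tracking number and the 000-prefixed ticket reference pass without a finding, and the encrypted copy is allowed. In a real deployment the Luhn and SSN rules would be joined by fingerprinting of known records and the context would include sender role and channel, but the split between validated content and context-driven action is the part that keeps both false-positive and false-negative rates down.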
Increasingly, the loss of confidential records (particularly those containing sensitive personal information) is having a severe financial and brand-related impact on organizations entrusted with this type of information. The cost of data loss is also escalating, with many well-documented cases of fines and lawsuits running into millions of dollars.
As attendees of Symantec’s FSI Executive Summit learned, Symantec endorses the implementation of a robust, auditable information risk management program, one that ensures the most significant risks are mitigated quickly and effectively and that provides protection from this type of threat on an ongoing basis.