Stop Data Loss!
- From CIO Digest, January 2010 Issue
Data loss prevention—it’s a journey, not a destination
A number of organizations are already well down the road of minimizing risks from data loss. What can you learn from them? What roadmap can take you past hazards and reveal shortcuts to benefits?
How can you win the resources needed for a data loss prevention initiative? And since 67 percent of data breaches are unintentional, how can you change the behavior of employees and make them more aware of data security?*
To accelerate your organization’s progress in data loss prevention, CIO Digest gathered key insights from leading IT decision makers and analysts.
First, herd cats
Winning an organization-wide commitment in this area can seem challenging. “However, it’s a critical first step to build a framework for collaboration among the board of directors, IT, the legal department, and HR,” says Gianluca D’Antonio, chief information security officer at Fomento de Construcciones y Contratas, S.A. (FCC). “One of the mistakes someone in my position can make is to go straight toward the target of mitigating risks.”
D’Antonio has a big framework to build. FCC is an environmental and construction services company based in Madrid, Spain, with 14 billion euros in annual revenue and 93,000 employees in 54 countries. The first step was to classify data and determine what needed protection.
Rich Mogull, analyst and CEO at Securosis and a frequent author and speaker on data loss prevention, advises: “Get your executives in a room and say, ‘Look, we need to stack rank. Which of our data is more important?’ As a security specialist, it’s not your job to define that.”
Don’t rush or compromise when setting information security policy, adds D’Antonio. “It’s a common mistake,” he observes, “for information security managers to compromise on data loss prevention policies to move quickly and win approval. They leave out important requirements, but it’s difficult to update policies later. Take an extra three months if needed, but begin strong.”
Limit the scope of your pilot. Says analyst Mogull, “Trying to figure out what your sensitive data is, where it is, who needs to use it, and how it’s being used is a pretty difficult process. So my recommendation to most organizations is start small. Where I see companies failing is when they try to jump over everything all at once and solve all their data security problems, usually by clicking checkboxes on policies in a tool.”
Gain visibility from technology
Technology used the right way, however, can help build the collaboration that data loss prevention requires. Contributors to this article sought a solution that could find sensitive data wherever it is stored and show how it is being used. They wanted one that could help define policy across the organization, give visibility into policy violations, and enable a process for remediating and reporting on incidents.
To provide these capabilities, FCC chose Symantec Data Loss Prevention. Says analyst Mogull: “I like these new data security technologies because for the first time, we are gaining the ability to protect our information with minimal interference to business processes, and can do so in a more automated fashion.”
Think like you’re under attack
To minimize the risks of data breaches, it helps to have an attitude like Bill Donohue, chief information officer of 24 Hour Fitness, a privately-owned operator of 460 health clubs with over four million members.
As a young officer in the United States Marine Corps, Donohue learned to make IT work under threat of attack during Operation Desert Storm in Iraq. “We were way ahead of industry and the civilian market in trial and error of new technology,” he says. “We were literally concerned about national security. Security has always been high on my list.”
As a result, Donohue requires 24 Hour Fitness to undergo four security audits a year—two internal and two external—and to comply with IT Infrastructure Library (ITIL), Payment Card Industry (PCI), and Sarbanes-Oxley (SOX) security regulations—even though it’s a private company. “We look at auditors as partners, not bad guys,” Donohue explains. “We want them to find whatever problems we haven’t seen, and we want to expose whatever we can to them so that we can get better.”
100 percent payback in one prevented incident
The company chose Symantec Data Loss Prevention to monitor network and email traffic for sensitive data in motion and to alert the security team about violations in policy. “Symantec Data Loss Prevention improved our security posture immediately,” says Tim Segneri, the vice president of operations and technology management at 24 Hour Fitness. “We found some groups that we didn’t realize handled credit cards, and it created more opportunity for education. We’ve used it for more than a year, and it is changing behavior. The number of security policy violations has decreased by about 80 percent.”
That’s a valuable result because the latest industry figures show the business cost for each record lost in a breach is about $200. “We’re running almost four million active records,” Donohue notes. “The loss of 10 percent of those or 400,000 records could cost $80 million. Symantec Data Loss Prevention pays for itself in one prevented incident.”
Automate and prioritize encryption
Sensitive information is the primary asset at BCD Travel, which is the world’s third-largest travel management company, operating in more than 90 countries with 13,000 employees. The challenge is how to protect it.
“Book an international trip with us, and we have to know your name, date of birth, credit card information, and passport number,” says Sherron Smart, director, information protection and security at BCD Travel. “That’s clearly personally identifiable information. And that kind of information would be received in an email. Symantec Data Loss Prevention gives us the ability to see sensitive data in motion and see how important this type of communication is to our business.”
Gain from layers of protection
According to interviewees, a solution like Symantec Data Loss Prevention should be one of several layers of protection that can be integrated to further minimize risks.
24 Hour Fitness recently watched Symantec Endpoint Protection deflect phishing attempts that sought to plant Trojans on its network. “There has been a rash of attacks through messages seemingly from Facebook,” says Segneri. “Our junk email filter flagged them as suspicious, but employees, worried about their Facebook accounts, forced them through anyway onto their desktops, where Symantec Endpoint Protection grabbed them again and quarantined them. That’s a good example of defense in depth protecting us when you can’t stop people from doing things they think are important.”
Another way to protect sensitive information is to gain greater control over how it is handled during e-discovery. Symantec Enterprise Vault helps the 24 Hour Fitness team quickly freeze email involved in potential litigation, research it, and produce evidence, showing in minutes what could take days to find if restoring from tape backups. “By having internal communications quickly available, we can stop a lot of frivolous lawsuits,” Donohue says.
It’s also easier to prevent data loss if there is less data on hand. At 24 Hour Fitness, Symantec Enterprise Vault is used to enforce a policy of retaining email for only 90 days, after which all messages are deleted. For a small group of senior employees, Enterprise Vault journals a copy of all messages and archives messages older than 90 days.
Sensitive data at 24 Hour Fitness is further secured because it is centralized at a protected data center. No data resides at any of the company’s 460 clubs. “All our applications are Web-based,” notes Segneri. “The only application used by the clubs is Internet Explorer. And all Internet access at the clubs is through a white list of approved sites.”
Empower and secure a mobile workforce
At BCD Travel, a multi-layered security strategy is helping the workforce become increasingly mobile, yet protects sensitive data. “Symantec Endpoint Protection, with Symantec Network Access Control, gives us the ability to prescreen endpoints before we allow them to attach to our network,” says Reggie McNeill, vice president, infrastructure and operations at BCD Travel. “It ensures they have the correct virus definition files, Microsoft security patches, and whatever other parameters we put in place.” BCD Travel can now provide agents working at home in North America with full access to network resources, and more than a third of BCD employees now work remotely.
Concerned about submitted data, many customers are requesting an end-to-end encryption strategy, according to Smart. “That can get very costly,” she notes. “We use Symantec Data Loss Prevention to detect personally identifiable information in an email destined for a customer and flag it to be encrypted. At the same time, it enables hundreds of thousands of other emails every day to avoid being encrypted unnecessarily. It helps us prioritize and automate where we need to use encryption. That saves time and money.”
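The policy Smart describes, and the data-in-motion monitoring 24 Hour Fitness uses earlier in the article, both come down to one decision per outbound message: does it carry sensitive data, and if so, should it be routed differently? As an added illustration (not code from CIO Digest, Symantec, BCD Travel, or any product named on this page), the Python below classifies outbound mail the way that policy requires: messages with personally identifiable information are flagged for encryption, everything else is delivered unencrypted. The regular expressions, the Luhn check that weeds out random digit runs that merely look like card numbers, and the three sample messages are all constructed for this example; the passport rule in particular is an assumption, since real passport formats vary by country.

```python
import re

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Constructed for this example.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Passport numbers vary by country. This contextual rule (the keyword "passport", then a
# 6-9 character alphanumeric token that contains at least one digit) is an assumption.
PASSPORT = re.compile(
    r"\bpassport\s*(?:no\.?|number|#)?\s*[:#]?\s*((?=[A-Z]*\d)[A-Z0-9]{6,9})\b",
    re.IGNORECASE,
)

# Date of birth introduced by a keyword, e.g. "date of birth: 04/12/1978".
DOB = re.compile(
    r"\b(?:date of birth|DOB)\b\s*:?\s*(\d{1,2}[/-]\d{1,2}[/-]\d{4})", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return the PII categories found in text; card numbers are reported by last four only."""
    hits = {"credit_card": [], "passport": [], "date_of_birth": []}
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # drop order numbers and other look-alikes
            hits["credit_card"].append(digits[-4:])
    hits["passport"].extend(m.group(1) for m in PASSPORT.finditer(text))
    hits["date_of_birth"].extend(m.group(1) for m in DOB.finditer(text))
    return {k: v for k, v in hits.items() if v}


def decide(message: dict) -> dict:
    """Policy decision for one outbound message: encrypt if it carries PII, else deliver."""
    pii = find_pii(message["subject"] + "\n" + message["body"])
    return {"id": message["id"], "action": "encrypt" if pii else "deliver", "pii": pii}


def summarize(decisions: list) -> dict:
    """Count actions so the security team can see how much mail actually needed encryption."""
    counts = {"encrypt": 0, "deliver": 0}
    for d in decisions:
        counts[d["action"]] += 1
    return counts


# Constructed sample traffic: one itinerary with customer PII, two routine messages.
SAMPLE_MESSAGES = [
    {
        "id": "msg-001",
        "subject": "Your itinerary",
        "body": "Card 4111-1111-1111-1111 charged. Passport number AB1234567, "
                "date of birth: 04/12/1978 sent to the airline.",
    },
    {
        "id": "msg-002",
        "subject": "Shipment update",
        "body": "Order 1234567890123456 shipped today.",  # 16 digits but fails Luhn
    },
    {
        "id": "msg-003",
        "subject": "Reminder",
        "body": "Passport renewal deadlines are posted on the intranet.",
    },
]

if __name__ == "__main__":
    results = [decide(m) for m in SAMPLE_MESSAGES]
    for r in results:
        print(r["id"], r["action"], r["pii"])
    print(summarize(results))
```

Only the last four digits of a matched card number are kept in the decision record, so the DLP report itself does not become another copy of the sensitive data; the Luhn check is what keeps the second sample message (a sixteen-digit order number) out of the encryption queue, which is the "avoid being encrypted unnecessarily" half of the policy.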
Symantec Data Loss Prevention also plays a key role in the gains from mobility. Says Senior Vice President Hilton Sturisky: “A great deal of expense can be removed from the bottom line. With the price of real estate, we often find that people can be as effective working from home as they can in the office. And by making hotel cubicles available and having fewer offices, we can still get the right amount of collaboration that we need. If we want to attract and retain the right employees, we need to be able to adapt to a flexible and mobile workforce—but at the same time, we can’t lose sight of protecting customer data. Symantec Data Loss Prevention on our endpoints gives us the assurance our policies will be enforced.”
Get up to 70 percent savings from the cloud
FCC chose to receive Symantec Data Loss Prevention as a cloud-based service from a telecommunications company. The provider’s security operations center monitors the solution on 1,000 FCC endpoints and tracks another Symantec Data Loss Prevention module that inspects network traffic for more than 10,000 FCC users.
D’Antonio adds: “Our cloud-based service provider’s expertise with Symantec Data Loss Prevention is greater than our own, and service level agreements let us link payment to project success. We get three years of service for about the cost of owning the solution, saving around 70 percent in one year of investment.”
Reduce compliance staff time by 50 percent
Another benefit at FCC is easier compliance. “In Spain, we have the Organic Data Protection Law, which is very strict about how personal data can be handled,” D’Antonio observes. “Symantec Data Loss Prevention automates our verification, showing where personal data goes and who accesses it. Our compliance verification time is reduced by 50 percent.”
Accelerate the business
To win new business at BCD Travel, it’s now almost a given to be able to show that the risks of data loss have been mitigated, says BCD Travel’s Sturisky.
Minimizing risks is only one of the gains. “When the IT security team works on data loss prevention, we have a unique perspective on processes, across the silos of the business, and we can capitalize on unique insights,” Sturisky notes. Having observed how customers prefer to transmit sensitive data, the company is already adjusting its communication channels to create a competitive advantage.
More opportunity lies ahead. “We serve a third of Fortune 500 companies and have real-time data on their travelers,” Sturisky continues. “If you’re on a connecting flight and we see it will be late, the system could trigger action that gets a new connection booked for you, or a hotel room, so you don’t have to start frantically making phone calls when you land.”
Sensitive data, once it is secured by a solution such as Symantec Data Loss Prevention, Sturisky concludes, can provide just the edge that enables the business to grow.
* 2009 Data Breach Investigations Report, Verizon Business Risk Team.
Alan Drummer is Creative Director for Content at NAVAJO Company. His work has appeared in the Los Angeles Times, San Francisco Examiner, Create Magazine, and on The History Channel.