Data loss prevention (i.e. preventing the outflow of confidential data) is not just a technical matter – it is important to involve employees, as measures will not work without them. These approaches are promising.
Text: Andreas Heer, 18 June 2019
It happens fast: the email sender is in a hurry, selects the wrong recipient and, before they know it, a confidential product presentation has been revealed to the outside world. Or a USB stick (unprotected, of course) is lost somewhere on a business trip. Or, worse still, an employee discloses confidential information intentionally.
As these examples show, protecting confidential company data is both a complex and important matter. As the name suggests, data loss prevention (DLP) – also referred to as data leakage prevention – describes all measures intended to prevent unwanted loss, leakage or exfiltration of company information. Compliance requirements imposed by data protection legislation and regulations play an important role here, as breaches can lead to heavy fines. But the company’s reputation is equally important, since it helps to generate trust among customers. ‘Customers rightly expect companies to treat the data entrusted to them in a confidential manner,’ says Raffael Peluso, who is responsible for security solutions at Swisscom. A data breach can thus also result in the business losing customers.
At the same time, data is becoming increasingly important for companies as a result of digitalisation. Intellectual property stored digitally must be kept hidden from outsiders, as must a product roadmap that could give a rival a competitive advantage. Again, DLP measures are required.
The example described above, with the wrong email recipient, shows that DLP must include a combination of technical measures, processes and employee awareness. Although, in this case, it may have been technically possible to prevent dispatch of the product presentation, an employee trained in handling confidential data wouldn’t have even considered sharing the file by email. The study ‘Cost of a data breach’ shows the importance of raising awareness alongside technical measures: about a quarter of all data theft carried out in the US in 2018 is said to have been made possible by human error. When employees apply what they have learned in their daily work, the error rate is minimised. In other words: awareness equals protection.
There are various ways to train employees, some easier than others. ‘I have found e-learning, such as in the form of instructional videos with test questions at the end, to be a good method,’ says Peluso. ‘The training should be accompanied by other information campaigns; for example, on the intranet.’
Preventive awareness activities such as these help to generate an understanding of how to handle confidential data – and also of the necessary guidelines, processes and technical protective measures. But it is not possible to guarantee complete security. If an employee has criminal tendencies, they will find a way to get around the protective measures, believes Peluso: ‘Like any security measure, data loss prevention is a trade-off between effort and risk.’ He believes that the success of data loss prevention depends on how it is implemented: ‘The measures must not interfere with day-to-day operations. Otherwise, employees will be reluctant to accept DLP and will find creative ways to bypass it.’