Data Loss Prevention


Data loss prevention (DLP) is the set of controls that govern access to, and movement of, the data a company is responsible for (Comparitech, 2022). If you have ever watched the spy drama “The Americans,” you are familiar with how intelligence agencies single out and target people who have access to sensitive government or military information. In 2015, in an incident that sounds a lot like an episode of “The Americans,” the U.S. Office of Personnel Management (OPM) fell victim to a cyber-attack. State-sponsored hackers working for the Chinese government stole extremely personal information, including Social Security numbers, fingerprints, and the highly sensitive information collected for background checks (Todd, 2022). A DLP program would not have made that data untouchable, but it would have made the theft harder to carry out and easier to notice: classifying the background-check records as the most sensitive data OPM held, restricting which people and which systems could read them, and alerting on bulk reads or transfers of those records are exactly the controls DLP exists to provide.

A DLP policy defines the rules for how a company shares and protects its data. It identifies which data is confidential, states who may and may not access it, and sets out how that data may be used in decision making (Digital Guardian, 2019). A DLP policy on its own is not sufficient to prevent data loss, however; it has to be coupled with tooling that enforces the policy and classifies and tracks the data it describes. One example of this type of DLP software is SolarWinds Data Loss Prevention with Access Rights Manager (ARM). SolarWinds is an industry leader in IT monitoring tools (Comparitech, 2022). ARM supports the DLP policy by producing clear reports on the access permissions that are actually set, which makes it possible to compare existing controls against the policy and to tighten them where the two diverge. The key features of this software include auditing against data protection standards, access rights management, automated responses, and detection of suspicious activity (Comparitech, 2022).

Data classification plays a big role in DLP: one of the first steps in protecting data is classifying it, so that the right access controls can be attached to each class. ISO 27001 requires that information be classified but does not prescribe the levels; outside government, a common four-level scheme is (Irwin, 2021):

·        Confidential (only senior management has access)

·        Restricted (most, but not all, employees have access)

·        Internal (all employees have access)

·        Public (everyone has access)

With these different classes of information come different kinds of access and access control. Separate from the classification level, certain categories of data carry additional legal obligations, notably PII, PHI, and ePHI (U.y., 2020). PII is personally identifiable information: any information that can be used to trace a person’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records. PHI is protected health information: individually identifiable health information, such as medical records, diagnoses, and billing details. ePHI is electronic protected health information, that is, PHI that is created, transmitted, received, or stored electronically (U.y., 2020). In practice a DLP tool treats the presence of these categories as a floor on the classification: a file full of Social Security numbers is handled as Restricted or Confidential regardless of the label its author gave it.
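As an added example (not from this page or from any of the cited sources), the following Python script sketches how a content-aware DLP check applies both ideas above: it assigns one of the four classification levels to a document, raises the level when the content contains PII or PHI no matter what the author labeled it, and then decides whether a given role may read it. The role names, the Social Security number and PHI detectors, and the sample documents are assumptions made for the illustration.

```python
"""Minimal content-aware DLP check: classify a document from its contents,
then decide whether a given role may read (or send) it.

Added illustration, not from any cited product. Role names, the SSN and PHI
detectors, and the sample documents below are assumptions made for the example.
"""
import re
from enum import IntEnum
from typing import Dict, List, Set


class Classification(IntEnum):
    """The four-level scheme from the text, ordered least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


# Hypothetical roles. "Restricted" is readable by most, not all, employees,
# so contractors are excluded from it here; only executives see Confidential.
ROLES_ALLOWED: Dict[Classification, Set[str]] = {
    Classification.PUBLIC: {"guest", "contractor", "employee", "executive"},
    Classification.INTERNAL: {"contractor", "employee", "executive"},
    Classification.RESTRICTED: {"employee", "executive"},
    Classification.CONFIDENTIAL: {"executive"},
}

# U.S. SSN shape, hyphenated only, to keep false positives down.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Crude PHI indicators (assumed): a medical record number or a diagnosis line.
PHI_RE = re.compile(r"\b(MRN\s*[:#]?\s*\d{6,}|diagnosis\s*:)", re.IGNORECASE)
# Optional author-supplied label, e.g. "Classification: Internal".
LABEL_RE = re.compile(r"^\s*Classification:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000). This cuts false positives on order numbers and the like."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return detected PII / PHI strings keyed by category."""
    found: Dict[str, List[str]] = {"ssn": [], "phi": []}
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found["ssn"].append(m.group(0))
    found["phi"] = [m.group(0) for m in PHI_RE.finditer(text)]
    return found


def classify(text: str) -> Classification:
    """Start from the author's label (default Internal), then raise the level
    to the floor implied by the content: PII -> Restricted, PHI -> Confidential.
    Content can only raise the level, never lower it, so a mislabelled
    spreadsheet of SSNs is not released as 'Public'."""
    level = Classification.INTERNAL
    m = LABEL_RE.search(text)
    if m and m.group(1).upper() in Classification.__members__:
        level = Classification[m.group(1).upper()]
    ids = find_identifiers(text)
    if ids["ssn"]:
        level = max(level, Classification.RESTRICTED)
    if ids["phi"]:
        level = max(level, Classification.CONFIDENTIAL)
    return level


def may_access(role: str, level: Classification) -> bool:
    """Access check for one classification level."""
    return role in ROLES_ALLOWED[level]


def dlp_decision(role: str, text: str) -> Dict[str, object]:
    """One policy decision: what the document is, and whether `role` gets it."""
    level = classify(text)
    return {"level": level.name, "allowed": may_access(role, level),
            "findings": find_identifiers(text)}


# Constructed sample documents (fictitious data).
PRESS_RELEASE = "Classification: Public\nAcme opens a new office in Austin."
HR_EXPORT = "Classification: Public\nemployee,ssn\nJ. Doe,123-45-6789\nOrder 000-12-3456"
CLINIC_NOTE = "Patient J. Doe MRN: 00458213\nDiagnosis: ...\nClassification: Internal"

if __name__ == "__main__":
    for role in ("guest", "contractor", "employee", "executive"):
        for name, doc in (("press", PRESS_RELEASE), ("hr", HR_EXPORT), ("clinic", CLINIC_NOTE)):
            d = dlp_decision(role, doc)
            print(f"{role:10} {name:7} {d['level']:12} allowed={d['allowed']}")
```

Two design points are worth noticing. The HR export is labeled Public by its author but contains a real-looking Social Security number, so it is handled as Restricted; the string “000-12-3456” in the same file is ignored because the plausibility check knows the SSA never issues area 000. The clinic note is labeled Internal but its medical record number and diagnosis line push it to Confidential, so only the executive role can read it.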

The Economist has declared data to be the world’s most valuable resource, ahead of oil (Reea Global, 2022). Wars have been fought over oil; it takes little imagination to see the same contests playing out in cyberspace, both to protect data and to steal it. Data loss prevention and DLP policies are becoming a necessity of daily business. A company without DLP is like an army without defensive measures: no armor, no reactive defenses, no ammunition.


References

Comparitech. (2022, March 31). 10 best data loss prevention tools & software. Retrieved April 26, 2022, from https://www.comparitech.com/data-privacy-management/data-loss-prevention-tools-software/

Digital Guardian. (2019, December 5). Establishing a data loss prevention policy within your organization. Retrieved April 26, 2022, from https://digitalguardian.com/blog/establishing-data-loss-prevention-policy-within-your-organization

Irwin, L. (2021, June 23). ISO 27001 & information classification. IT Governance UK. Retrieved April 26, 2022, from https://www.itgovernance.co.uk/blog/what-is-information-classification-and-how-is-it-relevant-to-iso-27001

Reea Global. (2022, April 12). Data analytics: Why data is your company’s biggest asset. Retrieved April 26, 2022, from https://reeaglobal.com/why-data-is-your-companys-biggest-asset/

Todd, D. (2022, March 24). Top 10 data breaches of all time. SecureWorld. Retrieved April 26, 2022, from https://www.secureworld.io/industry-news/top-10-data-breaches-of-all-time

U.y. (2020, July 3). PII vs. PHI vs. ePHI. Medium. Retrieved April 26, 2022, from https://informationsecurity.medium.com/pii-vs-phi-vs-ephi-3b1f6cfa91d0
