11/25/2014 10:30 AM
Todd Feinman
Commentary
Data Management Vs. Data Loss Prevention: Vive La Différence!

A sensitive data management strategy can include the use of DLP technology, but it also involves a comprehensive understanding of where your data is and what specifically is at risk.

Cyber criminals have grabbed headlines for many highly publicized data breaches in recent years. However, much of the blame for these incidents belongs to the breached organizations themselves, which failed to properly manage sensitive data. The reason is obvious: criminals harvesting personally identifiable information expend far less effort against companies whose weak security controls leave large amounts of data exposed.

What’s most effective in data protection is a holistic approach. Where organizations go wrong is in confusing sensitive data management with data loss prevention (DLP) software. Let’s start by more clearly defining the terms.

DLP software keeps critical data from escaping the confines of the network, most commonly when an employee unknowingly emails it out. Sensitive data management is a broader strategy that combines people, process, and technology, with tooling focused on data discovery, classification, security governance, and protection. Sensitive data management can include DLP technology, but, taken as a whole, it is a comprehensive strategy to identify where your data is, what is at risk, who has access, when it is touched, and how to protect it.

A sensitive data management program should incorporate these seven steps:

  • Defining what the organization deems as sensitive information
  • Knowing where sensitive data is and who has access
  • Classifying data in terms of importance and potential harm to your organization, if stolen
  • Identifying who the data owner is
  • Governing the accountability of data owners
  • Determining if data is necessary or obsolete and if it poses unnecessary risk
  • Eliminating data as soon as it is no longer necessary, or protecting it if it must exist
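Steps 1 through 3 and step 6 only work if something can actually find the data and rank it. The Python script below is an added example written for this page; it is not Identity Finder's code or any vendor's product. It defines a small set of PII patterns (step 1), walks a directory tree to find where they occur (step 2), validates card numbers with the Luhn checksum and SSNs against SSA issuance rules so that random digit runs are not reported, assigns a risk tier by weighted hit count (step 3), and flags files past an assumed retention threshold (step 6). The patterns, weights, tiers, the 365-day threshold and the three sample files are all assumptions made for the example.

```python
"""Sensitive-data discovery scanner (added example, not Identity Finder's code).

Walks a directory tree, finds a few PII patterns, validates what it can
(Luhn for card numbers, SSA issuance rules for SSNs) to cut false positives,
and ranks each file so the data owner knows what to delete or protect first.
Patterns, weights, tiers, retention threshold and sample files are assumptions.
"""
import os
import re
import tempfile
import time

# Step 1: define what the organization deems sensitive. Each pattern carries
# a weight used for classification (step 3); card and SSN hits are validated.
PATTERNS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), 10),
    "ssn": (re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), 10),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 1),
}
STALE_DAYS = 365  # assumed retention threshold for step 6


def luhn_valid(number: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a PAN."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, nor group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def classify_text(text: str) -> tuple[dict, int]:
    """Count validated sensitive matches in text; return (counts, risk score)."""
    counts, score = {}, 0
    for name, (rx, weight) in PATTERNS.items():
        hits = 0
        for m in rx.finditer(text):
            if name == "credit_card" and not luhn_valid(m.group(0)):
                continue
            if name == "ssn" and not ssn_valid(*m.groups()):
                continue
            hits += 1
        if hits:
            counts[name] = hits
            score += hits * weight
    return counts, score


def tier(score: int) -> str:
    """Step 3: rank by potential harm to the organization if stolen."""
    return "High" if score >= 10 else "Medium" if score > 0 else "None"


def scan_tree(root: str) -> list[dict]:
    """Step 2 (where is it?) and step 6 (is it stale?). Returns files with hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    counts, score = classify_text(fh.read())
                age_days = int((time.time() - os.path.getmtime(path)) // 86400)
            except OSError:
                continue
            if score:
                findings.append({"path": path, "counts": counts, "score": score,
                                 "tier": tier(score), "stale": age_days > STALE_DAYS})
    # Highest-risk files first so data owners act on them first.
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample data: an old export holding a Luhn-valid test PAN and a
# plausible SSN, a contacts file with one e-mail, and a log whose digit run
# fails Luhn and so is (correctly) not reported.
SAMPLES = {
    "exports/customers_2009.csv": "jane,4111 1111 1111 1111,123-45-6789\n",
    "hr/contacts.txt": "ops team: oncall@example.com\n",
    "logs/build.log": "job id 1234567890123456 finished\n",
}


def demo() -> list[dict]:
    """Write the samples to a temp tree, back-date the 2009 export, scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        old = time.time() - 4000 * 86400  # make the export look 11 years old
        os.utime(os.path.join(root, "exports/customers_2009.csv"), (old, old))
        results = scan_tree(root)
        for f in results:
            f["path"] = os.path.relpath(f["path"], root)
        return results


if __name__ == "__main__":
    for f in demo():
        flag = " (past retention: delete or protect)" if f["stale"] else ""
        print(f'{f["tier"]:6} {f["path"]} {f["counts"]}{flag}')
```

Run it as-is to see the two reported files; point `scan_tree` at a real share to use it. The validation steps matter more than the regexes: without Luhn and the SSA rules, build logs, order IDs and phone numbers produce so much noise that the inventory is never acted on, which is exactly the failure the article describes.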

Natural consequences
The consequences of not deploying an effective sensitive data management strategy can be quite severe and take many years to undo, if they can be undone at all, as many breached organizations have learned the hard way. Some consequences include:

  • Compliance fines, legal costs, and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.
  • Lingering sales drop. A Javelin Research study (sponsored by Identity Finder) shows that in the finance, retail, and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.
  • Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare, but it takes up space on your network and makes the task of locating data more difficult. What’s more, it is an organization’s responsibility to protect all the information customers have entrusted it with.

Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to more data than they need and are at great risk that it could be stolen or exposed. In an era when cyber criminals are sharpening their skills on a daily basis, businesses should take inventory of every piece of data they own, classify it, protect it, and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.

Todd Feinman is President and CEO of Identity Finder, which he co-founded in 2001. He is an identity theft expert and an internationally published author, writing Microsoft's reference book on securing Windows and McGraw Hill's university textbook on managing the risks of ...
Comments
dlpexpert, User Rank: Strategist, 11/26/2014 | 1:58:37 PM
Best Practices for Data Security Global Governance, Risk & Compliance:
Additional Best Practices for Data Security Global Governance, Risk & Compliance:

- Be aware of the data that is being sent out of your control, either to an employee's cloud, the organization's own cloud, an employee's flash drive or via any of the 65,000+ available channels. It only takes a few seconds for a trusted employee or untrusted entity (e.g. malware) to send data such as PII or PCI to the cloud or "phone home", violating compliance regulations and/or policy. You need to understand and know what data was sent, from where, and to where it's going.

- Know what data you can send out of the network and where to. When data travels across borders, as it does so often, the risk increases on an exponential basis for the data owner.

- Detection accuracy ensures you protect the correct data with the proper control and are alerted to irregular activity. Some data needs to be blocked, some just encrypted, while other information can leave without any issue. Many "DLP" solutions cannot accurately provide both the content and context awareness to respond.

Above cited from GTB Technologies' advanced data protection DLP website, "Best Practices for Data Security Global Governance, Risk & Compliance".
Broadway0474, User Rank: Apprentice, 11/25/2014 | 10:32:29 PM
Re: 7-step program
Marilyn, good questions. I would add to those: Who should lead the effort? And are some companies "too far gone" to start over with data management?
Bprince, User Rank: Ninja, 11/25/2014 | 9:15:51 PM
Re: 7-step program
Certainly database admins and security, but I would also say line-of-business people should be involved as well, to make sure there is an understanding of what data is truly critical. That seems like a good start to me.
Marilyn Cohodas, User Rank: Strategist, 11/25/2014 | 3:27:32 PM
7-step program
Good blog, Todd. Curious to know how long it takes to develop a data management plan and who is involved in the process.