Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

11/25/2014
10:30 AM
Todd Feinman
Commentary

Data Management Vs. Data Loss Prevention: Vive La Différence!

A sensitive data management strategy can include the use of DLP technology, but it also involves a comprehensive understanding of where your data is and what specifically is at risk.

Cyber criminals have grabbed headlines for many highly publicized data breaches in recent years. However, the greatest source of blame for many of these incidents should be placed on the shoulders of organizations that don’t properly manage sensitive data. The obvious reason: Criminals harvesting personally identifiable information expend far less effort in companies where insufficient security controls expose mass amounts of data.

What’s most effective in data protection is a holistic approach. Where organizations go wrong is in confusing sensitive data management with data loss prevention (DLP) software. Let’s start by more clearly defining the terms.

DLP keeps critical data from escaping the confines of the network, usually when an employee unknowingly emails it out. Sensitive data management is a strategy that incorporates people, process, and technology, with the technology focused on data discovery, classification, security governance, and protection. Sensitive data management can include the use of DLP technology, but, taken as a whole, it is a comprehensive strategy to identify where your data is, what is at risk, who has access, when it is touched, and how to protect it.

Most organizations incorporate seven steps into their sensitive data management best-practices:

  • Defining what the organization deems as sensitive information
  • Knowing where sensitive data is and who has access
  • Classifying data in terms of importance and potential harm to your organization, if stolen
  • Identifying who the data owner is
  • Governing the accountability of data owners
  • Determining if data is necessary or obsolete and if it poses unnecessary risk
  • Eliminating data as soon as it is no longer necessary, or protecting it if it must exist
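As an added illustration (not from the article or from Identity Finder's product), the discovery, classification, and retention steps above can be exercised against a constructed set of documents. The sample paths and contents, the two detector types (SSN and payment card), and the five-year retention period are all assumptions; the validators exist to keep look-alike numbers out of the inventory, which is what makes the "where is it" step trustworthy.

```python
import re
from datetime import date, timedelta
# Step 1: define what counts as sensitive. Each detector pairs a pattern with a validator.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators
RETENTION = timedelta(days=5 * 365)                 # assumed retention period

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, zero group/serial)."""
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def find_sensitive(text: str) -> dict:
    """Count validated hits per data type in one document (bool adds as 0 or 1)."""
    hits = {"SSN": 0, "PCI": 0}
    for m in SSN_RE.finditer(text):
        hits["SSN"] += ssn_plausible(*m.groups())
    for m in CARD_RE.finditer(text):
        hits["PCI"] += luhn_ok(re.sub(r"[ -]", "", m.group()))
    return {k: v for k, v in hits.items() if v}

def inventory(files: dict, as_of: date) -> dict:
    """Steps 2, 3, 6, 7: locate, classify, and flag data past retention. files: path -> (modified, text)."""
    report = {}
    for path, (modified, text) in files.items():
        hits = find_sensitive(text)
        if not hits:
            continue  # no regulated data found; not part of the sensitive inventory
        stale = as_of - modified > RETENTION
        report[path] = {"findings": hits, "classification": "restricted",
                        "action": "delete or archive securely" if stale else "protect and assign owner"}
    return report
# Constructed sample corpus (path -> (last modified, contents)) and review date.
AS_OF = date(2014, 11, 25)
SAMPLE_FILES = {
    "hr/payroll_2009.csv": (date(2009, 3, 1), "name,ssn\nAlice,123-45-6789\nBob,000-12-3456\n"),
    "sales/orders.txt": (date(2014, 11, 1), "card 4111 1111 1111 1111 exp 12/16"),
    "marketing/brochure.txt": (date(2014, 10, 5), "Call 555-0100 for a quote"),
    "finance/old_invoices.txt": (date(2010, 1, 1), "invoice ref 4111-1111-1111-1112"),  # fails Luhn
}
```

Running `inventory(SAMPLE_FILES, AS_OF)` lists only the payroll and orders files; the payroll file is past retention and is flagged for elimination, while the Luhn-failing invoice reference never enters the inventory.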

Natural consequences
The consequences of not deploying an effective sensitive data management strategy can be quite severe and take many years to undo, if at all, as many breached organizations have learned the hard way. Some consequences include:

  • Compliance fines, legal costs, and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.
  • Lingering sales drop. A Javelin Research study (sponsored by Identity Finder) shows that in the finance, retail, and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.
  • Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare, but it takes up space on your network and makes the task of locating data more difficult. What’s more, it is an organization’s responsibility to protect all the information customers have entrusted it with.

Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to more data than they need and are at great risk that it could be stolen or exposed. In an era when cyber criminals are sharpening their skills on a daily basis, businesses should take inventory of every piece of data they own, classify it, protect it, and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.

Todd Feinman is President and CEO of Identity Finder, which he co-founded in 2001. He is an identity theft expert and an internationally published author, writing Microsoft's reference book on securing Windows and McGraw Hill's university textbook on managing the risks of ...
Comments
dlpexpert
User Rank: Strategist
11/26/2014 | 1:58:37 PM
Best Practices for Data Security Global Governance, Risk & Compliance:
Additional Best Practices for Data Security Global Governance, Risk & Compliance:

- Be aware of the data that is being sent out of your control, either to an employee's cloud, the organization's own cloud, an employee's flash drive, or via any of the 65,000+ available channels. It only takes a few seconds for a trusted employee or untrusted entity (e.g. malware) to send data such as PII or PCI to the cloud or "phone home", violating compliance regulations and/or policy. You need to understand and know what data was sent, from where, and where it's going.

- Know what data you can send out of the network and where to. When data travels across borders, as it so often does, the risk increases on an exponential basis for the data owner.

- Detection accuracy ensures you protect the correct data with the proper control and are alerted to irregular activity. Some data needs to be blocked, some just encrypted, while other information can leave without any issue. Many "DLP" solutions cannot accurately provide both the content and context awareness to respond.

Above cited from the GTB Technologies advanced data protection DLP website, "Best Practices for Data Security Global Governance, Risk & Compliance".
Broadway0474
User Rank: Apprentice
11/25/2014 | 10:32:29 PM
Re: 7-step program
Marilyn, good questions. I would add to those: Who should lead the effort? And are some companies "too far gone" to start over with data management?
Bprince
User Rank: Ninja
11/25/2014 | 9:15:51 PM
Re: 7-step program
Certainly database admins and security, but I would also say line of business people should be involved as well to make sure there is an understanding of what data is truly critical. That seems like a good start to me.
Marilyn Cohodas
User Rank: Strategist
11/25/2014 | 3:27:32 PM
7-step program
Good blog, Todd. Curious to know how long it takes to develop a data management plan and who is involved in the process.