Wednesday, Jan 12, 2011
Gulf News
Small enterprises need to deploy customised data leakage protection solutions to track how essential information is created and stored
Dubai: Small and medium enterprises (SMEs) may get most of their basics right, but one glaring lacuna they tend to overlook is protecting their data.
According to a recent survey conducted by Symantec Business Check-up, 80 per cent of small businesses have a medium to high vulnerability to risk. That, to put it mildly, is a lot.
"We know from our research among small businesses that there are wide variances in how essential business information is stored and protected, despite the fact that many of them are subject to industry regulation," Saurabh Arora, manager for small and medium business, Symantec Middle East and North Africa, said.
Tracking and audit
According to the company's survey, 35 per cent of small businesses have little or no ability to track and audit the way information is created, modified, deleted, accessed and moved, which would leave them exposed to significant risks.
"Without possessing, using and controlling appropriate information, businesses are not able to operate normally," a senior official at DeviceLock said. This is why any loss or leak of an organisation's data equals the loss of assets.
Such a leak often results in financial losses, damage to corporate reputation, loss of clients and may ultimately lead to the loss of business. Therefore, protecting your business data literally means protecting your business.
Companies which do not take the onus of plugging potential gaps in their IT security expose themselves to the leakage of critical information through multiple channels, specifically open access on USB ports on user desktops.
"The only difference between a small start-up and a large organisation is that the latter is able to invest a lot more money and labour resources for purchasing and deploying a data leakage protection (DLP) solution," said the official with DeviceLock.
A small business should carefully choose among available DLP offerings based on a price/performance metric to ensure the highest RoI [return on investment] in protecting its data.
As part of budget cuts, many SMEs are skimping on such software and placing themselves at risk. This is despite the fact that the monetary losses large organisations incur as a result of data breaches reach millions of dollars.
IT budgets
"IT budgets are under pressure as organisations of all sizes try to cut back in the current economic climate," Arora said.
Almost every small business can save significant amounts of money and energy by simply taking a fresh look at the way they approach information protection.
Most organisations based in data sensitive industries need to make sure they comply with national and state regulations, as well as industry standards in the field of information security.
To make sure they're not working outside these regulations, they should be able to record and trace back all user actions with their end point input/output ports and use of peripheral devices. This also extends to network communications such as e-mails, instant messaging, and social networking.
"An effective logging and data shadowing solution is another important factor of increasing employee self-discipline," said Khazi Mohammad Akram, general manager at RasInfo Tech Ltd. and distributor for DeviceLock.
They will know all their data leak-risky actions will be recorded for further compliance auditing and may be used as evidence should any security incident happen as a result of their misconduct or mistakes.
Around 70 to 80 per cent of organisations are aware of and concerned about protecting their data from uncontrolled leakage. However the percentage of large enterprises that use DLP is at a much lower level of 15 to 20 per cent.
The number of SMEs with a similar IT regime in place is even lower.
Security breaches
"Those organisations that do not use DLP solutions are under increasing risk of data breaches resulting from external threats like network hacking or malware infiltration, as well as from internal threats like insider negligence, mistakes and misconduct," said a senior official with DeviceLock.
If a breach happens, it may lead to severe financial losses and fines for organisations due to their failure to comply with state regulations. It may as well result in damage to company reputation and image, loss of clients and might heavily damage the entire business.
Two categories
DLP solutions can be categorised into two types: network-resident and end point-based.
The former includes DLP appliances that are installed on the border of a corporate network to intercept, analyse and block the transfer of those data that are prohibited to leave the organisation's border.
These are effective in preventing data leakage through network communications from e-mail, instant messengers, peer-to-peer file sharing and social networks.
One of the big mistakes businesses make is following the marketing hype around DLP technologies and ending up with the wrong appliance.
Enterprises should first research and choose from existing DLP offerings, then assess and enhance its effectiveness as the organisation's requirements evolve. The organisation's DLP strategy should account for its specific business field and threat profiles.
Top Tips
Securing your company against data leakage can be whittled down to a few basic pointers:
- Enterprises need to first look at a few key areas such as what type of data they want to monitor and control; what steps can they take to reduce any risk of losing or jeopardising that data; and how can these goals be achieved in a simple and cost-effective way.
- IT managers or information security officers should then develop a data protection policy which is an integral part of the corporate's IT security policy. The policy should be created based on government regulations and the industry's information security standards.
- Once the business-level data protection policy has been developed, it should be incorporated into a corporate-wide DLP policy. Content specifications should define what kind of information this policy protects, for example, whether it is intellectual property (IP), corporate confidential information, or consumer data.
- The next step would be deploying and monitoring the DLP solution. When the baseline DLP policies have been fine-tuned, IT managers could switch DLP agents from only monitoring to enforcement.
- Corporate data protection practices should be audited, reviewed and, if necessary, adjusted on a regular basis to better comply with the organisation's corporate security policy.
By Aya Lowe, Staff Reporter
Gulf News 2011. All rights reserved.




















