Data Loss Prevention Strategies for Institutions of All Sizes

Interview with DLP Expert Jared Thorkelson

Data loss prevention (DLP) is a challenge for institutions of all sizes. But not all banking/security leaders understand the scope of the threat, where it originates and how best to eradicate it. In this interview, DLP expert Jared Thorkelson discusses:
TOM FIELD: The topic today is data loss prevention. We're talking with Jared Thorkelson, Principal with DLP Experts. Hey, Jared, thanks so much for joining me today.

FIELD: You know, I'm fascinated about this topic, especially since you and I first talked. What do you find is most misunderstood in the data loss prevention space?
THORKELSON: Well, you know it seems that most companies believe the only way to address data leakage is through the purchase of a data loss prevention technology from one of the major DLP vendors. And I'm a strong advocate of these enforcement technologies, but there's also a lot that can be done by the company itself to build a solid foundation for the eventual deployment of a DLP enforcement tool. In fact, the DLP foundation has to be built in order to have a successful DLP deployment. So companies need to know that they can start building their DLP foundation now, even before they buy a commercial DLP solution.
FIELD: Now Jared, you've been in the DLP field for how long now?
THORKELSON: About 18 months.
FIELD: When you visit a banking institution, I know you've visited a number, what do you most commonly find regarding DLP?
THORKELSON: What is interesting is that the banks I've found understand the need for data loss prevention better than most industries, and they really want the technology, but these days it's been very difficult for a lot of these banks to secure the budgets to deploy a DLP solution. So it becomes kind of a permanent fixture on the future project list, and unfortunately as a result too little, I think, is being done to protect sensitive data and we're trying to change that.
FIELD: In the banking institutions now, what do you find to be the biggest sources of data loss?
THORKELSON: Well, you know there are two different aspects to that. The first is a very common source, and that's employees just trying to do their job, trying to get the job done and sending sensitive information via email. That's very typical. But there is a bigger source that I think goes kind of masked and covered up, and that's broken business processes that continually expose sensitive information day in and day out. And I worked with one bank, as an example, that had a web-based form, and it was designed to shoot off an email to customer service, which was fine. What wasn't fine was that someone had set up a rule to automatically forward each of those emails, and that was dozens every day, to a few different people in the organization, and that email was leaving the network in clear text with the customer's first and last name, account numbers, everything. So it's really important to identify any broken business processes that are putting data at risk.
FIELD: You know that seems to be the key because as I'm sitting here listening to you, I'm realizing that we aren't just talking about data loss, we're talking about risk with people's personal information.
THORKELSON: Absolutely. It's a huge, huge problem for the banking institutions today.
FIELD: Now you deal with institutions of all sizes, from the very large to the very small community banks, and this is unfortunately an agnostic threat and is a threat to all of them. What do you find to be an institution's easiest solutions to data loss?
THORKELSON: Well, as I said before, most of the organizations looking at DLP think that the best way, or the only way really, to address this is with a full-blown DLP enforcement solution. But we've identified five steps that organizations can take to build their data loss prevention foundation, and the first is you need to assess the current data protection posture with a risk assessment. This is a very necessary but inexpensive first step that will help companies identify the major areas of concern. A good risk assessment will allow you to lay out all the pieces of the puzzle on the table so you get all of the who, the what, the where and how and this will enable you to direct action in the right areas.
The second thing is to identify the data you need to protect. For banks and other financial institutions this is usually the personally identifiable information, or PII, of their customers. And you need to be sure to review the results of the risk assessment to find out if there is any other data that needs to be protected, but also consult with other department heads who may remind you of data that you didn't even know needed to be protected.
Third is to establish a comprehensive data protection policy. From the results of the risk assessment and knowing what you do about the data you want to protect, establish a written policy for data protection and then down the road this written policy will become the basis for configuration of the DLP enforcement technology, but it can also be used immediately within the organization.
Fourth is to educate your users. You need to roll out the data protection policy to the whole company. Educate the users on the reason for the policy and the correct handling of data.
Fifth is to, as I mentioned before, find and fix broken business processes. This is the single most effective way of protecting data, the biggest bang for your buck as it were. And the quickest and surest way to identify these broken processes is through a comprehensive data loss risk assessment that will clearly identify what is leaking and how. So doing those five things will help companies build a solid DLP foundation.
FIELD: See, this is why they call you the DLP expert Jared.
THORKELSON: Well, thank you.
FIELD: Now Jared, I know the listeners may not know this, but you come from the DLP vendor side and so you've got a unique perspective on this. I've got to ask you, in general, what do the DLP vendors not want institutions to know about these prospective solutions?
THORKELSON: Well, you know, there are a couple of points that DLP buyers routinely don't fully understand, and I won't go so far as to say that the DLP vendors are withholding information, but in some cases, for the benefit of the sale, it is better not to let this information out, or really expose this information.
So the first thing is that most DLP solutions need to integrate with other network technologies in order to prevent, or that is to block, sensitive data from leaving the network. This presents either an added cost or some level of added complexity to the DLP solution, so that is something that buyers should be aware of, but you should also know there are a couple of products in this space that can block without any third-party integrations. The next thing buyers don't understand is the thing that we've touched on already, which is the broken business processes. During the risk assessment phase you are going to uncover, typically, a couple or a few broken business processes that are putting sensitive data at risk all the time. And by simply addressing these processes and fixing the process, companies can clean up a large portion of their data protection problems.
FIELD: No, that makes sense. Boil it all down if you can, Jared: if you could offer just a single piece of DLP advice to a financial institution executive, what would that advice be?
THORKELSON: Well, you know, I would have to say, do something. Budget or no budget. If you've got the budget, by all means implement a DLP solution, but if you don't have the budget yet, start building your DLP foundation now. You need to have something in place. Something is better than nothing, and all of this can be done fairly quickly and at a cost that can be usually pulled from existing budgets. You need to act now though; we can't wait too long.
FIELD: Good points. Jared, I appreciate your time and your insights today.
FIELD: We've been talking with Jared Thorkelson, Principal with DLP Experts. You can find him at www.dlpexperts.com. For Information Security Media Group, I'm Tom Field. Thank you very much.